Consolidate Certificate Servers
I'm planning on upgrading our Windows 2003 CA's to 2008 R2. I am thinking about making the new CA's clustered. My issue is that I have two Intermediate CA's that I'd like to consolidate into one database so I can cluster it. I'm wondering
if that is even possible. If not I'm thinking I'd have to reissue new certs on one of the CA's and retire the second then do the upgrade.
Has anyone ever done this?
David Jenkins
June 6th, 2012 3:12pm
Windows CA supports only a 2-node Active/Passive Server Cluster scheme. This means that both CAs share:
- CA name;
- CA certificates and private keys;
- CA database;
- CA configuration;
- Active Directory related objects.
That is, both nodes of the cluster MUST have the same CA certificate and associated private keys. Since you already have 2 CAs, which (most likely) have different names, you cannot join them into the same cluster. Your last sentence is correct: you will have to decommission and retire one server and add a second node to the cluster. Here is a whitepaper that will guide you through this process:
http://www.microsoft.com/en-us/download/details.aspx?id=331
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
June 6th, 2012 3:29pm
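Before deciding which of the two intermediate CAs to retire, it helps to know what each one still has outstanding. The following PowerShell script is an added example written for this thread, not code from the original post or from the PSPKI module linked above. Run it on each CA server as a local administrator; it reads the CA name and CA certificate hash(es) from the CertSvc registry configuration (the identity that both cluster nodes would have to share, which is why two differently named CAs cannot be joined) and then uses certutil to count the still-valid certificates the CA has issued, grouped by template. The registry value names (Active, CACertHash, DBDirectory), the certutil -restrict/-out/csv options and the wildcard match on the template column header are assumptions based on how a stock CA is laid out, not values from the thread.

```powershell
# Added example, not from the original thread.
# Inventory a Windows CA ahead of a consolidation: show the identity that a
# cluster would have to share, and count the valid certificates that would need
# reissuing from the surviving CA if this one were retired.
# Assumes: CertSvc is installed on this host, certutil.exe is on the PATH,
# and the script runs as a local administrator.

$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The 'Active' value names the CA instance hosted on this server (assumed value name).
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$caProps = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

# CA identity. Two servers with different CAName / CACertHash values cannot be
# nodes of one cluster, because both nodes must present the same CA certificate
# and private key. (CACertHash and DBDirectory are assumed value names.)
$identity = [pscustomobject]@{
    CAName      = $caName
    CACertHash  = (@($caProps.CACertHash) -join '; ')
    DBDirectory = $caProps.DBDirectory
}
Write-Output '--- CA identity on this server ---'
$identity | Format-List | Out-String | Write-Output

# Valid issued certificates: Disposition 20 = issued, NotAfter in the future.
# certutil's csv output is parsed with ConvertFrom-Csv; the column header for the
# template is located with a wildcard because its exact display text is assumed.
$csv  = certutil -view -restrict 'Disposition=20,NotAfter>now' `
                        -out 'RequestID,CertificateTemplate,NotAfter' csv
$rows = $csv | ConvertFrom-Csv

if (-not $rows) {
    Write-Output 'No unexpired issued certificates found in this CA database.'
    return
}

$tplCol = $rows[0].PSObject.Properties.Name | Where-Object { $_ -like '*Template*' } | Select-Object -First 1
if (-not $tplCol) {
    Write-Warning 'Could not locate the template column in certutil output; showing raw row count only.'
    Write-Output ("Unexpired issued certificates: {0}" -f $rows.Count)
    return
}

Write-Output '--- Unexpired issued certificates by template (would need reissuing if this CA is retired) ---'
$rows | Group-Object -Property $tplCol |
    Sort-Object Count -Descending |
    Select-Object @{ Name = 'Template'; Expression = { $_.Name } }, Count |
    Format-Table -AutoSize | Out-String | Write-Output
```

Run it on both intermediate CAs and compare the two outputs: the CA with the smaller set of still-valid certificates is usually the cheaper one to retire, and the CAName / CACertHash lines make it obvious that the two databases cannot simply be merged under one cluster identity. Keep in mind that certificates already on the retired CA's CRL must stay reachable until they expire, so plan to keep publishing that CA's CRL (or move the CRL distribution point) as part of the decommissioning described in the whitepaper.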
That's what I thought. The two sub CA's of course have separate names. I'll review the link and hopefully figure out how much of a pain it will be to retire one of the CA's.
David Jenkins
June 6th, 2012 3:31pm
You just covered all the questions I had. Thanks a bunch.
David Jenkins
June 6th, 2012 3:56pm