Consolidate Certificate Servers
I'm planning on upgrading our Windows 2003 CA's to 2008 R2. I am thinking about making the new CA's clustered. My issue is that I have two Intermediate CA's that I'd like to consolidate into one database so I can cluster it. I'm wondering
if that is even possible. If not I'm thinking I'd have to reissue new certs on one of the CA's and retire the second then do the upgrade.
Has anyone ever done this?
David Jenkins
June 6th, 2012 3:21pm
Windows CA supports only a 2-node Active/Passive server cluster scheme. This means that both CAs share:
- CA name;
- CA certificates and private keys;
- CA database;
- CA configuration;
- Active Directory related objects.
That is, both nodes of the cluster MUST have the same CA certificate and associated private keys. Since you already have 2 CAs, which (most likely) have different names, you cannot join them into the same cluster. Your last sentence is correct: you will have to decommission and retire one server and add a second node to the cluster. Here is a whitepaper that will guide you through this process:
http://www.microsoft.com/en-us/download/details.aspx?id=331
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
June 6th, 2012 3:38pm
That's what I thought. The two sub CA's of course have separate names. I'll review the link and hopefully figure out how much of a pain it will be to retire one of the CA's.
David Jenkins
June 6th, 2012 3:40pm
It depends on your infrastructure workflow procedures. The best way is to:
1. Prepare, set up and configure the clustered CA.
2. When you ensure that it works as expected, you can remove all templates from the 2nd CA, so it will not issue any certificates.
3. Dump the 2nd CA's database for any valid (time valid) certificate to identify cert holders. If active certificates were issued to offline users and/or computers (which are not members of your Active Directory forest), then you will have to reissue certificates to them first. If active certificates were issued to domain computers and manual enrollment was used (manual when you supply subject information during enrollment, like when you enroll for SSL certificates), you will have to reissue certificates to such servers too. If certificates were issued by using autoenrollment (automatically), you can revoke them and the autoenrollment trigger automatically detects this and reenrolls certificates from the clustered CA.
4. Only then you can start the CA decommission process:
http://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
June 6th, 2012 3:58pm
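Added example (not from the thread or from the PSPKI module) of the "dump the 2nd CA's database for time-valid certificates" step above: it pulls issued, unexpired records from the CA being retired with certutil and sorts holders by template and by whether the requester is a forest account, which is what decides the reissue path. The CA config string, the forest NetBIOS name and the output path are placeholders you must replace.

```powershell
# Added example, not from the original post. Inventories time-valid certificates
# still issued by the CA that will be retired. Assumes certutil.exe (built into
# Windows) run as a CA administrator on a machine that can reach the CA.
param(
    [string]$CaConfig      = 'CA2.contoso.com\Contoso Sub CA 2',  # placeholder config string; see: certutil -dump
    [string]$ForestNetbios = 'CONTOSO',                           # placeholder NetBIOS name of your forest
    [string]$OutFile       = "$env:TEMP\ca2-active-certs.csv"
)

# Columns requested from the CA database, in this order. Disposition 20 = issued
# (revoked rows are 21 and are therefore excluded); "now" is certutil's keyword
# for the current time, so NotAfter>now keeps only unexpired certificates.
$columns = 'RequestID,RequesterName,CommonName,NotAfter,CertificateTemplate'

# "-view ... csv" emits a header row of display names followed by one row per
# record, plus a trailing status line that is dropped before parsing.
$rows = certutil -config $CaConfig -view -restrict 'Disposition=20,NotAfter>now' -out $columns csv |
    Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
    ConvertFrom-Csv

if (-not $rows) { Write-Host "No time-valid issued certificates on $CaConfig."; return }

# Address columns by position rather than by header text, so the display names
# certutil chooses do not matter.
$names = @($rows[0].PSObject.Properties.Name)

$report = foreach ($r in $rows) {
    $template = $r.($names[4])
    if (-not $template) { continue }                      # skip any stray non-record row
    $requester  = $r.($names[1])
    $domainPart = ($requester -split '\\')[0]
    [pscustomobject]@{
        RequestID = $r.($names[0])
        Requester = $requester
        Subject   = $r.($names[2])
        Expires   = $r.($names[3])
        Template  = $template
        # Requests from accounts outside the forest map to the "offline users/computers"
        # case (reissue by hand). Forest accounts may still need manual reissue if the
        # template was manually enrolled; check the template's autoenroll setting.
        Holder    = if ($domainPart -eq $ForestNetbios) { 'forest account' } else { 'outside forest' }
    }
}

$report | Export-Csv -Path $OutFile -NoTypeInformation
$report | Group-Object Template, Holder | Select-Object Count, Name |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

Templates whose rows are all forest accounts and that have autoenrollment enabled are the ones you can simply revoke and let autoenrollment re-enroll from the clustered CA; everything else in the CSV needs a manual reissue before decommissioning.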
You just covered all the questions I had. Thanks a bunch.
David Jenkins
June 6th, 2012 4:06pm