Deploy new AD CS infra running in parallel with old one - What are the steps?

Moreira, Adonis 0 Reputation points
2025-08-08T08:45:45.3166667+00:00

Hi,

I need to create a new PKI infrastructure using the recommended multi-tier where the Root CA is offline and Issuing CA is joined to the domain. Currently, both are joined to the Domain.

I want to have them running in parallel for a while to make sure there's no disruption in service.

We have Intune-joined devices that use certs requested via NDES. All DCs also have certs for LDAPS.

I've seen a lot of documentation on how to migrate from one server to another, but not much about having a new PKI running in parallel. Apart from repointing the NDES servers to the new AD CS servers, what other GPOs do I need to configure to make sure DCs will use the new AD CS? What's the best way to force the issuance of certificates for DCs and all devices?

Last question: is there any issue with not having IIS installed for CRLs? I would rather have all CRLs configured on public storage, so that if the server is down for patching or anything else, machines can still check CRLs; it's also one less service to maintain.

Thank you

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)

1 answer

  1. Hoang Phan0701 75 Reputation points Independent Advisor
    2025-08-13T06:07:32.8233333+00:00

    Dear Moreira Adonis,

    My name is Hoang Phan, and I understand that you have a query related to PKI infrastructure.

    From my experience, it’s completely normal to have two or more PKI hierarchies in the same forest. However, based on my research, there’s no straightforward method (such as a GPO or direct configuration) to restrict a user or computer to request certificates from only a specific CA. By default, they will attempt to enroll from any available CA.

    One practical way to achieve this restriction is to publish the required certificate template only on the desired CA. This ensures that the user or computer can only contact that CA for enrollment.

    For the CRL Distribution Point (CDP), you can configure multiple URLs; it doesn't have to be published solely on an IIS server. You can also use file share paths and LDAP paths. I recommend configuring multiple locations so that the CRL remains accessible even if one path becomes unavailable.

    If you’d like, I can provide a detailed explanation of the configuration steps. For further reading, here are some useful references:

    I hope this information proves helpful. Please don't hesitate to reach out if you need further clarification; I'll be happy to assist 🙂


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    Best regards,

    Hoang Phan
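The two controls the answer describes (publishing a template only on the CA that should issue it, and giving the CA several CDP/AIA locations so revocation checking does not depend on a single IIS host) can be scripted with the ADCSAdministration module that ships with the AD CS role. The following is an added example written for this thread, not code from the question author, the answerer, or Microsoft; the CA names, template names and URLs (`OLD-ISSUING-CA`, `NEW-ISSUING-CA`, `pki.example.com`, the file share) are placeholders to replace with your own. Run it elevated on each issuing CA.

```powershell
# Added example: steer enrollment to the new issuing CA by template publication,
# and give the new CA more than one CDP/AIA location. All names/URLs are placeholders.
Import-Module ADCSAdministration

# --- 1. Inventory: which templates does THIS CA currently publish? ---
# Run on both CAs; a template present on both is one that clients may pull from either.
$published = Get-CATemplate | Select-Object -ExpandProperty Name
Write-Host "Templates published on $env:COMPUTERNAME:`n  $($published -join "`n  ")"

# --- 2. On the OLD CA: unpublish the templates that should move to the new CA. ---
# Removing a template only stops NEW requests; certificates already issued stay
# valid and the old CA must keep signing CRLs until it is formally retired.
if ($env:COMPUTERNAME -eq 'OLD-ISSUING-CA') {
    foreach ($t in @('KerberosAuthentication', 'DomainControllerAuthentication')) {
        if ($published -contains $t) { Remove-CATemplate -Name $t -Force }
    }
}

# --- 3. On the NEW CA: publish those templates, and set multiple CDP/AIA URLs. ---
if ($env:COMPUTERNAME -eq 'NEW-ISSUING-CA') {
    foreach ($t in @('KerberosAuthentication', 'DomainControllerAuthentication')) {
        if ($published -notcontains $t) { Add-CATemplate -Name $t -Force }
    }

    # CRL publication targets (where the CA writes the CRL) and the CDP URLs
    # embedded in issued certificates. HTTP first: it is what non-domain (Intune)
    # devices can actually reach; LDAP only helps domain-joined machines.
    $httpCdp = 'http://pki.example.com/crl/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
    $fileCdp = 'file://\\pki-share.example.com\crl\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
    $ldapCdp = 'ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,' +
               'CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>'

    $existing = Get-CACrlDistributionPoint | Select-Object -ExpandProperty Uri
    if ($existing -notcontains $httpCdp) {
        Add-CACrlDistributionPoint -Uri $httpCdp -AddToCertificateCdp -AddToFreshestCrl -Force
    }
    if ($existing -notcontains $fileCdp) {
        # Publish here (the web server or storage sync picks the file up); not in certs.
        Add-CACrlDistributionPoint -Uri $fileCdp -PublishToServer -PublishDeltaToServer -Force
    }
    if ($existing -notcontains $ldapCdp) {
        Add-CACrlDistributionPoint -Uri $ldapCdp -PublishToServer -AddToCertificateCdp -Force
    }

    # AIA: where clients fetch the issuing CA certificate to build the chain.
    $httpAia = 'http://pki.example.com/aia/<ServerDNSName>_<CaName><CertificateName>.crt'
    if ((Get-CAAuthorityInformationAccess).Uri -notcontains $httpAia) {
        Add-CAAuthorityInformationAccess -Uri $httpAia -AddToCertificateAia -Force
    }

    # Apply and republish, then prove the new CRL path resolves from this host.
    Restart-Service CertSvc
    certutil -CRL
    certutil -ca.cert "$env:TEMP\newca.cer" | Out-Null
    certutil -verify -urlfetch "$env:TEMP\newca.cer"
}
```

The check at the end matters more than the configuration: `certutil -verify -urlfetch` walks every CDP and AIA URL in the certificate and reports which ones it could retrieve, so run it from a client outside the domain as well before moving templates, since a certificate whose only reachable CRL lived on the old IIS host fails revocation checking the day that host is patched. Keep the old CA's own CDP entries untouched until every certificate it issued has expired or been re-enrolled; its CRL is still consulted for those.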

