Convert Enterprise Root CA to Standalone Root CA and create new Subordinate CAs



Hi, my existing setup is/was simple. I had a single-site Active
Directory for 30 users and an Exchange server.

All computer workstation identification certs were pushed out via
autoenrollment, and as such they trust the root CA, which was the one to
issue the certificates.

As I will now have a number of sites, I think it would be prudent to
have subordinate CAs at each remote location to issue certificates
there.

My question is, how would this affect the current computers having the
existing CA cert, where it is directly issued from the enterprise root,
compared to other computers that are issued via the subordinate CA
when I get them running? I'm guessing not much, since all computers
will trust the root anyway through the certificate tree? The only
downside is if the root got compromised in this scenario, since they would
still trust it.

To aid my understanding, do enterprise root CAs issue certificates to
workstations by default? I'm guessing not, since I had to create a
workstation identification template.

How could I ensure in future that the root CA only issues certificates
for other subordinate CAs and NOT workstations? Would this be through
the Certificate Management MMC console? Is this controlled by Active
Directory GPO or some other setting?

What is the purpose of having a root enterprise CA and a subordinate
enterprise CA? I can't see much benefit, and indeed maybe this is less
secure as the root is online... this is fine for small networks, but I
have found it may no longer be ideal for me.

Can Active Directory automatically publish the revocation list to HTTP
for it to check? Do I need to have IIS running on the server? I see
the URL for revocation checking, but when I type it in my browser I
get a blank page; again, I presume this is because IIS is not running.

Finally, given the site links are expanding, is it possible to move my
existing enterprise root CA to a standalone root CA, and then create
multiple subordinate CAs to issue certs on the clients' behalf? This
would be the ideal setup as a managed upgrade process. Can I move
the root enterprise CA to an offline root CA?

Many thanks in advance,

Chris
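An added example (not part of Chris's post or any reply to it): a PowerShell check that inventories the machine certificates on a domain-joined workstation, shows whether each chain runs straight from the root or through a subordinate CA, and fetches every HTTP CRL distribution point to see whether the URL really serves a DER CRL or just an empty page. It assumes it is run elevated on a Windows machine holding AD CS-issued certificates; the `pki.example.com` style URLs it will print come from the certificates themselves.

```powershell
# Added example, not from the original post. Assumes an elevated session on a
# domain-joined Windows machine whose LocalMachine\My store holds AD CS-issued certs.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My

foreach ($cert in $certs) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Force an online revocation check so a broken CDP shows up in ChainStatus
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)

    # ChainElements: [0] = leaf, last = root. Two elements means the root signed
    # the workstation cert directly; three or more means a subordinate CA did.
    $depth = $chain.ChainElements.Count
    $issuedBy = if ($depth -le 2) { 'ROOT directly' } else { 'subordinate CA' }

    Write-Host ("{0}`n  Subject: {1}`n  Issuer : {2}`n  Chain  : {3} element(s), {4}, build={5}" -f `
        $cert.Thumbprint, $cert.Subject, $cert.Issuer, $depth, $issuedBy, $chainOk)
    foreach ($status in $chain.ChainStatus) {
        Write-Host ("  Status : {0} - {1}" -f $status.Status, $status.StatusInformation.Trim())
    }

    # CRL Distribution Points extension (OID 2.5.29.31); only the http:// URLs are
    # tested here, since LDAP CDPs are what the question says already works.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { continue }
    $urls = [regex]::Matches($cdp.Format($true), 'http://[^\s]+') | ForEach-Object { $_.Value }
    foreach ($url in $urls) {
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            $len = $resp.Content.Length
            # A real CRL is DER and starts with 0x30 (ASN.1 SEQUENCE); an empty
            # response or an HTML page (starting with '<') does not.
            $looksLikeCrl = ($len -gt 0) -and ($resp.Content[0] -eq 0x30)
            Write-Host ("  CDP    : {0} -> HTTP {1}, {2} bytes, DER CRL: {3}" -f `
                $url, $resp.StatusCode, $len, $looksLikeCrl)
        } catch {
            Write-Host ("  CDP    : {0} -> FAILED ({1})" -f $url, $_.Exception.Message)
        }
    }
}
```

A CDP that answers with 0 bytes or an HTML page, together with a `RevocationStatusUnknown` or `OfflineRevocation` chain status, is the symptom of the blank page described above: the URL is in the certificate but nothing is serving the CRL file there.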