Here are resources and comments about ADCS migration to 2012 R2:

Is it possible for an old PKI hierarchy and a new PKI to coexist in the same forest?

“Yes, you can have multiple root CAs and even multiple PKIs in a single Active Directory forest. Because of the way the objects representing those CAs are named and stored, you couldn’t possibly experience a conflict unless you tried to give more than one CA the same CA name.”

Why? Use case: the old 2008 R2 AD CS SHA1 hierarchy and the new SHA256 hierarchy running AD CS 2012 R2.

Multiple PKI Hierarchies in the Same Environment:


Step by Step AD CS 2012 R2 two-tier PKI build:

CAPolicy.inf syntax:


Here is a list of other web resources about AD CS:

2013: Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy:

AD CS 2008 R2 Installation Getting Started Guide:

Downloadable, printable job aids which include the most commonly used commands and procedures for administering Server Core installations are available at

Steps for installing a server role on a Server Core installation of Windows Server 2008 R2:

Unlike Windows Server 2008, Server Core installations of Windows Server 2008 R2 use Dism.exe to install and uninstall most server roles. For more information about Dism.exe, see

Installing Windows Features on a server running a Server Core installation of Windows Server 2008 R2:

Installing AD CS on a Server Core installation of Windows Server 2008 R2 by using a PowerShell script: Setup Certification Authority with PowerShell

How to request and install a certificate on a Server Core installation:

AD CS and PKI Step-by-Steps, Labs, Walkthroughs, HowTo, and Examples:

AD CS 2008 step by step:

AD PKI 2003 step by step:

How to configure certificate-based authentication for OWA:

=> Example Step by Step:

Checklist: Configuring certificate Auto-Enrollment:


Checklist: Decommissioning a certification authority



ADCS Certificate Templates, how to, best practices and troubleshooting:

Certificate Services How To…

French TechNet articles:

Checklist: Creating a certification hierarchy with an offline root certification authority:

=> (superseded by: )

ADCS and firewall ports:


ADCS: Clean the CA database

ADCS: New hotfix for the CA private key missing from system state backups:

AD CS – Permissions and delegation model:

AD CS tool to install: PKI SMTP exit module



AD CS Online Responder Services (OCSP) in a Network:

AD CS Online Responder Services (OCSP) in high availability mode with NLB:


ADCS deploying cross-forest certificate enrollment:

ADCS operations tasks:

ADCS and PowerShell:

CodePlex: PKI PowerShell module: