We have an old Win 2008 CA server and we just set up a new Windows 2019 root CA server (standalone, domain joined) and found the new root CA cannot deploy its root certificate to domain clients automatically.
After some checking, it seems AD can only auto deploy the root certificate from the Win2008 CA, but not from the new Win2019 CA. Does AD recognize the old Win2008 CA as the "primary CA", so that other root CAs cannot auto deploy their root certificates?
I know we can use GPO to deploy the root certificate. But as we will remove that Win2008 CA later, how do we change the "Primary CA" to the new CA?