This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 43%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Hi,
We have a old Win 2008 CA server and we just setup a new Windows 2019 root CA server (standalone, domain joint) and found new root CA cannot deploy root certificate to domain client automatically.
After some checking, seems AD only can auto deploy the root certificate from Win2008 CA, but the new Win2019 CA cannot. Do the AD recognize the old Win2008 CA is the "primary CA", so the other root CA cannot auto deploy their root certificate?
I know we can use GPO to deploy root certificate. But as we will remove that Win2008 CA later, how to change the "Primary CA" to the new CA?
Thanks
Best Regards
Chong
Hi @Chong
You have used two contradicting terms to define your new CA, it can be a standalone or domain (enterprise), but not both. If it's a standalone root CA, then you will need to publish the root certificate in the AD using the certutil -dspublish command.
Gary.
Hi @Gary Reynolds ,
Thanks for the reply
I am not sure this is the problem root cause or not, and it may not the standard CA structure. But my CA server is domain joint, and select "standalone" and "Root CA" during setup CA.
Although the "certutil -dspublish" (and also use GPO) can publish the root certificate, we need to change the new CA to "primary" in AD so the root certificate can auto publish to client when we renew the root certificate each time.
Thanks
Chong