We have a long-standing domain that was originally built with 2003 DCs and still has an old Server 2003R2 Certification Authority in place.
I'm now looking to introduce a new Server 2012 R2 CA, but I'm unsure of the impact on any existing certs provided by the original legacy CA. My intuition tells me that there shouldn't be any issues for existing certs and that I can request new ones from the new 2012 CA (once deployed), but I'm not too sure on the bit about PKI hierarchy with Server 2012.
Options for the new 2012 CA are either Root CA or Subordinate CA (Root is highlighted as default). From my research, I don't believe a 2012 CA can be a subordinate of a 2003 CA.
I'm not sure if I should set the new CA as Root or Subordinate. If I create it as Root, will this result in any existing certs from the 2003 CA being revoked/untrusted?
DCs have been replaced a while back and are now running Server 2008 R2, and both forest and domain functioning levels are now 2008R2.
Any comments from people who have been in similar scenarios or other thoughts on this would be much appreciated.
Mike