I am working at a company that has two locations (let's call them Site A and B) with one common AD domain. We are in the process of selling off one of the locations. We want to split the network (i.e. Site A and B will operate independently of each other), but still use the same domain and network resources at both locations (i.e. print, file, etc.). Once the physical network is split we will just remove the AD references to the previous location. The one thing I am concerned about is that we only have one Active Directory Certificate Services (AD CS) server, where we have the main root certificate server at one location and not the other one.
Is there a way to set up a secondary root certificate server so that we can still maintain the original PKI infrastructure at both locations? For example, after we split the locations, can we stand up a new PKI server on the domain without this service and utilize it? Not sure how that will work. Would it be easier to set up a new PKI server with a new root certificate?