If you have commonly asked questions about certificate services or PKI that you think should be listed in the Active Directory Certificate Services Frequently Asked Questions (AD CS FAQ) list, I encourage you to submit them to the TechNet Wiki posting http://social.technet.microsoft.com/wiki/contents/articles/ad-cs-faq.aspx. Don't worry about the formatting, I can clean that up, if needed. Also, if you would rather have me add something for you, feel free to just reply to this blog. Thank you!
You should also associate the AD CS FAQ with ADCS FAQ, ADCS Answers, and AD CS Answers.
One thing I found myself doing before I even started my build was to go out and try and find horror stories. For example, some people just want to know... Are there any dangers to installing the Enterprise Issuing CA? Can it affect logins? Could it render the domain unusble. I think a good outline of potential risks and "gotchas" would be nice to read.
I spent a couple of months looking over documentation and other blog postings about upgrading the servers that run our PKI. I specifically was looking to move our Enterprise Root CA to a Stand-Alone Root CA. I pulled it off, but finding the documentation was not easy to do. I now need to find a way to make our Issuing CA's renew or acquire a subCA certificate that is longer than the riginal 2 years.
Right now the ASKDS blog (blogs.technet.com/.../askds) has good information about migrating certification authorities, especially the single to multiple tier migration.
As for the renewing the issuing CA certificates, you just need to duplicate the Subordinate Certification Authority template, make your modifications, then Issue that template. Finally, use the option to Renew the CA Certificate in the Issuing CA Certification