I've got a single-tier certificate authority running on a 2008 R2 domain controller with an expiring root certificate. I have a new 2012 R2 domain controller with a new single-tier certificate authority. I also have a DirectAccess server running on Server 2012 (two NICs, NAT, IP-HTTPS only). I'd like to get a new DirectAccess server set up running Server 2012 R2 using the new CA for the various DirectAccess server and client computer certs. I can get the new environment working and flip machines from the existing implementation to the new implementation.
I was previously told by a tech working one of my Microsoft support tickets that two independent DirectAccess servers can't run in the same domain. However, I posted a related question https://social.technet.microsoft.com/Forums/projectserver/en-US/ab53a314-91ea-4d40-afd5-6b8f62698547/2012-directaccess-and-expiring-certificate-authority?forum=winserverNIS and got a response indicating that two independent DirectAccess servers can run in the same domain. If I can carefully get a second server operational within the same domain, I can build a reg file to deploy to all machines prior to the cutover that will simulate the gpupdate for broken machines in the field, getting them connected so the policy can be properly pulled from a DC. Would anyone else be willing to confirm or elaborate on operating two independent DirectAccess servers in the same domain? What are the gotchas?