I did this recently for a customer with many non-domain members in the internal network. It made no sense to use the AD Enterprise Root CA because this meant we had to distribute the CA cert to the clients.
I would look to deploy a new AD Root CA if there were a lot of other services which require certificates, but I'm getting to the tipping point where managing the additional servers etc. actually cost more than buying certs from a public CA!
I think I'll go the public CA way. Thanks for the quick reply.
Failure is an indispensable prerequisite of success. It is how you learn the lessons you need.
The Lync implementation at my organization uses 100% public certificates for the same reason - lost of non-domain PCs.
Michael D'Angelo (former)MVP-MIIS, Pace University Senior Systems Administrator (Windows)(MS)NMDANGE PhoeniX WorX Systems Administrator. If you play Total Annihilation, please join us. http://www.phoenixworx.org