I recommend using a Windows 2000 Server Certificate Authority (CA) for a Win2K domain because before you can install a Windows Server 2003 CA, you must upgrade your Win2K Active Directory (AD) schema--a somewhat involved process that requires planning and coordination. For more information about this process, go to http://www.microsoft.com/resources/documentation/windowsserv/2003/standard/proddocs/en-us, then navigate to Getting Started\Installing and Upgrading the Operating System\How To...\Prepare for upgrades in a domain containing Windows 2000 domain controllers.

If you have a Windows 2003 domain, you might consider upgrading to Windows 2003, Enterprise Edition. Internet Authentication Service (IAS) needs only Windows 2003, Standard Edition, but using Windows 2003 Enterprise has advantages if you plan to use this server as a CA for issuing wireless LAN (WLAN) certificates and certificates for other purposes. A Windows 2003 Standard or Win2K CA limits you to two certificate types that might have more permissions than you'd like. For WLAN access, client computers need a certificate configured only with the client authentication purpose. Unfortunately, Windows 2003 Standard and Win2K CAs let you grant certificates based only on the Computer template or Domain Controller template, both of which have both client and server authentication purposes. Enrolling wireless client workstations with a certificate that includes the server authentication purpose isn't a huge risk, but you would be giving clients more than the minimum privileges.

Windows 2003 Enterprise provides several new certificate templates, including the Workstation template, which is limited to the client authentication purpose. Windows 2003 Enterprise also includes a new feature called certificate autoenrollment that makes deploying certificates to users and computers easier than ever. If you're deploying a large enterprise PKI and plan on issuing many certificates for different purposes, Windows 2003 Enterprise might be worth the investment. However, I don't think the extra cost is justified if you're just using the CA to issue certificates for your WLAN.