trafsta

How to migrate Certificate Authority from Win2k3 'Server1' to Win2k8 'Server2'

I have an old Windows 2003 DC that I'd like to demote as we are now running a new Windows 2008 DC. I cannot demote it, however, until the Certificate Authority is moved off of it.

- The old Windows 2003 DC is named 'Server1' (as an example)
- The new Windows 2008 DC is named 'Server2'

I know Microsoft's instructions say that you must move the CA to a server of the same name, but to do this would not be easy so I need to find a way to move the CA to the new Windows 2008 server without it having the same name as the old Windows 2003 server...

The Win2k3 CA has about 2 dozen 'Basic EFS' certificates, and a couple 'EFS Recovery Agent's, and one 'Web Server' certificate (for our Exchange 2007 OWA mail server).

Can anyone suggest my best option to get the CA moved over to the new Windows 2008 server? Is my only option to have it named the same as the old server?

Any suggestions would be appreciated!
cdbeste

Here are the instructions:

http://support.microsoft.com/kb/298138


trafsta (ASKER)

Hi cdbeste,

I've previously read those instructions (well, skimmed through it...), and I'm pretty sure it states that the server name must remain the same: "The new server must have the same computer name as the old server."

Am I incorrect?
I have searched and this is all I can find....

You can't change the name of a CA server. It states that VERY clearly at installation time.

If you have to rename a CA, you have to build a whole new CA infrastructure from scratch.
trafsta (ASKER)

Yeah I figured that would be the answer I'd get. I inherited this mess from the people that previously set it up. 1 server as a DC, Exchange 2k3 server, DNS, DHCP, File server, Print Server, and SQL server all in one.... everything is now split up and virtualized, so I guess what I'm going to do is create another virtual server, likely 2k3, but possibly 2k8 with the same 'server1' name and it'll be the CA... doesn't sound like I have any other options, and I definitely want to keep the CA off on its own w/o any other services running on it.
ASKER CERTIFIED SOLUTION
cdbeste

This solution is only available to members.
trafsta (ASKER)

I'll try to go straight to 2008. Does the MS article you mentioned still apply to 2008 though? Hopefully the backup from 2003 and then the restore to 2008 works alright, not to mention the exporting registry settings from 2003 and then importing to 2008 (that makes me a bit nervous as I'd imagine some settings were bound to have changed since 2003).
trafsta (ASKER)

Seems that the whitepaper @ http://www.microsoft.com/downloads/details.aspx?FamilyID=c70bd7cd-9f03-484b-8c4b-279bc29a3413&displaylang=en gives detailed information on going from 2003 -> 2008 CA with a host name change. The hostname can change, but the CA name must remain the same. I read through most of it now and it looks rather complicated. I'm going to attempt it but I can see myself blowing things up quite badly lol... time will tell....

I guess I could always restore the CA to the old Windows 2003 server if my migration attempt to the 2008 server w/ a different host name fails...
Run upgrade from 2003 to 2008, it should work.
trafsta (ASKER)

MS_help_guy:

So you are saying that when installing the AD CS services on the new 'server2' win2k8 DC it will prompt me to upgrade from the CA on the old win2k3 DC named 'server1'?
trafsta (ASKER)

Never mind, you must not be saying that... as I just tried that and I don't see upgrade anywhere... I guess you're referring to upgrading the Win2k3 server to Win2k8 and the CA should then upgrade automatically? Unfortunately the old server hardware is being decommissioned. The new win2k8 DC server is a Hyper-V virtual server and it is already up and running. Hmmm...
SOLUTION

This solution is only available to members.
trafsta (ASKER)

Holy sh*t... I followed the whitepaper and the advice of you guys on here and it seems to have worked. I have moved the CA from Win2k3 DC 'Server1' by backing up the CA, uninstalling the CA, demoting the DC (not necessary, you can keep the DC around if you want), then installing the CA on Win2k8 DC 'Server2' and editing the registry settings so that the CA is still named 'Server1' but the registry REG_SZ "CAServerName" is 'Server2'. I tried creating an encrypted file under a test user account and it auto generated the Basic EFS certificate on the new CA Win2k8 'Server2' server just fine... that wasn't as bad as I thought...

Thanks everyone!
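As an added post-migration check, not posted by anyone in this thread, the following PowerShell confirms the two things the final post relies on: the CA's logical name is unchanged and the CAServerName value now points at the new host. It assumes it is run elevated on the new CA host (the thread's 'Server2') and uses the standard AD CS registry location under CertSvc\Configuration.

```powershell
# Added check (not from the original thread). Assumes an elevated session on the
# new CA host after the CA has been restored there.
$caRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# 'Active' holds the CA's logical name, which the whitepaper says must not change.
$caName = (Get-ItemProperty -Path $caRoot).Active
$caCfg  = Get-ItemProperty -Path (Join-Path $caRoot $caName)

# CAServerName is the REG_SZ the thread edited; it should name the new host,
# otherwise clients resolve the CA config string to the decommissioned server.
$thisHost = $env:COMPUTERNAME
$serverOk = $caCfg.CAServerName -ieq $thisHost

[pscustomobject]@{
    CAName       = $caName
    CAServerName = $caCfg.CAServerName
    ThisHost     = $thisHost
    ServerNameOk = $serverOk
} | Format-List

if (-not $serverOk) {
    Write-Warning "CAServerName '$($caCfg.CAServerName)' does not match this host '$thisHost'."
}

# The CA's own signing certificate should be present in the machine store under
# the unchanged CA name; an empty result means the restore did not bring it over.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" } |
    Select-Object Subject, Thumbprint, NotAfter

# Finally, confirm the CA service answers under the new "host\CAName" config string.
certutil.exe -config "$thisHost\$caName" -ping
```

If the ping fails while the registry values look right, check that the Active Directory Certificate Services service is started before suspecting the migration itself.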
you're welcome!
all's well that ends well :)