How to migrate Certificate Authority from Win2k3 'Server1' to Win2k8 'Server2'

Posted on 2008-10-01
Last Modified: 2012-05-05
I have an old Windows 2003 DC that I'd like to demote as we are now running a new Windows 2008 DC. I cannot demote it, however, until the Certificate Authority is moved off of it.

- The old Windows 2003 DC is named 'Server1' (as an example)
- The new Windows 2008 DC is named 'Server2'

I know Microsoft's instructions say that you must move the CA to a server of the same name, but to do this would not be easy so I need to find a way to move the CA to the new Windows 2008 server without it having the same name as the old Windows 2003 server...

The Win2k3 CA has about 2 dozen 'Basic EFS' certificates, and a couple 'EFS Recovery Agent's, and one 'Web Server' certificate (for our Exchange 2007 OWA mail server).

Can anyone suggest my best option to get the CA moved over to the new Windows 2008 server? Is my only option to have it named the same as the old server?

Any suggestions would be appreciated!
Question by:trafsta
13 Comments

Expert Comment

by:cdbeste
ID: 22615609
Here are the instructions:

http://support.microsoft.com/kb/298138


Author Comment

by:trafsta
ID: 22615635
Hi cdbeste,

I've previously read those instructions (well, skimmed through it...), and I'm pretty sure it states that the server name must remain the same: "The new server must have the same computer name as the old server."

Am I incorrect?
Expert Comment

by:cdbeste
ID: 22615727
I have searched and this is all I can find....

You can't change the name of a CA server. It states that VERY clearly at installation time.

If you have to rename a CA, you have to build a whole new CA infrastructure from scratch.
Author Comment

by:trafsta
ID: 22615776
Yeah I figured that would be the answer I'd get. I inherited this mess from the people that previously set it up. 1 server as a DC, Exchange 2k3 server, DNS, DHCP, File server, Print Server, and SQL server all in one.... everything is now split up and virtualized, so I guess what I'm going to do is create another virtual server, likely 2k3, but possibly 2k8 with the same 'server1' name and it'll be the CA... doesn't sound like I have any other options, and I definitely want to keep the CA off on its own w/o any other services running on it.
Accepted Solution

by:cdbeste (earned 250 total points)
ID: 22615831
Take it all the way to 2008. Then you won't have to do it again in a few years.
Author Comment

by:trafsta
ID: 22615881
I'll try to go straight to 2008. Does the MS article you mentioned still apply to 2008 though? Hopefully the backup from 2003 and then the restore to 2008 works alright, not to mention the exporting registry settings from 2003 and then importing to 2008 (that makes me a bit nervous as I'd imagine some settings were bound to have changed since 2003).
Author Comment

by:trafsta
ID: 22616540
Seems that the whitepaper @ http://www.microsoft.com/downloads/details.aspx?FamilyID=c70bd7cd-9f03-484b-8c4b-279bc29a3413&displaylang=en gives detailed information on going from 2003 -> 2008 CA with a host name change. The hostname can change, but the CA name must remain the same. I read through most of it now and it looks rather complicated. I'm going to attempt it but I can see myself blowing things up quite badly lol... time will tell....

I guess I could always restore the CA to the old Windows 2003 server if my migration attempt to the 2008 server w/ a different host name fails...
Expert Comment

by:MS_help_guy
ID: 22616586
Run upgrade from 2003 to 2008, it should work.
Author Comment

by:trafsta
ID: 22616630
MS_help_guy:

So you are saying that when installing the AD CS services on the new 'server2' win2k8 DC it will prompt me to upgrade from the CA on the old win2k3 DC named 'server1'?
Author Comment

by:trafsta
ID: 22616659
Never mind, you must not be saying that, as I just tried that and I don't see "upgrade" anywhere... I guess you're referring to upgrading the Win2k3 server to Win2k8, and the CA should then upgrade automatically? Unfortunately the old server hardware is being decommissioned. The new win2k8 DC server is a Hyper-V virtual server and it is already up and running. Hmmm...
Assisted Solution

by:placebo69a (earned 250 total points)
ID: 22617937
1. Back up the CA database and private key and export the CA registry configuration from the Windows Server 2003 server.

2. Remove Certificate Services from the Windows Server 2003 server.

3. Set up an enterprise root CA on a computer running Windows Server 2008, using the root CA certificate (with private key) that was exported from the Windows Server 2003 server.

4. Restore the CA database on the Windows Server 2008 computer.

5. After you restart the certificate service on Windows Server 2008, it functions well for enrolling certificates without restoring the CA configuration (registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration from the Windows Server 2003 server).

Please make sure to perform a complete server backup of the Windows Server 2003 server before migrating the CA (removing Certificate Services).

Let me know how it turned out :)
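
The backup and restore halves of the five steps above, as an added PowerShell example; this is not code from the original thread or from Microsoft. It assumes the host names Server1 and Server2 from the question, a hypothetical CA common name 'Example-CA' (the CA name itself must not change, only the host does), and a hypothetical staging share \\Server2\CaMigration$. Steps 2 and 3 (removing Certificate Services on 2003 and adding the AD CS role on 2008 with the exported .p12) are wizard-driven on those OS versions and are only described in comments.

```powershell
# Added example, not from the original thread. Assumed names: old host Server1,
# new host Server2, CA common name 'Example-CA' (must stay identical), staging share
# \\Server2\CaMigration$ (hypothetical). Step 1 runs on Server1; step 4 and the
# check in step 5 run on Server2 after the AD CS role has been installed there with
# the .p12 from the backup ("Use existing private key" in the role wizard).

$OldHost   = 'Server1'
$NewHost   = 'Server2'
$CaName    = 'Example-CA'
$BackupDir = '\\Server2\CaMigration$\CABackup'
$RegFile   = '\\Server2\CaMigration$\CertSvc-Configuration.reg'

function Backup-CaForMigration {
    # Step 1, on Server1: CA database plus private key, then the CertSvc registry hive.
    param([string]$Dir, [string]$Reg, [string]$PfxPassword)

    # certutil -backup needs an empty (or not yet existing) target directory.
    if ((Test-Path $Dir) -and (Get-ChildItem -Path $Dir)) {
        throw "Backup directory $Dir is not empty"
    }

    # Writes <Dir>\DataBase\*.edb (+ logs) and <Dir>\<CaName>.p12, the key protected
    # by the password. Keep that password: the 2008 role wizard asks for it.
    & certutil -p $PfxPassword -backup $Dir
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed: $LASTEXITCODE" }

    # Whole Configuration subtree. CAServerName inside it still names Server1 and is
    # the value that has to become Server2 on the new host.
    & reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $Reg /y
    if ($LASTEXITCODE -ne 0) { throw "reg export failed: $LASTEXITCODE" }

    # Sanity check before Certificate Services is removed from Server1 (step 2).
    $p12 = Get-ChildItem -Path $Dir -Filter '*.p12'
    $edb = Get-ChildItem -Path (Join-Path $Dir 'DataBase') -Filter '*.edb'
    if (-not $p12 -or -not $edb) { throw 'Backup incomplete: .p12 or .edb missing' }
    "Backup OK: $($p12.Name), $($edb.Name), $Reg"
}

function Restore-CaDatabase {
    # Step 4, on Server2: the key is already in place from the role install (step 3),
    # so only the database is restored; issued, revoked and pending requests return with it.
    param([string]$Dir)
    & net stop certsvc
    & certutil -f -restoredb $Dir
    if ($LASTEXITCODE -ne 0) { throw "certutil -restoredb failed: $LASTEXITCODE" }
    & net start certsvc

    # Step 5 check: the CA must answer under its unchanged name on the new host.
    & certutil -ping -config "$NewHost\$CaName"
}

# On Server1:
#   Backup-CaForMigration -Dir $BackupDir -Reg $RegFile -PfxPassword 'use-a-real-passphrase'
# On Server2, once the AD CS role is installed with the exported .p12:
#   Restore-CaDatabase -Dir $BackupDir
```

Both functions must run in an elevated prompt. The full server backup that the answer asks for is still the fallback; certutil -backup covers only the CA database and key, not templates already published in AD (those stay in the directory and need nothing) or anything else on the box.
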
Author Comment

by:trafsta
ID: 22618098
Holy sh*t... I followed the whitepaper and the advice of you guys on here and it seems to have worked. I have moved the CA from Win2k3 DC 'Server1' by backing up the CA, uninstalling the CA, demoting the DC (not necessary, you can keep the DC around if you want), then installing the CA on Win2k8 DC 'Server2' and editing the registry settings so that the CA is still named 'Server1' but the registry REG_SZ "CAServerName" is 'Server2'. I tried creating an encrypted file under a test user account and it auto generated the Basic EFS certificate on the new CA Win2k8 'Server2' server just fine... that wasn't as bad as I thought...

Thanks everyone!
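
The registry edit the author describes (CA name unchanged, CAServerName set to the new host), as an added PowerShell example for the Server2 side; it is not code from the thread or from the Microsoft whitepaper, which edits the .reg file before import rather than the live key afterwards. Assumed: host names Server1 and Server2, a hypothetical CA name 'Example-CA', and a hypothetical export file C:\CaMigration\CertSvc-Configuration.reg.

```powershell
# Added example, not from the original thread. Run elevated on Server2 after the
# AD CS role is installed and the database restored. Assumed names: Server1 (old host),
# Server2 (new host), CA name 'Example-CA', export file below (all hypothetical).

$OldHost = 'Server1'
$NewHost = 'Server2'
$CaName  = 'Example-CA'
$RegFile = 'C:\CaMigration\CertSvc-Configuration.reg'
$CaKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"

function Import-CaConfiguration {
    # Import the Server1 hive over the fresh Server2 configuration. The CA name in the
    # key path is unchanged; only host-specific values need attention afterwards.
    param([string]$File)
    & net stop certsvc
    & reg import $File
    if ($LASTEXITCODE -ne 0) { throw "reg import failed: $LASTEXITCODE" }
}

function Set-CaServerName {
    # The one value that must change: the host the CA service believes it runs on.
    param([string]$Key, [string]$NewName)
    Set-ItemProperty -Path $Key -Name 'CAServerName' -Value $NewName -Type String
    (Get-ItemProperty -Path $Key -Name 'CAServerName').CAServerName
}

function Find-OldHostReferences {
    # Every REG_SZ / REG_MULTI_SZ value under the CA key that still names the old host.
    # URL templates using the %1 token expand to the current host and are fine; a
    # literal 'Server1' in CRLPublicationURLs or CACertPublicationURLs is not.
    # Checked in the live registry because .reg files store REG_MULTI_SZ as hex(7),
    # so a text search of the export would miss them.
    param([string]$Key, [string]$HostName)
    $keys = @(Get-Item -Path $Key) + @(Get-ChildItem -Path $Key -Recurse)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            $kind = $k.GetValueKind($name)
            if ($kind -ne 'String' -and $kind -ne 'MultiString') { continue }
            foreach ($v in @($k.GetValue($name))) {
                if ($v -match [regex]::Escape($HostName)) {
                    New-Object PSObject -Property @{ Key = $k.Name; Value = $name; Data = $v }
                }
            }
        }
    }
}

Import-CaConfiguration -File $RegFile
Set-CaServerName -Key $CaKey -NewName $NewHost

$leftovers = @(Find-OldHostReferences -Key $CaKey -HostName $OldHost)
if ($leftovers) {
    # Usually hard-coded CDP/AIA URLs. Fix them with certutil -setreg, and keep a DNS
    # alias for Server1 regardless: certificates already issued (the EFS and Web Server
    # ones here) embed whatever URLs were expanded at issue time and cannot be changed.
    "Values still referencing $OldHost :"
    $leftovers | Format-Table Value, Data -AutoSize
}

& net start certsvc
& certutil -ping -config "$NewHost\$CaName"
& certutil -cainfo name     # must still print the old CA name, not a Server2-derived one
```

If certutil -ping fails after the import, the usual cause is a CAServerName that was not updated or an imported path (DBDirectory, ConfigurationDirectory) that does not exist on the new host; compare those values against the fresh install before importing.
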
Expert Comment

by:placebo69a
ID: 22619631
you're welcome!
all's well that ends well :)