
How to migrate Certificate Authority from Win2k3 'Server1' to Win2k8 'Server2'

I have an old Windows 2003 DC that I'd like to demote as we are now running a new Windows 2008 DC. I cannot demote it, however, until the Certificate Authority is moved off of it.

- The old Windows 2003 DC is named 'Server1' (as an example)
- The new Windows 2008 DC is named 'Server2'

I know Microsoft's instructions say that you must move the CA to a server of the same name, but to do this would not be easy so I need to find a way to move the CA to the new Windows 2008 server without it having the same name as the old Windows 2003 server...

The Win2k3 CA has about two dozen 'Basic EFS' certificates, a couple of 'EFS Recovery Agent' certificates, and one 'Web Server' certificate (for our Exchange 2007 OWA mail server).

Can anyone suggest my best option to get the CA moved over to the new Windows 2008 server? Is my only option to have it named the same as the old server?

Any suggestions would be appreciated!
Asked by: trafsta

cdbesteCommented:
Here are the instructions:

http://support.microsoft.com/kb/298138


trafstaAuthor Commented:
Hi cdbeste,

I've previously read those instructions (well, skimmed through it...), and I'm pretty sure it states that the server name must remain the same: "The new server must have the same computer name as the old server."

Am I incorrect?
cdbesteCommented:
I have searched and this is all I can find....

You can't change the name of a CA server. It states that VERY clearly at installation time.

If you have to rename a CA, you have to build a whole new CA infrastructure from scratch.
trafstaAuthor Commented:
Yeah, I figured that would be the answer I'd get. I inherited this mess from the people that previously set it up: one server as a DC, Exchange 2k3 server, DNS, DHCP, file server, print server, and SQL server all in one.... Everything is now split up and virtualized, so I guess what I'm going to do is create another virtual server, likely 2k3 but possibly 2k8, with the same 'server1' name and it'll be the CA... Doesn't sound like I have any other options, and I definitely want to keep the CA off on its own w/o any other services running on it.
cdbesteCommented:
take it all the way to 2008....
Then you won't have to do it again
in a few years...
trafstaAuthor Commented:
I'll try to go straight to 2008. Does the MS article you mentioned still apply to 2008 though? Hopefully the backup from 2003 and then the restore to 2008 works alright, not to mention the exporting registry settings from 2003 and then importing to 2008 (that makes me a bit nervous as I'd imagine some settings were bound to have changed since 2003).
trafstaAuthor Commented:
It seems that the whitepaper at http://www.microsoft.com/downloads/details.aspx?FamilyID=c70bd7cd-9f03-484b-8c4b-279bc29a3413&displaylang=en gives detailed information on going from a 2003 to a 2008 CA with a host name change. The host name can change, but the CA name must remain the same. I've read through most of it now and it looks rather complicated. I'm going to attempt it, but I can see myself blowing things up quite badly lol... time will tell....

I guess I could always restore the CA to the old Windows 2003 server if my migration attempt to the 2008 server w/ a different host name fails...
MS_help_guyCommented:
Run upgrade from 2003 to 2008, it should work.
trafstaAuthor Commented:
MS_help_guy:

So you are saying that when installing the AD CS services on the new 'server2' win2k8 DC it will prompt me to upgrade from the CA on the old win2k3 DC named 'server1'?
trafstaAuthor Commented:
Never mind, you must not be saying that, as I just tried that and I don't see "upgrade" anywhere... I guess you're referring to upgrading the Win2k3 server to Win2k8, and the CA should then upgrade automatically? Unfortunately the old server hardware is being decommissioned. The new Win2k8 DC server is a Hyper-V virtual server and it is already up and running. Hmmm...
placebo69aCommented:
1. Back up the CA database and private key and export the CA registry configuration from the Windows Server 2003 server.

2. Remove Certificate Services from the Windows Server 2003 server.

3. Set up an enterprise root CA on a computer running Windows Server 2008 with the root CA certificate (with private key) that was exported from the Windows Server 2003 server.

4. Restore the CA database on the Windows Server 2008 computer.

5. After you restart the certificate service on Windows Server 2008, it functions well for enrolling certificates without restoring the CA configuration (registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\configuration from the Windows Server 2003 server).

Please make sure to perform a complete server backup on the Windows Server 2003 server before migrating the CA (removing Certificate Services).

Let me know how it turned out :)
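The five steps above written out as the commands an admin would actually type, added here as an example; it is not code from the thread, from the whitepaper or from Microsoft's KB. It assumes the CA's common name is 'Server1-CA' (the thread never states the real one), a backup folder C:\CABackup that gets copied from Server1 to Server2 between steps 2 and 3, and that the AD CS role on Server2 is added through the Server Manager wizard, which is where the existing key is picked. Every command is certutil, reg or net, so the Server1 half runs from cmd.exe on Windows 2003 and the Server2 half from cmd.exe or PowerShell on 2008.

```powershell
# Added example, not from the thread. Assumed names: CA common name 'Server1-CA',
# backup folder C:\CABackup. Run as an Enterprise Admin; certutil -backup prompts
# for a password that protects the exported private key, keep that password offline.

# ---------- On Server1 (Windows Server 2003) ----------
mkdir C:\CABackup

# Record the name you must preserve. In the config string "Server1\Server1-CA" the part
# after the backslash is the CA name and must not change; the host name before it may.
certutil -getconfig

# Step 1: database plus CA certificate with private key. Writes C:\CABackup\Server1-CA.p12
# and C:\CABackup\DataBase\. (-backupdb and -backupkey do the two halves separately.)
certutil -backup C:\CABackup

# Keep the CertSvc configuration for reference. It is NOT imported wholesale on Server2,
# only CAServerName is changed there (see step 5).
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration C:\CABackup\certsvc-config.reg

# An enterprise CA's list of issuable templates is not part of the database backup; save it.
certutil -catemplates > C:\CABackup\templates.txt

# Step 2: remove Certificate Services (Add/Remove Windows Components) only after the backup
# folder has been verified and copied to Server2. A full server backup first, as the post says.

# ---------- On Server2 (Windows Server 2008) ----------
# Step 3: Server Manager > Add Roles > Active Directory Certificate Services > Enterprise, Root CA.
#   On "Set Up Private Key" choose "Use existing private key" > "Select a certificate and use its
#   associated private key" > Import C:\CABackup\Server1-CA.p12 with the password from step 1.
#   The wizard takes the CA name from the imported certificate, so it stays 'Server1-CA'.

# Step 4: stop the service and restore the 2003 database over the empty one the wizard created
# (-f overwrites it). Restoring only the database keeps the key the wizard just installed.
net stop certsvc
certutil -f -restoredb C:\CABackup

# Step 5: the CA name is unchanged, so the only registry value that has to follow the move is the
# host name in CAServerName. Importing certsvc-config.reg would drag Server1 back in and overwrite
# values the 2008 wizard wrote, which is why placebo69a's step 5 leaves the old config alone.
reg add HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration /v CAServerName /t REG_SZ /d Server2 /f

# Re-enable the templates the 2003 CA issued (internal names from templates.txt: Basic EFS is EFS,
# EFS Recovery Agent is EFSRecovery, Web Server is WebServer).
certutil -SetCATemplates +EFS
certutil -SetCATemplates +EFSRecovery
certutil -SetCATemplates +WebServer

net start certsvc
certutil -ping
```

Run the Server1 section first and check that C:\CABackup\Server1-CA.p12 and the DataBase folder exist before touching Add/Remove Windows Components; once Certificate Services is gone from Server1 the backup folder and the old server's full backup are the only copies of the CA key.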
trafstaAuthor Commented:
Holy sh*t... I followed the whitepaper and the advice of you guys on here and it seems to have worked. I have moved the CA from Win2k3 DC 'Server1' by backing up the CA, uninstalling the CA, demoting the DC (not necessary, you can keep the DC around if you want), then installing the CA on Win2k8 DC 'Server2' and editing the registry settings so that the CA is still named 'Server1' but the registry REG_SZ "CAServerName" is 'Server2'. I tried creating an encrypted file under a test user account and it auto-generated the Basic EFS certificate on the new Win2k8 CA server 'Server2' just fine... That wasn't as bad as I thought...

Thanks everyone!
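A post-move check on Server2, added as an example that is not part of the thread. The EFS enrollment test above proves new issuance works; what it does not exercise is everything that embeds the old host name. The CA name stayed the same, but the CDP and AIA URL templates on a default 2003 enterprise CA expand %1 to the server's DNS name, so http:// and file:// pointers inside certificates issued before the move still name Server1, while the ldap:/// entries carry the CA name and keep resolving through AD. Assumes the CA name 'Server1-CA' and that the public half of the OWA certificate was exported to C:\CABackup\owa.cer; runs from cmd.exe or PowerShell on Server2.

```powershell
# Added example, not from the thread. Assumptions: CA name 'Server1-CA', pre-move
# certificate (public part only) exported to C:\CABackup\owa.cer.

# Service answers under the new host; config string should now read Server2\Server1-CA.
certutil -ping
certutil -getconfig
certutil -cainfo name

# Only CAServerName changed. Active still holds the CA name, which is what issued
# certificates and the AD enrollment objects are keyed on.
reg query HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration /v CAServerName
reg query HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration /v Active

# Publish a fresh CRL from the new host so the ldap:/// CDP object in AD is signed and current.
certutil -CRL

# CDP and AIA templates: entries with %1 (ServerDNSName) produce Server1-based URLs in old certs.
# Either keep a DNS CNAME 'Server1' pointing at Server2 (and an IIS /CertEnroll vdir) or accept
# that clients rely on the ldap:/// entry, which is what domain members use anyway.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# Chain a certificate issued before the move and fetch every CDP/AIA URL it contains.
# Any URL that still points at a decommissioned Server1 shows up here as a fetch failure.
certutil -verify -urlfetch C:\CABackup\owa.cer
```

The last command is the one worth reading carefully: a failed http:// fetch with a successful ldap:/// fetch is the expected state after a host rename, and whether that is acceptable depends on whether anything outside the domain (the OWA certificate's external clients, for instance) needs to check revocation.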
placebo69aCommented:
you're welcome!
all's well that ends well :)