Solved

How to migrate Certificate Authority from Win2k3 'Server1' to Win2k8 'Server2'

Posted on 2008-10-01
Last Modified: 2012-05-05
I have an old Windows 2003 DC that I'd like to demote as we are now running a new Windows 2008 DC. I cannot demote it, however, until the Certificate Authority is moved off of it.

- The old Windows 2003 DC is named 'Server1' (as an example)
- The new Windows 2008 DC is named 'Server2'

I know Microsoft's instructions say that you must move the CA to a server of the same name, but to do this would not be easy so I need to find a way to move the CA to the new Windows 2008 server without it having the same name as the old Windows 2003 server...

The Win2k3 CA has about 2 dozen 'Basic EFS' certificates, and a couple 'EFS Recovery Agent's, and one 'Web Server' certificate (for our Exchange 2007 OWA mail server).

Can anyone suggest my best option to get the CA moved over to the new Windows 2008 server? Is my only option to have it named the same as the old server?

Any suggestions would be appreciated!
Question by:trafsta

13 Comments
Expert Comment by:cdbeste (ID: 22615609)
Here are the instructions:

http://support.microsoft.com/kb/298138

Author Comment by:trafsta (ID: 22615635)
Hi cdbeste,

I've previously read those instructions (well, skimmed through it...), and I'm pretty sure it states that the server name must remain the same: "The new server must have the same computer name as the old server."

Am I incorrect?

Expert Comment by:cdbeste (ID: 22615727)
I have searched and this is all I can find....

You can't change the name of a CA server. It states that VERY clearly at installation time.

If you have to rename a CA, you have to build a whole new CA infrastructure from scratch.

Author Comment by:trafsta (ID: 22615776)
Yeah I figured that would be the answer I'd get. I inherited this mess from the people that previously set it up. 1 server as a DC, Exchange 2k3 server, DNS, DHCP, File server, Print Server, and SQL server all in one.... everything is now split up and virtualized, so I guess what I'm going to do is create another virtual server, likely 2k3, but possibly 2k8 with the same 'server1' name and it'll be the CA... doesn't sound like I have any other options, and I definitely want to keep the CA off on its own w/o any other services running on it.

Accepted Solution by:cdbeste (earned 250 total points; ID: 22615831)
take it all the way to 2008....
Then you won't have to do it again
in a few years...

Author Comment by:trafsta (ID: 22615881)
I'll try to go straight to 2008. Does the MS article you mentioned still apply to 2008 though? Hopefully the backup from 2003 and then the restore to 2008 works alright, not to mention the exporting registry settings from 2003 and then importing to 2008 (that makes me a bit nervous as I'd imagine some settings were bound to have changed since 2003).

Author Comment by:trafsta (ID: 22616540)
Seems that the whitepaper @ http://www.microsoft.com/downloads/details.aspx?FamilyID=c70bd7cd-9f03-484b-8c4b-279bc29a3413&displaylang=en gives detailed information on going from 2003 -> 2008 CA with a host name change. The hostname can change, but the CA name must remain the same. I read through most of it now and it looks rather complicated. I'm going to attempt it but I can see myself blowing things up quite badly lol... time will tell....

I guess I could always restore the CA to the old Windows 2003 server if my migration attempt to the 2008 server w/ a different host name fails...

Expert Comment by:MS_help_guy (ID: 22616586)
Run upgrade from 2003 to 2008, it should work.

Author Comment by:trafsta (ID: 22616630)
MS_help_guy:

So you are saying that when installing the AD CS services on the new 'server2' win2k8 DC it will prompt me to upgrade from the CA on the old win2k3 DC named 'server1'?

Author Comment by:trafsta (ID: 22616659)
Never mind, you must not be saying that... as I just tried that and I don't see upgrade anywhere... I guess you're referring to upgrading the Win2k3 server to Win2k8, and the CA should then upgrade automatically? Unfortunately the old server hardware is being decommissioned. The new Win2k8 DC server is a Hyper-V virtual server and it is already up and running. Hmmm...

Assisted Solution by:placebo69a (earned 250 total points; ID: 22617937)
1. Back up the CA database and private key, and export the CA registry configuration from the Windows Server 2003 server.

2. Remove Certificate Services from the Windows Server 2003 server.

3. Set up an enterprise root CA on a computer running Windows Server 2008 using the root CA certificate (with private key) exported from the Windows Server 2003 server.

4. Restore the CA database on the Windows Server 2008 computer.

5. After you restart the certificate service on Windows Server 2008, it functions well for enrolling certificates without restoring the CA configuration (registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration from the Windows Server 2003 server).

Please make sure to perform a complete server backup of the Windows Server 2003 server before migrating the CA (removing Certificate Services).

Let me know how it turned out :)

Author Comment by:trafsta (ID: 22618098)
Holy sh*t... I followed the whitepaper and the advice of you guys on here and it seems to have worked. I have moved the CA from Win2k3 DC 'Server1' by backing up the CA, uninstalling the CA, demoting the DC (not necessary, you can keep the DC around if you want), then installing the CA on Win2k8 DC 'Server2' and editing the registry settings so that the CA is still named 'Server1' but the registry REG_SZ "CAServerName" is 'Server2'. I tried creating an encrypted file under a test user account and it auto-generated the Basic EFS certificate on the new CA Win2k8 'Server2' server just fine... that wasn't as bad as I thought...

Thanks everyone!
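A scripted form of placebo69a's five steps and of the CAServerName registry fix trafsta describes, as an added example that is not from this thread, from Microsoft's KB article or from the whitepaper. It assumes the CA's logical name is 'Server1-CA' and the backup folder is D:\CABackup (both placeholders), that each phase runs from an elevated PowerShell prompt on the server named in its heading, and that the AD CS role on Server2 was installed through the wizard with the exported .p12 chosen as the existing key and the CA name typed in unchanged. It goes slightly beyond the thread by adding post-restore checks, including a review of the publication URLs so that nothing still points at the old host.

```powershell
# Added example, not code from the thread. Placeholders: $BackupDir, $CaName.
$BackupDir = 'D:\CABackup'     # placeholder; any local folder the CA service can read
$CaName    = 'Server1-CA'      # placeholder; must match 'certutil -cainfo name' on the old CA exactly
$NewHost   = 'Server2'         # host name of the new Windows Server 2008 CA

### Phase 1: on the old Windows Server 2003 CA (Server1)
# Back up the CA database and the CA certificate with its private key.
# certutil prompts for a password that protects the exported PKCS#12 file,
# which lands in $BackupDir\$CaName.p12 alongside a DataBase\ folder.
certutil -backup $BackupDir

# Keep a copy of the CA registry configuration for reference. Step 5 above
# says it does not need to be imported on the new server; it is kept so the
# old settings (CRL periods, publication URLs) can be compared later.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CertSvc-Configuration.reg"

# Confirm the .p12 and the DataBase\ folder exist before removing Certificate Services.
Get-ChildItem -Recurse $BackupDir

### Phase 2: on the new Windows Server 2008 CA (Server2), after the AD CS role install
# The database cannot be restored while the service holds it open.
net stop certsvc

# -f overwrites the empty database the role install created.
certutil -f -restoredb $BackupDir

# This is the value trafsta corrected by hand. 'CA\' resolves to the active CA's key,
# HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CaName>\CAServerName.
# The CA name stays 'Server1-CA'; only the host it runs on changes to Server2.
certutil -setreg CA\CAServerName $NewHost

net start certsvc

### Checks
certutil -cainfo name                    # expect the unchanged CA name
certutil -getreg CA\CAServerName         # expect Server2
certutil -ping                           # CA RPC interface answers on the new host
# Review publication URLs: any literal 'Server1' here would leave clients fetching
# CRLs and CA certificates from a host that is being decommissioned.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```

The CA name check is the important one: the restored database, the issued certificates and the CRL all carry the CA's name, which is why the thread's advice is that the host name can change but the CA name cannot. If the name typed during the role install differs even in case from the old one, the restore will not line up with the existing certificates.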

Expert Comment by:placebo69a (ID: 22619631)
you're welcome!
all's well that ends well :)