Solved

How to migrate Windows Server 2008 Certificate Authority from x86 to x64

Posted on 2009-07-15
6
2,076 Views
Last Modified: 2013-11-29
Looking to upgrade our root CA from a 32-bit server to a 64-bit server.
Multiple documentation sources state that it is not possible to Backup a 32-bit CA and restore it to x64, however none that I have seen show how to actually complete a CA migration from a 32-bit to a 64-bit Windows Server.  Is there a method?  If so, what is the preferred methodor where can I find documentation?  I can't believe that a migration path wouldn't exist.

Thanks.
0
Comment
Question by:cj52973
  • 3
  • 2
6 Comments
 
LVL 7

Expert Comment

by:FOTC
ID: 24859670
Check these out...they could help:

This is mainly for Server 2003 but the concepts are pretty much the same...

How to move a certification authority to another server:
http://support.microsoft.com/kb/298138

This is more for Server 2008...

Move a CA to a Different Computer
http://technet.microsoft.com/en-us/library/cc755153%28WS.10%29.aspx
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24859675
You would want to run parallel PKIs until your migration is complete to the new CA.  Install a new root CA and subordinate CA, deploy the new root via GPO, etc., and start replacing all the certs you have issued from the old PKI while leaving it online.  

When replacing the certs, it is easiest to start with the autoenrollment certs first - just issue the autoenroll templates to the new CA and delete them from the old CA from the Certification Authorities MMC under the Certificate Templates folder (ok to delete here - do not delete from Certificate Templates MMC).  Note that LDAP servers (i.e. your DC) will need to be rebooted afterwards to start using the new cert instead of the old cached cert.  You can manually check autoenrollment events using the command 'certutil -pulse' from the requesting box.

You can check your cert database on your old CA and sort by template name, then right click the issued certificates folder and export to .csv file that you can access in Excel.  If you have a larger database, you may need to filter by certificate expiration date > time right now and see if that helps, else add a second line for expiration date < 1 month/year/whatever ahead and make multiple .csv files.

Once you are confident you have replaced them all, do not issue the next CRL from the old root until after the existing one has expired, then give it a week.  If there was anything that you missed, that will make most certificate types stand out like a sore thumb.  The primary exception to this would be if you use EFS - that does not do any revocation checking by design.  Afterwards, you can create an extended CRL lifetime to match the lifetime of the existing CA certificate(s) and publish those, then make a final archival backup copy and take it offline.

When you are ready to remove the old root:
How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250
0
 
LVL 7

Expert Comment

by:FOTC
ID: 24859685
oh...and you're correct...you can't upgrade from 32 bit to 64 bit. You have to do a reinstall. The underlying architecture is way too different.
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 31

Expert Comment

by:Paranormastic
ID: 24859725
FOTC - from your first link:
" there is no upgrade path from a 32-bit version of Windows Server 2003 to a 64-bit version. Therefore, you cannot move an existing 32-bit database to a 64-bit database."

cj52973 already made note of that in the original question.
0
 
LVL 7

Expert Comment

by:FOTC
ID: 24859930
im well aware of that. i was just showing M$ documentation.
0
 
LVL 2

Author Closing Comment

by:cj52973
ID: 31603724
Yep, that's what I thought - I was just wishing I was wrong.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
wondershare 17 55
Why does my public IP keep changing? 6 62
PDF to JPG 13 44
Unable to Uninstall Visual Studio 2015 7 23
If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
When you try to extract and to view the contents of a Microsoft Update Standalone Package (MSU) for Windows Vista, you cannot extract the files from the MSU. Here we are going to explain how to extract those hotfix details without using any third pa…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now