Solved

How to migrate Windows Server 2008 Certificate Authority from x86 to x64

Posted on 2009-07-15
6
2,167 Views
Last Modified: 2013-11-29
Looking to upgrade our root CA from a 32-bit server to a 64-bit server.
Multiple documentation sources state that it is not possible to Backup a 32-bit CA and restore it to x64, however none that I have seen show how to actually complete a CA migration from a 32-bit to a 64-bit Windows Server.  Is there a method?  If so, what is the preferred method or where can I find documentation?  I can't believe that a migration path wouldn't exist.

Thanks.
0
Question by:cj52973
6 Comments
 
LVL 8

Expert Comment

by:FOTC
ID: 24859670
Check these out...they could help:

This is mainly for Server 2003 but the concepts are pretty much the same...

How to move a certification authority to another server:
http://support.microsoft.com/kb/298138

This is more for Server 2008...

Move a CA to a Different Computer
http://technet.microsoft.com/en-us/library/cc755153%28WS.10%29.aspx
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24859675
You would want to run parallel PKIs until your migration is complete to the new CA.  Install a new root CA and subordinate CA, deploy the new root via GPO, etc., and start replacing all the certs you have issued from the old PKI while leaving it online.  

When replacing the certs, it is easiest to start with the autoenrollment certs first - just issue the autoenroll templates to the new CA and delete them from the old CA from the Certification Authorities MMC under the Certificate Templates folder (ok to delete here - do not delete from Certificate Templates MMC).  Note that LDAP servers (i.e. your DC) will need to be rebooted afterwards to start using the new cert instead of the old cached cert.  You can manually check autoenrollment events using the command 'certutil -pulse' from the requesting box.

You can check your cert database on your old CA and sort by template name, then right click the issued certificates folder and export to .csv file that you can access in Excel.  If you have a larger database, you may need to filter by certificate expiration date > time right now and see if that helps, else add a second line for expiration date < 1 month/year/whatever ahead and make multiple .csv files.

Once you are confident you have replaced them all, do not issue the next CRL from the old root until after the existing one has expired, then give it a week.  If there was anything that you missed, that will make most certificate types stand out like a sore thumb.  The primary exception to this would be if you use EFS - that does not do any revocation checking by design.  Afterwards, you can create an extended CRL lifetime to match the lifetime of the existing CA certificate(s) and publish those, then make a final archival backup copy and take it offline.

When you are ready to remove the old root:
How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250
0
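As an added example (not part of the thread, and not Paranormastic's or Microsoft's code), the inventory step above can be scripted instead of sorting the Certification Authority MMC by hand: pull the unexpired issued certificates from both CAs with certutil -view, treat a template/requester pair that exists on the old CA but not on the new one as "not yet re-enrolled", and write one CSV per template for Excel. The CA config strings are placeholders; the script assumes certutil's documented restriction syntax (Disposition=20 for issued requests, NotAfter>=now to drop expired ones) and reads columns by position so the localized CSV header names do not matter.

```powershell
# Added example: list certificates still outstanding on the old CA that have no
# counterpart (same template, same requester) on the new CA. Placeholder config
# strings below must be replaced with the real "host\CA name" values.
param(
    [string]$OldCA  = 'OLDCA01.corp.example\Corp Root CA',     # placeholder
    [string]$NewCA  = 'NEWCA01.corp.example\Corp Root CA v2',  # placeholder
    [string]$OutDir = "$env:TEMP\ca-migration"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-IssuedCerts {
    param([string]$Config)
    # Disposition=20 = issued; NotAfter>=now skips certificates that already expired.
    # -out picks the columns; "csv" at the end makes certutil emit CSV rows.
    $raw = certutil -config $Config -view -restrict "Disposition=20,NotAfter>=now" `
        -out "RequestID,RequesterName,CertificateTemplate,NotAfter,SerialNumber" csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed against $Config" }
    # Drop certutil's own (display-name, localized) header and supply fixed names
    # so the rest of the script does not depend on the UI language.
    $raw | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestID, RequesterName, CertificateTemplate, NotAfter, SerialNumber
}

$old = Get-IssuedCerts -Config $OldCA
$new = Get-IssuedCerts -Config $NewCA

# Index what the new CA has already issued by template|requester.
$reissued = @{}
foreach ($c in $new) { $reissued["$($c.CertificateTemplate)|$($c.RequesterName)"] = $true }

# Anything on the old CA without a matching entry on the new CA still needs attention.
$remaining = $old | Where-Object {
    -not $reissued.ContainsKey("$($_.CertificateTemplate)|$($_.RequesterName)")
}

# One CSV per template, as suggested in the answer, so each can be worked through in Excel.
$remaining | Group-Object CertificateTemplate | ForEach-Object {
    $file = Join-Path $OutDir (($_.Name -replace '[^\w\.-]', '_') + '.csv')
    $_.Group | Sort-Object RequesterName | Export-Csv -Path $file -NoTypeInformation
    '{0,-45} {1,5} outstanding -> {2}' -f $_.Name, $_.Count, $file
}
```

Run it from a box that can reach both CAs with an account that has Read permission on each CA. A template/requester match is a heuristic: a machine that was re-enrolled on the new CA but still holds its old cached certificate (the LDAP/DC reboot case in the answer) will drop out of the list even though the old cert is still in use, so treat the result as the worklist for the CRL-delay check rather than as proof that nothing was missed.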
 
LVL 8

Expert Comment

by:FOTC
ID: 24859685
oh...and you're correct...you can't upgrade from 32 bit to 64 bit. You have to do a reinstall. The underlying architecture is way too different.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24859725
FOTC - from your first link:
" there is no upgrade path from a 32-bit version of Windows Server 2003 to a 64-bit version. Therefore, you cannot move an existing 32-bit database to a 64-bit database."

cj52973 already made note of that in the original question.
0
 
LVL 8

Expert Comment

by:FOTC
ID: 24859930
I'm well aware of that. I was just showing M$ documentation.
0
 
LVL 2

Author Closing Comment

by:cj52973
ID: 31603724
Yep, that's what I thought - I was just wishing I was wrong.
0
