Move Certificate Authority server from DC to new server

percussed asked:
I'm in the process of decommissioning my primary DC "C". I've transferred the roles to the new DC "N", and all is well. I just shut down C and again all is well. I've been following KB 298138 to move my CA. When I got to the note "The new server must have the same computer name as the old server." All well and good, but I'm afraid to name anything C; won't it be mistaken for my old DC? Our CA issues mainly user certs for our wifi authentication.

Do I simply have to remove C from DNS, and AD (anywhere else I should check?), prior to adding the new C to the domain? Should I mention that C and new C are both VMs?

Is it best to have the CA on a server that isn't a dc?

Are there other issues to consider?

Renaming the computer is not a problem, and you might need to remove the old computer host records, but the only question is: will your old server be back again? If yes, before continuing, switch on the C computer and rename it to something else, and don't worry about the naming.


Thanks for the reply.

I spoke too soon about all being well. My Exchange server is not happy, nor is my file server with my users' redirected My Documents folders. I also forgot to change the DNS on some of the servers' network adapters.

I guess I didn't have everything prepared; I'm missing some steps in decommissioning my DC "C". Now I'm just trying to get things running again. I've restarted C, and Exchange worked for a minute this morning but now is not functioning. My Documents appear OK now and I'm able to synchronize.

I found this article on decommissioning a DC:

You need to move any FSMO roles from this DC to another DC (KB255960). [DONE]
To learn where the roles reside, run the command: netdom query fsmo
If the PDCe FSMO role resided on this DC, then you need to reconfigure the new holder of the PDCe to either use the internal hardware clock or an external source. I would recommend using an external source (KB816042). [N/A]
There needs to be at least one Global Catalog (GC) in each domain, and it is recommended that there is one in each site (KB313994). [DONE]
Move DNS services to other DCs if this DC is a DNS provider. Also point all clients that use this server for DNS to the new DNS server. [DONE NOW]
If AD integrated, simply installing DNS on a member server prior to promotion will bring up a new DNS server. [DONE]
If not AD integrated and this is a primary server, then a new primary server will need to be brought online. From DNS server manager the server needs to be promoted to primary.
If a secondary server, then make the new DC a new secondary server.
If a DHCP server, then the DHCP server's database needs to be backed up and copied to the new DHCP server. The old DHCP server is deauthorized and the new DHCP server authorized (KB325473). [DONE]

If you have Encrypting File System (EFS) enabled, you will need to move the private key if it resides on this DC (KB241201). You use the recovery agent's private key to recover data in situations when the copy of the EFS private key that is located on the local computer is lost. [NOT SURE ABOUT THIS PIECE: does redirecting use EFS? Is this part of the CA that may have been hosed?]

If this server manages Terminal Server Licensing (TSL), then it will have to be moved to a new DC. From Add/Remove Programs you will need to add a new TSL. You can then restore the licenses by using the TS License Manager tool with the telephone activation mechanism. You can switch to the telephone mechanism by right-clicking on the server in TS License Manager and then selecting Properties from the menu. (TS FAQ) [UNSURE??]

Thanks for any suggestions. This morning I'm just bringing C back up and checking to see if I can get Exchange happy; then I'll want to try and decommission C and finalize this. The ultimate goal is to shut down C (VM) and use its host as a new ESX 4 host.

Thanks for any and all help.


Also, when I log in at home via VPN, I'm unable to surf the web. I can get to local intranet sites, but nothing external. If I RDP to a machine in my office, the web is fine!?! (I added the new DC "N" to the VPN controller as an authentication server, and that was working for the authentication piece.)
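The checklist above (FSMO roles, a surviving Global Catalog, and member servers whose adapters still point at the old DC for DNS) is the kind of thing worth verifying from a console before the old DC is shut down for good. The following PowerShell is an added example, not code from the thread or from the KB articles it cites; it assumes the RSAT ActiveDirectory and DnsClient modules, domain admin rights, PowerShell remoting to the member servers, and that "C" and "N" are the old and new DC names from the question. The member server names are placeholders.

```powershell
# Added example (not from the thread): pre-decommission checks for an old DC.
# Assumes RSAT (ActiveDirectory, DnsClient modules), domain admin rights and
# PowerShell remoting. "C" and "N" are the DC names from the question.
Import-Module ActiveDirectory

$oldDc = 'C'
$newDc = 'N'

# 1. FSMO roles: none of the five may still sit on the old DC.
#    (netdom query fsmo reports the same holders.)
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $holder = ($r.Value -split '\.')[0]          # short host name from the FQDN
    $status = if ($holder -ieq $oldDc) { 'STILL ON OLD DC' } else { 'ok' }
    '{0,-22} {1,-35} {2}' -f $r.Key, $r.Value, $status
}

# 2. At least one Global Catalog must remain once the old DC is gone.
$gcs = Get-ADDomainController -Filter * | Where-Object { $_.IsGlobalCatalog }
$remainingGcs = $gcs | Where-Object { $_.Name -ine $oldDc }
if (-not $remainingGcs) {
    Write-Warning "No Global Catalog other than $oldDc; promote $newDc to GC first."
} else {
    "Remaining GCs: " + (($remainingGcs | ForEach-Object Name) -join ', ')
}

# 3. DNS client settings on servers that depend on AD (Exchange, file server, ...).
#    Any adapter still listing the old DC's address breaks when C goes away.
$oldDcIps = @(Resolve-DnsName -Name $oldDc -Type A -ErrorAction Stop).IPAddress
$servers  = @('EXCH01', 'FILE01')   # placeholder names; replace with real member servers
foreach ($s in $servers) {
    $adapters = Invoke-Command -ComputerName $s -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses }
    }
    foreach ($a in $adapters) {
        $stale = $a.ServerAddresses | Where-Object { $oldDcIps -contains $_ }
        $status = if ($stale) { 'POINTS AT OLD DC' } else { 'ok' }
        '{0,-10} {1,-25} {2,-30} {3}' -f $s, $a.InterfaceAlias,
            ($a.ServerAddresses -join ','), $status
    }
}
```

Run it from the new DC while the old one is still reachable; anything flagged "STILL ON OLD DC" or "POINTS AT OLD DC" is a reason to stop and fix the dependency before DCPROMO or shutdown.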
to move a CA to another server follow the steps as mentioned in the following KBs:
Before installing a new server with the same name, make sure the old server has been decommissioned and all references in AD have been removed. For a DC that would mean either DCPROMO to demote or metadata cleanup. In both cases you would need to delete the server object in Sites and Services.
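Before giving the replacement CA machine the old name, it is worth enumerating the places where a stale reference to the old DC can survive: the computer account, the server and NTDS Settings objects under Sites and Services, the Domain Controllers OU, and the A and SRV records in DNS. The PowerShell below is an added example, not code from the thread; it assumes the RSAT ActiveDirectory and DnsServer modules, rights to read the configuration partition, that "C" is the old DC name and "N" the new DC now hosting DNS, and a placeholder zone name you must replace.

```powershell
# Added example (not from the thread): find leftover references to the old DC
# that would collide with a new server of the same name. Assumes RSAT modules
# ActiveDirectory and DnsServer. Zone name is a placeholder.
Import-Module ActiveDirectory
Import-Module DnsServer

$oldName = 'C'
$dnsSrv  = 'N'                   # new DC that now hosts AD-integrated DNS
$zone    = 'corp.example'        # placeholder: your AD DNS zone
$rootDse = Get-ADRootDSE
$cfgNC   = $rootDse.configurationNamingContext
$domNC   = $rootDse.defaultNamingContext

$findings = New-Object System.Collections.Generic.List[string]

# 1. Computer account: a domain join under the same name will collide with it.
$comp = Get-ADComputer -Filter "Name -eq '$oldName'" -ErrorAction SilentlyContinue
if ($comp) { $findings.Add("Computer object: $($comp.DistinguishedName)") }

# 2. Domain Controllers OU entry (should be gone after a clean DCPROMO demotion).
$dcObj = Get-ADObject -SearchBase "OU=Domain Controllers,$domNC" `
                      -Filter "Name -eq '$oldName'" -ErrorAction SilentlyContinue
if ($dcObj) { $findings.Add("Domain Controllers OU entry: $($dcObj.DistinguishedName)") }

# 3. Sites and Services: the server object and its NTDS Settings child.
#    A surviving nTDSDSA object means metadata cleanup has not been done.
$srvObj = Get-ADObject -SearchBase "CN=Sites,$cfgNC" `
                       -Filter "objectClass -eq 'server' -and Name -eq '$oldName'"
if ($srvObj) {
    $findings.Add("Sites and Services server object: $($srvObj.DistinguishedName)")
    $ntds = Get-ADObject -SearchBase $srvObj.DistinguishedName -SearchScope OneLevel `
                         -Filter "objectClass -eq 'nTDSDSA'"
    if ($ntds) { $findings.Add("NTDS Settings still present: metadata cleanup required") }
}

# 4. DNS: host record plus any SRV record that still advertises the old DC.
$aRecs = Get-DnsServerResourceRecord -ComputerName $dnsSrv -ZoneName $zone -RRType A |
         Where-Object { $_.HostName -ieq $oldName }
foreach ($r in $aRecs) { $findings.Add("DNS A record: $($r.HostName) -> $($r.RecordData.IPv4Address)") }

$srvRecs = Get-DnsServerResourceRecord -ComputerName $dnsSrv -ZoneName $zone -RRType Srv |
           Where-Object { $_.RecordData.DomainName -like "$oldName.*" }
foreach ($r in $srvRecs) { $findings.Add("DNS SRV record: $($r.HostName) -> $($r.RecordData.DomainName)") }

if ($findings.Count -eq 0) {
    "No references to '$oldName' found; the name can be reused."
} else {
    "References to '$oldName' still present:"
    $findings | ForEach-Object { "  - $_" }
}
```

The script only reports; the removals themselves should follow the metadata cleanup procedure (ntdsutil or deleting the server object in Sites and Services, as the answer above says) so that replication partners and SRV registrations are cleaned up consistently rather than by ad hoc deletes.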