Decommission Windows Server 2003 CA


I have one 2003 CA server in my domain. I just installed another CA on 2008 R2 and I am planning to decommission the old CA. I will revoke old certificates and use the new CA infrastructure. No need to migrate anything. I found the following Microsoft KB:

If I decommission the old CA this way, are there any repercussions that I should be aware of? Is this enough or are there other steps that I should do in order to make the new CA function?

Shreedhar Ette Commented:
That one is the correct article. There should not be any problems.

Kenan (Author) Commented:

What I'm concerned about is the following:

When Microsoft Certificate Services is installed on a server that is a member of a domain, several objects are created in the configuration container in Active Directory.

These objects are the following:

certificateAuthority object
    Located in CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain.
    Contains the CA certificate for the CA.
    Published Authority Information Access (AIA) location.

crlDistributionPoint object
    Located in CN=ServerName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
    Contains the CRL periodically published by the CA.
    Published CRL Distribution Point (CDP) location.

certificationAuthority object
    Located in CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
    Contains the CA certificate for the CA.

pKIEnrollmentService object
    Located in CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
    Created by the enterprise CA.
    Contains information about the types of certificates the CA has been configured to issue. Permissions on this object can control which security principals can enroll against this CA.

Are any of these AD objects shared between both CA servers?

Use the PKIView.msc utility. With it you can manage the AD integrations much more easily.

As far as I know, all these objects are not shared and are created by each AD-integrated CA.
Paranormastic (Cryptographic Engineer) Commented:
Yes and no. They will both populate those areas with their respective information, but removing the entries for CA1 will not affect CA2. Don't delete the entire container or anything like that, just the entries for CA1. The safest way to do it, since you aren't worried about migration, is to decom first, then reinstall with the new CA2 - if more needs to be added, it should be taken care of during the install.
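
An added example, not part of the thread or the Microsoft KB: a read-only PowerShell inventory of the four Public Key Services containers listed above, flagging which entries belong to the CA being retired so that only those are removed. The names `OLD-CA-COMMON-NAME` and `OLD-CA-SERVER` and the function `Get-PkiObjectInventory` are hypothetical placeholders; it assumes the ActiveDirectory module and a domain controller that answers its queries.

```powershell
# Added example: read-only inventory; nothing is modified or deleted.
# Needs the ActiveDirectory module (RSAT, available from Windows Server 2008 R2).
Import-Module ActiveDirectory

# Assumptions: placeholders for the CA being retired (CA1 in the thread).
$OldCaName = 'OLD-CA-COMMON-NAME'   # CA common name as shown in the CA console
$OldCaHost = 'OLD-CA-SERVER'        # short host name of the 2003 server

function Get-PkiObjectInventory {
    param([string]$CaName, [string]$CaHost)

    # Resolve the configuration partition instead of hard-coding the forest DN.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

    # The four containers named in the post above.
    foreach ($rdn in 'CN=AIA', 'CN=CDP', 'CN=Certification Authorities', 'CN=Enrollment Services') {
        $container = "$rdn,$pkiBase"
        Get-ADObject -SearchBase $container -SearchScope Subtree -Filter * -Properties whenCreated |
            Where-Object { $_.DistinguishedName -ne $container } |   # skip the container itself
            Select-Object @{ n = 'Container'; e = { $rdn } },
                          Name, ObjectClass, whenCreated,
                          @{ n = 'OldCA'; e = {
                              # Exact CA name, or anything under the old server's CDP container.
                              ($_.Name -eq $CaName) -or
                              ($_.DistinguishedName -like "*CN=$CaHost,CN=CDP,*")
                          } },
                          DistinguishedName
    }
}

# Every object is listed; OldCA = True marks the entries tied to the retired CA.
Get-PkiObjectInventory -CaName $OldCaName -CaHost $OldCaHost |
    Sort-Object Container, Name |
    Format-Table Container, Name, ObjectClass, OldCA, whenCreated -AutoSize
```

Rows with OldCA = False that carry the new CA's name are the ones that must stay. A CA whose key was renewed can publish CRL objects with a suffixed name, so review unflagged rows under CN=CDP by hand.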