Kenan asked:

Decommission Windows Server 2003 CA

Hello,

I have one 2003 CA server in my domain. I just installed another CA on 2008 R2 and I am planning to decommission the old CA. I will revoke old certificates and use the new CA infrastructure. No need to migrate anything. I found the following Microsoft KB:

http://support.microsoft.com/kb/889250

If I decommission the old CA this way, are there any repercussions that I should be aware of? Is this enough or are there other steps that I should do in order to make the new CA function?

Thanks

Kenan (ASKER):

Thanks,

What I'm concerned about is the following:

When Microsoft Certificate Services is installed on a server that is a member of a domain, several objects are created in the configuration container in Active Directory.

These objects are the following:

certificateAuthority object
  Located in CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain.
  Contains the CA certificate for the CA.
  Published Authority Information Access (AIA) location.

crlDistributionPoint object
  Located in CN=ServerName,CN=CDP,CN=Public Key Service,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
  Contains the CRL periodically published by the CA.
  Published CRL Distribution Point (CDP) location.

certificationAuthority object
  Located in CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
  Contains the CA certificate for the CA.

pKIEnrollmentService object
  Located in CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
  Created by the enterprise CA.
  Contains information about the types of certificates the CA has been configured to issue. Permissions on this object can control which security principals can enroll against this CA.

Are any of these AD objects shared between both CA servers?
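
The objects listed in the KB excerpt above can be inventoried per CA before anything is deleted. The following read-only PowerShell is an added example, not part of the original thread or the KB article; it assumes a domain-joined machine, uses only the .NET DirectoryServices classes, and its variable names are illustrative.

```powershell
# Added example (not from the thread): read-only inventory of the PKI objects
# under CN=Public Key Services, sorted by CA name so each entry can be matched
# to the CA that owns it. Nothing is modified or deleted.

# Locate the forest's configuration partition instead of hard-coding DC=...
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$pkiBase"
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.PageSize    = 500

# Object classes behind the AIA, CDP, Certification Authorities and
# Enrollment Services entries described in the KB excerpt.
$searcher.Filter = '(|(objectClass=certificationAuthority)' +
                   '(objectClass=cRLDistributionPoint)' +
                   '(objectClass=pKIEnrollmentService))'
foreach ($p in 'cn', 'objectClass', 'distinguishedName', 'dNSHostName') {
    [void]$searcher.PropertiesToLoad.Add($p)
}

$found = $searcher.FindAll()
$inventory = foreach ($r in $found) {
    $props = $r.Properties   # property names are stored in lower case

    # dNSHostName is only present on pKIEnrollmentService objects.
    $caHost = ''
    if ($props.Contains('dnshostname')) { $caHost = [string]$props['dnshostname'][0] }

    New-Object PSObject -Property @{
        CAName      = [string]$props['cn'][0]
        # objectClass is multi-valued; the last value is the most specific class.
        ObjectClass = [string]($props['objectclass'] | Select-Object -Last 1)
        CAHost      = $caHost
        DN          = [string]$props['distinguishedname'][0]
    }
}
$found.Dispose()

# The DN shows the container (AIA, CDP\ServerName, Certification Authorities,
# Enrollment Services) that each entry lives in.
$inventory | Sort-Object CAName, ObjectClass |
    Format-Table CAName, ObjectClass, CAHost, DN -AutoSize -Wrap
```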