Decommission Windows Server 2003 CA

Hello,

I have one 2003 CA server in my domain. I just installed another CA on 2008 R2 and I am planning to decommission the old CA. I will revoke old certificates and use the new CA infrastructure. No need to migrate anything. I found the following Microsoft KB:

http://support.microsoft.com/kb/889250

If I decommission the old CA this way, are there any repercussions that I should be aware of? Is this enough, or are there other steps that I should do in order to make the new CA function?

Thanks
Kenan asked:
Shreedhar Ette commented:
That one is the correct article. There should not be any problems.
Kenan (author) commented:
Thanks,

What I'm concerned about is the following:

When Microsoft Certificate Services is installed on a server that is a member of a domain, several objects are created in the configuration container in Active Directory. These objects are the following:

- certificateAuthority object
  Located in CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain.
  Contains the CA certificate for the CA.
  Published Authority Information Access (AIA) location.
- crlDistributionPoint object
  Located in CN=ServerName,CN=CDP,CN=Public Key Service,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
  Contains the CRL periodically published by the CA.
  Published CRL Distribution Point (CDP) location.
- certificationAuthority object
  Located in CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
  Contains the CA certificate for the CA.
- pKIEnrollmentService object
  Located in CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
  Created by the enterprise CA.
  Contains information about the types of certificates the CA has been configured to issue. Permissions on this object can control which security principals can enroll against this CA.

Are any of these AD objects shared between both CA servers?
merowinger commented:
Use the PKIView.msc utility. With it you can manage the AD integrations much more easily.

As far as I know, all these objects are not shared; they are created by each AD-integrated CA.
Paranormastic (Cryptographic Engineer) commented:
Yes and no. They will both populate those areas with their respective information, but removing the entries for CA1 will not affect CA2. Don't delete the entire container or anything like that, just the entries for CA1. The safest way, since you aren't worried about migration, is to decom first and then reinstall with the new CA2; if more needs to be added, it should be taken care of during the install.
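A way to check the "yes and no" answer above on your own forest before deleting anything: the following PowerShell script is an added example, not code from this thread or from KB 889250. It takes a read-only inventory of the objects under CN=Public Key Services in the Configuration partition (the four containers quoted in the question) and tags each one by whether its name matches the CA being decommissioned, so the removal list can be checked against what the new CA owns. It uses the actual schema classes (certificationAuthority for the AIA and Certification Authorities containers, cRLDistributionPoint for CDP, pKIEnrollmentService for Enrollment Services); the CA name `OLD-CA-2003` is a placeholder. It also lists the one object that is genuinely shared between enterprise CAs, NTAuthCertificates, whose multi-valued cACertificate attribute carries one certificate per enterprise CA. It assumes a domain-joined Windows host and a user with read access to the Configuration partition, and needs no RSAT module.

```powershell
# Added example (not from the thread or KB 889250): read-only inventory of the
# per-CA objects under CN=Public Key Services, tagged by owning CA.
# Assumes: domain-joined host, read access to the Configuration partition.

param(
    # Hypothetical placeholder: replace with the common name of the old CA.
    [string]$OldCaName = 'OLD-CA-2003'
)

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# The four containers the KB article lists, with the schema class each
# enterprise CA publishes into them.
$containers = @(
    @{ Name = 'CN=AIA';                       Class = 'certificationAuthority' },
    @{ Name = 'CN=CDP';                       Class = 'cRLDistributionPoint'   },
    @{ Name = 'CN=Certification Authorities'; Class = 'certificationAuthority' },
    @{ Name = 'CN=Enrollment Services';       Class = 'pKIEnrollmentService'   }
)

function Get-PkiObjectDn {
    # Returns the DN of every object of the given class below $ContainerDn.
    param([string]$ContainerDn, [string]$ObjectClass)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$ContainerDn"
    $searcher.Filter      = "(objectClass=$ObjectClass)"
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500
    foreach ($result in $searcher.FindAll()) {
        [string]$result.Properties['distinguishedname'][0]
    }
}

$inventory = foreach ($c in $containers) {
    $containerDn = "$($c.Name),$pkiBase"
    foreach ($dn in Get-PkiObjectDn -ContainerDn $containerDn -ObjectClass $c.Class) {
        # Each object is named after the CA that published it (the CDP ones sit
        # under a per-server container), so the leaf CN identifies the owner.
        $leafCn = (($dn -split ',')[0]) -replace '^CN=', ''
        New-Object PSObject -Property @{
            Container    = $c.Name
            LeafCN       = $leafCn
            OwnedByOldCa = ($leafCn -like "*$OldCaName*")
            DN           = $dn
        }
    }
}

# Entries with OwnedByOldCa = True are the candidates for removal; every
# other row belongs to another CA and must be left alone.
$inventory | Sort-Object Container, LeafCN |
    Format-Table Container, LeafCN, OwnedByOldCa -AutoSize

# NTAuthCertificates is a single object shared by every enterprise CA in the
# forest: cACertificate holds one certificate per CA. The old CA is removed
# from it by dropping its certificate value, never by deleting the object.
$ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,$pkiBase"
foreach ($raw in $ntAuth.Properties['cACertificate']) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (,[byte[]]$raw)
    "NTAuthCertificates: {0}  Thumbprint={1}  OldCa={2}" -f `
        $cert.Subject, $cert.Thumbprint, ($cert.Subject -like "*$OldCaName*")
}
```

Run it once before the decommission and once after: the second run should show no rows tagged True and no NTAuthCertificates line for the old CA, while every row for the 2008 R2 CA is unchanged. The script never writes to the directory, so it is safe to run from any workstation that can reach a domain controller.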
Shreedhar Ette commented: