2003 to 2008 R2 migration plan

Hello Experts

Here's my current environment

Approximately 300 Users

Single domain, 2003 functional level forest and domain

DC1 = 2003 Server, GC, CA, all FSMO roles
DC2 = 2003 Server, GC, DHCP, DNS, TS Licensing
DC3 = 2008 R2 Server Core, GC, DHCP, DNS

I want to be on a 2008 R2 domain and forest functional level and only have 2 DCs when I'm done. I've already migrated DC3 to 2008 R2. My plan from here is this:

1. Move the FSMO roles off of DC1 to DC3
2. Setup a new DC2 and migrate all of the current roles on DC2 to the new DC2
3. Decommission the old DC2
4. Move the CA from DC1 to the new DC2
5. Decommission DC1
6. Raise forest and domain functional levels

Ending up with this configuration:

2008 R2 domain and forest functional level
DC2 = 2008 R2 Server, GC, DHCP, DNS, RDS/TS Licensing, CS
DC3 = 2008 R2 Server Core, GC, DHCP, DNS, all FSMO roles

I started reading the AD CS upgrade and migration guide (link below) and came across this point on page 12:

"If a CA service was installed on a domain controller, it is a good practice to transfer the CA to a dedicated server. In this case, a domain role change would apply"
http://www.microsoft.com/downloads/details.aspx?FamilyID=c70bd7cd-9f03-484b-8c4b-279bc29a3413&displaylang=en

Does that mean that CA/CS should only be installed on a member server?

Reading that got me doubting my entire plan. I'm really looking for some guidance on best practices, especially for moving CA/CS.

Thanks for the advice
beapit Asked:

Darius Ghassem Commented:
Move the CA over to the DC since you had it on the DC prior. All other steps in the plan look correct but before moving roles you should always run a dcdiag to make sure that the new server was promoted properly.
0
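The plan in the question and the dcdiag advice above, as an added pre-migration check (example code, not from the thread). It assumes the ActiveDirectory PowerShell module (RSAT on a 2008 R2 box, run as Domain Admin), dcdiag.exe on the path, and service-control access to each DC:

```powershell
# Added example, not from the thread: inventory functional levels and FSMO holders,
# run dcdiag against every DC, and flag any DC that also runs Certificate Services.
# Assumes the ActiveDirectory module (RSAT / 2008 R2), dcdiag.exe and Domain Admin rights.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

"Domain functional level : $($domain.DomainMode)"
"Forest functional level : $($forest.ForestMode)"
""
"FSMO role holders (the plan ends with all five on DC3):"
"  Schema Master         : $($forest.SchemaMaster)"
"  Domain Naming Master  : $($forest.DomainNamingMaster)"
"  PDC Emulator          : $($domain.PDCEmulator)"
"  RID Master            : $($domain.RIDMaster)"
"  Infrastructure Master : $($domain.InfrastructureMaster)"
""

foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    "=== $name ($($dc.OperatingSystem)) GC=$($dc.IsGlobalCatalog)"

    # Run dcdiag before touching any roles. /q prints only failures,
    # so empty output means every test passed on this DC.
    $diag = & dcdiag.exe "/s:$name" /q 2>&1
    if ($diag) {
        "  dcdiag FAILURES:"
        $diag | ForEach-Object { "    $_" }
    } else {
        "  dcdiag: all tests passed"
    }

    # A DC that also runs CertSvc (DC1 in the question) is the one that needs the
    # extra checklist: back up the CA and remove it before the DC is demoted or renamed.
    $ca = Get-Service -ComputerName $name -Name CertSvc -ErrorAction SilentlyContinue
    if ($ca) {
        "  WARNING: CertSvc is $($ca.Status) on this DC - back up the CA (certutil -backup) before demoting"
    }
}
```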
AnnOminous Commented:
There are potential issues with the CA if the computer is renamed. Assuming that moving to the new computer is functionally similar, I would check this specific aspect before you attempt.

Presumably, you could always leave DC1 running as a member server with only the CA.
0
beapit (Author) Commented:
AnnOminous, are you saying that there will be a problem if I move the CA from DC1 to DC2 since the name will be different or that once the CA is moved to DC2, to not change the name of the server?
0

AnnOminous Commented:
"Domain Controllers running Microsoft's Certificate Authority services (CA) can never be renamed."
http://www.petri.co.il/rename-windows-server-2008-domain-controllers.htm

Presumably, moving the CA to another DC is functionally equivalent to renaming.

For Windows 2003, take a look at:
HOWTO: Move a certificate authority to a new server running on a domain controller.
http://support.microsoft.com/kb/555012
0
beapit (Author) Commented:
I don't think I'm following you. You said a CA can never be renamed or moved, but here's an article on how to move one. Please let me know if I'm reading that wrong. Those two statements seem to be contradictory.

Has anyone actually moved a CA before?
0
AnnOminous Commented:
According to the article I quoted, you CAN'T rename a DC that is also a CA.

Presumably, the proper process for moving a CA involves first demoting the DC.

In either case, the two links have the relevant details.

"Domain Controllers running Microsoft's Certificate Authority services (CA) can never be renamed."
http://www.petri.co.il/rename-windows-server-2008-domain-controllers.htm

For Windows 2003, take a look at:
HOWTO: Move a certificate authority to a new server running on a domain controller.
http://support.microsoft.com/kb/555012
0
beapit (Author) Commented:
I think I see what you're saying now. From my original post, I should add a step before step #4 to demote DC1, then transfer the CA. Is that correct?
0
AnnOminous Commented:
It's not that simple. You need to read the KB article.

Basically, you take a backup of the cert data, remove the CA, demote the DC, rename the system and then restore that cert data.

Two critical things happen: 1) the CA goes away, and 2) the DC goes away.

If you skip reading the article, you may also find: 3) your cert data goes away.
0
beapit (Author) Commented:
I have read the KB you posted. I'm definitely not going to blindly walk into this. Each one of the steps in my original post has sub-steps. I just want to make sure I'm doing things in the right order and am following Microsoft's recommended setup.

I'm not saying there is anything wrong with the KB you posted, but that KB was written by a Microsoft MVP and is not an official Microsoft KB article. It also doesn't mention moving the CA from 2003 to 2008 R2. The white paper I posted is much more complete. However, neither one addresses my original question. Should a CS/CA be installed on a member server only?

I just found the answer, the config I'm working with is not a best practice. I can only assume this didn't change in 2008 R2.

Deployment Planning (Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure) - http://technet.microsoft.com/en-us/library/cc739695%28WS.10%29.aspx

"Important: For security reasons, a CA should always run on a separate computer. Do not install an online CA on a domain controller, even if it is technically possible."
0
AnnOminous Commented:
"Do not install an online CA on a domain controller, even if it is technically possible."

I have some choice words for Microsoft regarding this type of recommendation. For example, RRAS is similarly not recommended on a DC and yet the SBS version bundles RRAS with AD.

So the CA should be on a member server, but it works on a DC, pace some caveats you have already seen and a slightly larger attack surface.

As long as you are prepared for the extra items on your checklist, and possibly having to bushwhack if you go off the official path, I don't see why it should not work. My real concern was making sure that you had a sense of the complexity and not rely on a couple of sentences on EE. You seem to have that.
0