Solved

2003 to 2008 R2 migration plan

Posted on 2010-04-09
2,138 Views
Last Modified: 2012-05-09
Hello Experts

Here's my current environment

Approximately 300 Users

Single domain, 2003 functional level forest and domain

DC1 = 2003 Server, GC, CA, all FSMO roles
DC2 = 2003 Server, GC, DHCP, DNS, TS Licensing
DC3 = 2008 R2 Server Core, GC, DHCP, DNS

I want to be on a 2008 R2 domain and forest functional level and only have 2 DCs when I'm done. I've already migrated DC3 to 2008 R2. My plan from here is this:

1. Move the FSMO roles off of DC1 to DC3
2. Setup a new DC2 and migrate all of the current roles on DC2 to the new DC2
3. Decommission the old DC2
4. Move the CA from DC1 to the new DC2
5. Decommission DC1
6. Raise forest and domain functional levels

Ending up with this configuration:

2008 R2 domain and forest functional level
DC2 = 2008 R2 Server, GC, DHCP, DNS, RDS/TS Licensing, CS
DC3 = 2008 R2 Server Core, GC, DHCP, DNS, all FSMO roles

I started reading the AD CS upgrade and migration guide (link below) and came across this point on page 12:

"If a CA service was installed on a domain controller, it is a good practice to transfer the CA to a dedicated server. In this case, a domain role change would apply"
http://www.microsoft.com/downloads/details.aspx?FamilyID=c70bd7cd-9f03-484b-8c4b-279bc29a3413&displaylang=en

Does that mean that CA/CS should only be installed on a member server?

Reading that got me doubting my entire plan. I'm really looking for some guidance on best practices, especially for moving CA/CS.

Thanks for the advice
Question by:beapit
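The pre-checks and the FSMO transfer in the plan above, as an added example that is not part of the original question or the Microsoft guide. It assumes the Active Directory module from Windows Server 2008 R2 or RSAT is available on the machine running it, that DC3 (2008 R2) answers AD Web Services, and that the host names DC1 and DC3 are the ones from the post; the variable names are mine.

```powershell
# Added example (not from the thread): pre-flight checks, FSMO transfer and
# verification for the migration plan. Host names DC1/DC3 are from the post;
# everything else is an assumption.
Import-Module ActiveDirectory

$target = 'DC3'   # the 2008 R2 DC that will hold all five roles

# 1. Verify the target replicates cleanly before it takes on any roles.
#    dcdiag /q and repadmin /errorsonly print only failures; fail closed on any output.
$diag = dcdiag "/s:$target" /q
if ($diag) { throw "dcdiag reported problems on ${target}:`n$($diag -join "`n")" }
$repl = repadmin /showrepl $target /errorsonly
if ($repl) { throw "replication errors on ${target}:`n$($repl -join "`n")" }

# 2. Record the current holders before the move (rollback notes / change ticket).
netdom query fsmo

# 3. Transfer (not seize) all five roles. Transfer requires DC1 to be online;
#    seizing is only for a source DC that is gone for good.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# 4. Confirm every role now points at the target before touching DC1.
$domain = Get-ADDomain
$forest = Get-ADForest
$holders = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$bad = $holders.GetEnumerator() | Where-Object { $_.Value -notlike "$target.*" }
if ($bad) { throw "roles not on ${target}: $(($bad | ForEach-Object { $_.Key }) -join ', ')" }

# 5. Raising functional levels is one-way and must wait until the last 2003 DC
#    (DC1, after the CA is off it) has been demoted. Left commented out on purpose.
# Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain
# Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest
```

Run it once from an account that is a member of Schema Admins, Enterprise Admins and Domain Admins (the schema and domain naming roles need the first two). The check in step 4 is the one worth keeping: DC1 should not be demoted until `Get-ADDomain` and `Get-ADForest` both report DC3 for every role.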
10 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 30211498
Move the CA over to the DC since you had it on the DC prior. All other steps in the plan look correct but before moving roles you should always run a dcdiag to make sure that the new server was promoted properly.
 
LVL 4

Expert Comment

by:AnnOminous
ID: 30212906
There are potential issues with the CA if the computer is renamed. Assuming that moving to the new computer is functionally similar, I would check this specific aspect before you attempt.

Presumably, you could always leave DC1 running as a member server with only the CA.
 

Author Comment

by:beapit
ID: 30227285
AnnOminous, are you saying that there will be a problem if I move the CA from DC1 to DC2 since the name will be different or that once the CA is moved to DC2, to not change the name of the server?

 
LVL 4

Expert Comment

by:AnnOminous
ID: 30228814
"Domain Controllers running Microsoft's Certificate Authority services (CA) can never be renamed."
http://www.petri.co.il/rename-windows-server-2008-domain-controllers.htm

Presumably, moving the CA to another DC is functionally equivalent to renaming.

For Windows 2003, take a look at:
HOWTO: Move a certificate authority to a new server running on a domain controller.
http://support.microsoft.com/kb/555012
 

Author Comment

by:beapit
ID: 30338674
I don't think I'm following you. You said a CA can never be renamed or moved, but here's an article on how to move one. Please let me know if I'm reading that wrong. Those two statements seem to be contradictory.

Has anyone actually moved a CA before?
 
LVL 4

Expert Comment

by:AnnOminous
ID: 30343102
According to the article I quoted, you CAN'T rename a DC that is also a CA.

Presumably, the proper process for moving a CA involves first demoting the DC.

In either case, the two links have the relevant details.

"Domain Controllers running Microsoft's Certificate Authority services (CA) can never be renamed."
http://www.petri.co.il/rename-windows-server-2008-domain-controllers.htm

For Windows 2003, take a look at:
HOWTO: Move a certificate authority to a new server running on a domain controller.
http://support.microsoft.com/kb/555012
 

Author Comment

by:beapit
ID: 30574807
I think I see what you're saying now. From my original post, I should add a step before step #4 to demote DC1, then transfer the CA. Is that correct?
 
LVL 4

Expert Comment

by:AnnOminous
ID: 30619983
It's not that simple. You need to read the KB article.

Basically, you take a backup of the cert data, remove the CA, demote the DC, rename the system and then restore that cert data.

Two critical things happen: 1) the CA goes away, and 2) the DC goes away.

If you skip reading the article, you may also find: 3) your cert data goes away.
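The backup, remove, demote, restore sequence described in the comment above, as an added example that is not part of the thread, the KB article or the Microsoft migration guide. It assumes the CA's common name is "CorpCA" (hypothetical), that the old CA is DC1 (Windows Server 2003) and the destination is the new DC2 built as a member server on 2008 R2, and that the backup directory and PFX password are placeholders. Part A is written in PowerShell for consistency with the rest of the page; on a 2003 box without PowerShell the same certutil and reg commands are typed into cmd.exe with literal paths.

```powershell
# Added example (not from the thread or the Microsoft guide). CA name "CorpCA",
# backup path and password are assumptions; DC1 and DC2 are from the post.

# --- Part A: on the old CA (DC1, Windows Server 2003, still a DC) ---
$backupDir   = 'D:\CABackup'
$pfxPassword = 'ChangeMe-Use-A-Real-Secret'   # protects the exported CA private key

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Full backup: CA database, logs, CA certificate and private key (as a .p12/PFX).
certutil -backup -p $pfxPassword $backupDir

# The CA configuration lives under this key and is NOT part of -backup.
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "$backupDir\CertSvc.reg" /y

# Record which templates this CA publishes; the new CA starts with none of them.
certutil -catemplates > "$backupDir\templates.txt"

# Copy $backupDir off the box. It contains the CA private key: restrict its ACL,
# keep it off shares, and delete it once the migration is verified.
# Then: uninstall the CA component, dcpromo to demote DC1, and retire the host.

# --- Part B: on the new CA (DC2, Windows Server 2008 R2, member server) ---
# Refuse to continue on a domain controller (Win32_ComputerSystem.DomainRole 4 or 5);
# getting the CA off a DC is the whole point of the move.
$role = (Get-WmiObject Win32_ComputerSystem).DomainRole
if ($role -ge 4) { throw 'This host is a domain controller; install the CA on a member server.' }

Import-Module ServerManager
Add-WindowsFeature ADCS-Cert-Authority        # role binaries only; configuration is next

# Configure the role with the Server Manager wizard (2008 R2 has no cmdlet for it):
# Enterprise CA, "Use existing private key", pick the certificate imported from the
# .p12 in $backupDir, and keep the SAME CA common name so already-issued certificates
# and the pKIEnrollmentService object in AD stay valid.

# Restore the database over the freshly configured, empty CA.
net stop certsvc
certutil -restoredb $backupDir

# The exported registry still names the old host. CAServerName is a plain REG_SZ,
# so a text replace fixes it; the .reg is UTF-16, so write it back the same way.
$reg = Get-Content "$backupDir\CertSvc.reg"
$reg -replace '\bDC1\b', 'DC2' | Set-Content "$backupDir\CertSvc-DC2.reg" -Encoding Unicode
reg import "$backupDir\CertSvc-DC2.reg"
net start certsvc

# Post-checks. The CRL/AIA URL lists are REG_MULTI_SZ (hex in the .reg file), so the
# replace above did not touch them: inspect, and if they hard-code DC1 fix them with
# certutil -setreg CA\CRLPublicationURLs / CA\CACertPublicationURLs before publishing.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
certutil -ping -config "DC2\CorpCA"           # the CA answers under its new host
certutil -crl                                  # publish a fresh CRL from the new location

# Re-add the templates recorded in templates.txt, e.g.:
# certutil -setcatemplates +WebServer
```

Two things are easy to get wrong here. The CA common name must not change, only the host; a different CA name makes the restored database and every issued certificate belong to a CA that no longer exists in AD. And the restore is done on the new server before the registry import, so the wizard has already created the configuration key that the import then overwrites, which is why the paths and host references in that key need checking rather than trusting the export.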
 

Author Comment

by:beapit
ID: 30651485
I have read the KB you posted. I'm definitely not going to blindly walk into this. Each one of the steps in my original post has sub-steps. I just want to make sure I'm doing things in the right order and am following Microsoft's recommended setup.

I'm not saying there is anything wrong with the KB you posted, but that KB was written by a Microsoft MVP and is not an official Microsoft KB article. It also doesn't mention moving the CA from 2003 to 2008 R2. The white paper I posted is much more complete. However, neither one addresses my original question. Should a CS/CA be installed on a member server only?

I just found the answer, the config I'm working with is not a best practice. I can only assume this didn't change in 2008 R2.

Deployment Planning (Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure) - http://technet.microsoft.com/en-us/library/cc739695%28WS.10%29.aspx

Important: For security reasons, a CA should always run on a separate computer. Do not install an online CA on a domain controller, even if it is technically possible.
 
LVL 4

Accepted Solution

by: AnnOminous (earned 2000 total points)
ID: 30691686
"Do not install an online CA on a domain controller, even if it is technically possible."

I have some choice words for Microsoft regarding this type of recommendation. For example, RRAS is similarly not recommended on a DC and yet the SBS version bundles RRAS with AD.

So the CA should be on a member server, but it works on a DC, pace some caveats you have already seen and a slightly larger attack surface.

As long as you are prepared for the extra items on your checklist, and possibly having to bushwhack if you go off the official path, I don't see why it should not work. My real concern was making sure that you had a sense of the complexity and not rely on a couple of sentences on EE. You seem to have that.