Windows Server 2003 : migrate domain certification authority to new server with different name

AltaSens asked:
I have a Windows Server 2003 DC that holds the domain root certification authority role.  I need to move this role to a new server and because of some issues within our organization, I am required to change the server name.  I have read a number of articles on the matter and all of them provide guidance when the server name stays the same.

Can someone provide some direction on how to move the CA to a new server with a different name?  In this case, the new server will be running Windows Server 2008R2.

Here you go:

1. Start the Microsoft Management Console (MMC) Certificate Authority snap-in on the existing CA.
2. Right-click the domain name at the root and select Back up CA from the All Tasks menu.
3. Click Next at the welcome page of the Backup CA Wizard.
4. Select the option to back up both the "Private key and CA certificate" and "Certificate database and certificate database log". Enter the name of an empty folder to which to back up the items.
5. Enter a password that will be used to secure the backup and click Next.
6. Click Finish to begin the backup.
7. Start the registry editor (regedit.exe).
8. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.
9. Right-click the CA domain subkey and select Export from the context menu. Enter a name for the registry backup file and click Save.
10. Now remove Certificate Services from the server. To do so, select Add or Remove Programs from the Control Panel, click Add/Remove Windows Components. Clear the Certificate Services check box and click Next. You can now use dcpromo to demote the existing server so it's no longer a DC (if you are planning to remove this as a DC; otherwise you'll just need to rename it later).

On the new target server, perform the following steps:

1. If you are replacing a DC and wish it to have the same name as the previous one, you should rename it before installing the Certificate Services.
2. Add the Certificate Services component (select Add or Remove Programs from the Control Panel, click Add/Remove Windows Components, select Certificate Services and click Next).
3. Select the type of CA that the new CA is replacing (e.g., Enterprise CA), select the check box for "Use custom settings to generate the key pair and CA certificate" and click Next.
4. For the Public and Private Key Pair, select "Use an existing key" and click Import.
5. Select the name of the .p12 file you created as part of the backup of the original server, enter the password you set and click OK.
6. The window displays the selected key. Click Next to the main Public and Private Key Pair screen.
7. Click Next to all remaining dialogs until installation is complete.
8. Stop the Certificate Services.
9. Import the registry backup taken from the original server. You may wish to open the registry file and modify the CAServerName entry to this new server's name if you are not intending to rename it after. Double-click the .reg file and click Yes to the confirmation to add the information. Click OK to the read confirmation.
10. Start the Certificate Authority MMC snap-in.
11. Right-click the CA domain and select Restore CA from the All Tasks context menu.
12. Click Next to the welcome dialog.
13. Select the checkboxes for the certificate and log restore and enter the location of the backup taken from the original server. Click Next.
14. Enter the password again that was used to secure the backup and click Next.
15. Click Finish to the dialog box confirming the actions that will be taken.
16. Click Yes to start the Certificate Services. The Certificate Services should now be running on the new server.
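The backup half of the procedure above (steps 1 to 9 on the old CA), scripted with certutil and reg.exe as an added PowerShell example that is not part of the expert's answer. It assumes PowerShell 2.0 or later is installed on the 2003 CA, and C:\CABackup and NEWCA01 are placeholder values; it also rewrites CAServerName in the exported .reg file so that step 9 on the target server does not need the manual edit.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# prompt on the OLD Windows Server 2003 CA before removing Certificate Services.
# Assumptions (placeholders, not from the thread): backup folder and new host name.
$BackupDir   = 'C:\CABackup'
$NewCAServer = 'NEWCA01'   # host name the new 2008 R2 server will have
$RegKey      = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$RegFile     = Join-Path $BackupDir 'CertSvc-Configuration.reg'

# The wizard insists on an empty folder; enforce the same here.
if (Test-Path $BackupDir) { throw "$BackupDir already exists; use an empty folder" }
New-Item -ItemType Directory -Path $BackupDir | Out-Null

# Password that protects the exported private key (.p12) in the backup.
$secure = Read-Host -AsSecureString 'Backup password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Steps 4-6: private key + CA certificate + certificate database and logs.
& certutil.exe -backup -p $plain $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed (exit $LASTEXITCODE)" }

# Steps 7-9: export the CertSvc configuration key.
& reg.exe export $RegKey $RegFile /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit $LASTEXITCODE)" }

# Pre-apply the CAServerName change the target-side step 9 talks about.
# reg.exe writes UTF-16LE; Get-Content detects the BOM and -Encoding Unicode
# writes it back the same way so regedit still imports the file.
$lines = Get-Content $RegFile
$lines = $lines -replace '^"CAServerName"="[^"]*"$', ('"CAServerName"="' + $NewCAServer + '"')
Set-Content -Path $RegFile -Value $lines -Encoding Unicode

Write-Host "Backup written to $BackupDir; copy the whole folder to $NewCAServer."
```

Review the exported .reg before importing it on the target: other values under that key (CRL and AIA publication paths, for instance) may also carry the old server name literally rather than via the %1 token.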


I am just now looking at the current Root CA and the only certificates I see anywhere on this CA are Issued certs that expired in 2007.

Upon further reading, I found some guidance documentation which states that Active Directory Certificate Services is not necessary for an Active Directory infrastructure and given that this Root CA doesn't seem to be doing anything, can this just simply be removed?

** Given that we aren't using an internal CA for our web/email certificates (we use godaddy), is there any other requirement to have a CA within our environment?  Could removing this cause any issues with server-server or server-PC communications?

THANKS again for all of the help here!


Well, you just answered part of the puzzle. However, just ensure you do not have a 2-tier or 3-tier CA setup. As you mentioned that this is the ROOT CA, with issued certs all expired in 2007, I do not see a problem removing it. Having said that, make sure that this is the Root CA and that there is nothing above or below it in the hierarchy (Enterprise or standalone). Turn off any Autoenrollment policies that leave room for automatically enrolling new certificates.

GoDaddy is a frequently used source of SSL certs for email signing and encryption. MS PKI provides another free but self-managed alternative, with other major usages, based on EKUs. But if you do not have a use for it, that means you don't need it. It definitely adds to the security but requires more planning than implementation (70:30).

But as you said, you don't use it, which means you don't need it!

Paranormastic (Cryptographic Engineer):
If decommissioned properly you should be fine. Here is the guide to follow:

If you don't need it then you don't need it. If you filtered the results for issued certificates for expiring after today and no results are returned, then you should be safe to get rid of it.
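The pre-decommission check Paranormastic describes, together with the autoenrollment point from the previous answer, as an added PowerShell example that is not part of either answer. It assumes it is run elevated on the CA itself (so certutil -view defaults to the local CA), that request disposition 20 means "issued", and that bit 0x8000 in the AEPolicy value means autoenrollment is disabled, as Windows documents them.

```powershell
# Added example, not from the thread. Run elevated on the root CA before
# removing Certificate Services.

# Disposition=20 keeps only issued (not pending/denied/revoked) certificates;
# NotAfter>=now keeps only those that have not expired yet.
$csv = & certutil.exe -view -restrict 'Disposition=20,NotAfter>=now' `
           -out 'RequestID,RequesterName,CommonName,NotAfter' csv
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed (exit $LASTEXITCODE)" }
$live = @($csv | ConvertFrom-Csv)

Write-Host ("Issued certificates still valid today: {0}" -f $live.Count)
if ($live.Count -gt 0) { $live | Format-Table -AutoSize }

# Machine autoenrollment policy as set by Group Policy. AEPolicy is a bitmask:
# 0x8000 = disabled; any other value lets clients enroll/renew automatically;
# a missing value means "not configured".
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
$autoEnrollOff = ($null -eq $ae) -or (($ae -band 0x8000) -ne 0)
if ($null -eq $ae) {
    Write-Host 'Machine autoenrollment policy: not configured'
} elseif ($autoEnrollOff) {
    Write-Host 'Machine autoenrollment policy: disabled'
} else {
    Write-Warning ('Machine autoenrollment still enabled (AEPolicy=0x{0:X})' -f $ae)
}

if ($live.Count -eq 0 -and $autoEnrollOff) {
    Write-Host 'No live certificates and no active autoenrollment: safe to decommission after backup.'
} else {
    Write-Warning 'Do not remove the CA yet: live certificates or active autoenrollment found.'
}
```

Check the equivalent user policy under HKCU on a representative workstation as well, since user autoenrollment is configured separately from the machine setting shown here.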


Thanks for all of the help!
