Status: Solved
Make new 2003 server the cert SOA for domain

My old Primary Domain server died. I had warning, so I was able to transfer all services and FSMO roles to my new 64 bit server. The only thing that did not transfer was the Trusted Root SOA for my domain.

I need to make my current DC (now a "Subordinate Certification Authority") the primary authority. I need to do this right away since I do not have good certs at present since the SOA is gone.

Please Help!
Asked by HilltownHealthCenter

HilltownHealthCenter (Author) Commented:
The dead machine's CA had a self-signed cert for its SOA. I would like to do the same with the new (currently "Subordinate") CA.
HilltownHealthCenter (Author) Commented:
I need some help here. Let me know if there is anything I can post from my Certification Authority on either the old or new PDC that will help.
Krzysztof Pytko (Active Directory Engineer) Commented:
Do you have a CA backup from your old (broken) server?

Regards,
Krzysztof
HilltownHealthCenter (Author) Commented:
I have a backup from the old 32 bit server, but there is no way to use it on the new machine (64 bit)

from http://support.microsoft.com/kb/298138 :

Database format changes from the 32-bit version to the 64-bit version cause incompatibilities, and the restore is blocked. This is similar to the move from Windows 2000 to the Windows Server 2003 CA. However, there is no upgrade path from a 32-bit version of Windows Server 2003 to a 64-bit version. Therefore, you cannot move an existing 32-bit database to a 64-bit database.
Krzysztof Pytko (Active Directory Engineer) Commented:
So, this is a big problem. You cannot restore the original CA server with its certificates. When your sub-CA certificate will expire you won't be able to extend its validity period. Unfortunately you have to set up completely new CA and issue those new certificates to all clients.

Regards,
Krzysztof
HilltownHealthCenter (Author) Commented:
At this point, here is the status of the situation:

I have revived the old CA and expect it to hold until I can resolve this.
I have removed Certificate Services from the new server (it had issued no certs).
The old CA has only issued certificates to the 3 DCs and one individual (image attached).

What will I have to do (now I need detail!) to set up the new DC to take over?
certs-issued.JPG
Tasmant Commented:
Review this document : http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx
You have all the information to migrate from x86 2003 server to x64 2008 server.
HilltownHealthCenter (Author) Commented:
Sorry, I have x64 2003 server, not 2008 server.
HilltownHealthCenter (Author) Commented:
PLEASE NOTE NEW SITUATION ON THIS QUESTION:

I have one x32 2003 server with Certificate Services installed (SERVER01)
I have one x64 2003 server (no Cert Services currently installed)

I cannot copy the cert database, I need to manually configure the new server to take over from the old, I need good instructions on how to do this so as not to break the trust between my servers.

The issued certs are imaged above.
Tasmant Commented:
You cannot do this operation: http://support.microsoft.com/kb/298138/en-us
The database format changes between x86 and x64, and there is no upgrade path from x86 to x64.

The best way to achieve your goal is to follow my previous comment: migrate from 2003 x86 to 2008 R2 x64, which is a supported migration path.
http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx

HilltownHealthCenter (Author) Commented:
We do not have 2008 server licensed. This is not a viable solution.

What I need is instructions for setting up a new certification 2003 server so that the certs already issued to my 3 existing DCs will not be interrupted, or if that is impossible, instructions as to how to deploy the new server with minimal disruption to the domain.

Let's approach this as if the old server had died, with no cert backup on hand. I am now trying to get a new server in place with minimum disruption. Given that the old server had issued 3 important certs, how do I proceed?
HilltownHealthCenter (Author) Commented:
BTW: I already knew, and had already noted earlier above that x32 -> x64 is not an available path.
HilltownHealthCenter (Author) Commented:
To iSiek: You noted above "Unfortunately you have to set up completely new CA and issue those new certificates to all clients."

Please tell me how to go about that.

Thank you.
Krzysztof Pytko (Active Directory Engineer) Commented:
Your actual DC is Windows 2003 64-bit and you can set up CA there, right? Could you tell me please also, what edition it is (Standard or Enterprise)?
I will prep a doc for you. Step-by-Step :)
Give me a little bit time, please :)

Regards,
Krzysztof
HilltownHealthCenter (Author) Commented:
Yes on setting up the new CA on x64 bit 2003 server. (Standard version)
HilltownHealthCenter (Author) Commented:
To Krzysztof: My current understanding is:

I am waiting for you to compile a list of steps to set up my new x64 w2k3 Std. server with a self-signed root CA and to register the other DCs (currently registered on the old x32 CA) on this new server. Is this correct?

Thank you,
Asaph
Krzysztof Pytko (Active Directory Engineer) Commented:
Yes you're right :)
I will try to complete this doc by tomorrow (new born baby, so less time for my tasks ;))

Regards,
Krzysztof
HilltownHealthCenter (Author) Commented:
This is important to me, but not urgent, so please do it at your convenience. Thanks for the response.

Asaph
Krzysztof Pytko (Active Directory Engineer) Commented:
Hi Asaph,

once again, I'm sorry for the long delay :/

So, first of all you need to do system state backup on your 64 bit 2003 DC (i.e. using NTBACKUP utility). That's for security reason :)

Now, uninstall your Sub-CA from that server (because there is no Root CA for it). After Sub-CA uninstallation and cleanup process you can follow my attached guide.

Try this guide for one DC for tests. Change a certificate on one DC and check if it works. Then follow with next DCs.

In any case of other questions, do not hesitate to contact me.

Regards,
Krzysztof
CA-cert-for-DC.pdf
HilltownHealthCenter (Author) Commented:
This looks excellent. What a lot of work you did!
One question:

Currently the DCs point their certs to the old server, which has a self-signed cert as root.

Do I need to delete these certs from the DCs when the new certs are installed to the new CA?
HilltownHealthCenter (Author) Commented:
Sorry, here's a related question:

At what point do I uninstall the root CA from the old PDC?
HilltownHealthCenter (Author) Commented:
I installed IIS on the old CA, and tested it. The default IIS page does appear with "http://myserver01/".
However "http://myserver01/certsrv/" comes up "Page not Found".

HilltownHealthCenter (Author) Commented:
It looks like the web page /certsrv is only installed if CA installed after IIS. I found one blog that said uninstalling and re-installing CA fixes this, but can I do that without losing my current certificates?
HilltownHealthCenter (Author) Commented:
OK, I finished the instructions:

I got cert requests for each server (starting with the CA requesting to itself). I issued them on the new CA, then found them in the CA "issued certs" folder.
I saved the details of each new cert to a .p7b file, and installed each .p7b on its appropriate machine. These operations appeared to have completed successfully.

So 3 things:

1) I can't find the new certificates on the servers themselves using the Certificates snap-in. They do not appear under the Personal certificates folder, and I can't figure out where they are.

2) Did requesting a cert for the new CA from itself, and then issuing the requested cert (which shows up in the trusted root folder), create a "self-signed" cert? The old CA had a "client certificate" which pointed back at itself. The new CA does not.

3) How can I confirm that all is well?

HilltownHealthCenter (Author) Commented:
I now am finding periodic Event ID 20 :

"The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data."

Something did not go properly. Did I (or do I need to) install a self-signed cert for the new CA?

HilltownHealthCenter (Author) Commented:
I am posting the output of certutil -dcinfo:

c:\>certutil -dcinfo
0: SERVER01
1: SERVER02
2: SERVER64

*** Testing DC[0]: SERVER01
** Enterprise Root Certificates for DC SERVER01
Certificate 0:
Serial Number: 364a316afd9fd0ab44fcf56744132212
Issuer: CN=Server64, DC=Hilltown, DC=Local
Subject: CN=Server64, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): c6 6d b2 21 ae ef 19 80 7b f6 85 32 d0 d3 d6 37 04 5b 05 bd

Certificate 1:
Serial Number: 5c117d49360bc7b74350a51b9b16c1fe
Issuer: CN=Server01, DC=Hilltown, DC=Local
Subject: CN=Server01, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): b6 d2 94 e6 48 a9 33 0c d3 88 7f 15 45 f9 75 a6 9a 62 bd a1

Certificate 2:
Serial Number: 40ec9eaa44aa96a94f29d15aefc8df14
Issuer: CN=Server01, DC=Hilltown, DC=Local
Subject: CN=Server01, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 4f b6 b8 7f 74 af dc 93 90 38 e7 1e 6e a2 05 8e 91 97 08 61

Certificate 3:
Serial Number: 14fbd20bb03b62b742b4bf725837cb38
Issuer: CN=Server64, DC=Hilltown, DC=Local
Subject: CN=Server64, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 3f 7e 09 db 28 dd b3 ba a7 aa 3d 9d ec ed 15 e7 e6 ef 74 bf

Certificate 4:
Serial Number: 4a099d60d6a98e9a42c83d9061282891
Issuer: CN=server01, DC=Hilltown, DC=Local
Subject: CN=server01, DC=Hilltown, DC=Local
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 21 f9 9c ba 27 99 80 44 24 c0 8a 99 d6 ef da 39 1b 56 78 37

** KDC Certificates for DC SERVER01
0 KDC certs for SERVER01
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

*** Testing DC[1]: SERVER02
** Enterprise Root Certificates for DC SERVER02
Certificate 0:
Serial Number: 364a316afd9fd0ab44fcf56744132212
Issuer: CN=Server64, DC=Hilltown, DC=Local
Subject: CN=Server64, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): c6 6d b2 21 ae ef 19 80 7b f6 85 32 d0 d3 d6 37 04 5b 05 bd

Certificate 1:
Serial Number: 5c117d49360bc7b74350a51b9b16c1fe
Issuer: CN=Server01, DC=Hilltown, DC=Local
Subject: CN=Server01, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): b6 d2 94 e6 48 a9 33 0c d3 88 7f 15 45 f9 75 a6 9a 62 bd a1

Certificate 2:
Serial Number: 40ec9eaa44aa96a94f29d15aefc8df14
Issuer: CN=Server01, DC=Hilltown, DC=Local
Subject: CN=Server01, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 4f b6 b8 7f 74 af dc 93 90 38 e7 1e 6e a2 05 8e 91 97 08 61

Certificate 3:
Serial Number: 14fbd20bb03b62b742b4bf725837cb38
Issuer: CN=Server64, DC=Hilltown, DC=Local
Subject: CN=Server64, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 3f 7e 09 db 28 dd b3 ba a7 aa 3d 9d ec ed 15 e7 e6 ef 74 bf

Certificate 4:
Serial Number: 4a099d60d6a98e9a42c83d9061282891
Issuer: CN=server01, DC=Hilltown, DC=Local
Subject: CN=server01, DC=Hilltown, DC=Local
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 21 f9 9c ba 27 99 80 44 24 c0 8a 99 d6 ef da 39 1b 56 78 37

** KDC Certificates for DC SERVER02
0 KDC certs for SERVER02
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

*** Testing DC[2]: SERVER64
** Enterprise Root Certificates for DC SERVER64
Certificate 0:
Serial Number: 364a316afd9fd0ab44fcf56744132212
Issuer: CN=Server64, DC=Hilltown, DC=Local
Subject: CN=Server64, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): c6 6d b2 21 ae ef 19 80 7b f6 85 32 d0 d3 d6 37 04 5b 05 bd

Certificate 1:
Serial Number: 5c117d49360bc7b74350a51b9b16c1fe
Issuer: CN=Server01, DC=Hilltown, DC=Local
Subject: CN=Server01, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): b6 d2 94 e6 48 a9 33 0c d3 88 7f 15 45 f9 75 a6 9a 62 bd a1

Certificate 2:
Serial Number: 40ec9eaa44aa96a94f29d15aefc8df14
Issuer: CN=Server01, DC=Hilltown, DC=Local
Subject: CN=Server01, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 4f b6 b8 7f 74 af dc 93 90 38 e7 1e 6e a2 05 8e 91 97 08 61

Certificate 3:
Serial Number: 14fbd20bb03b62b742b4bf725837cb38
Issuer: CN=Server64, DC=Hilltown, DC=Local
Subject: CN=Server64, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 3f 7e 09 db 28 dd b3 ba a7 aa 3d 9d ec ed 15 e7 e6 ef 74 bf

Certificate 4:
Serial Number: 4a099d60d6a98e9a42c83d9061282891
Issuer: CN=server01, DC=Hilltown, DC=Local
Subject: CN=server01, DC=Hilltown, DC=Local
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 21 f9 9c ba 27 99 80 44 24 c0 8a 99 d6 ef da 39 1b 56 78 37

** KDC Certificates for DC SERVER64
0 KDC certs for SERVER64
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

CertUtil: -DCInfo command FAILED: 0x80092004 (-2146885628)
CertUtil: Cannot find object or property.

c:\>
HilltownHealthCenter (Author) Commented:
NOTE:
SERVER01 is the retired CA.
SERVER64 is the new CA.
SERVER02 is the DC for our 2nd site.
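The certutil -dcinfo output above is long and repetitive, so here is an added Python example (not part of the thread) that parses that output layout and reports, per DC, the three things the thread is chasing: whether the new CA's self-signed root is published to the DC, whether roots from the retired CA are still published, and whether the DC has any KDC certificate (the "No KDC Certificate in MY store" condition behind the Event ID 20 messages). The CA names Server64 and Server01 come from the note above; the sample text is a constructed, trimmed excerpt of the posted output.

```python
import re

# Constructed, trimmed excerpt in the layout of the certutil -dcinfo output
# posted above (Subject lines omitted; CA names and hashes are from the thread).
SAMPLE = """\
*** Testing DC[0]: SERVER01
Certificate 0:
Issuer: CN=Server01, DC=Hilltown, DC=Local
Cert Hash(sha1): b6 d2 94 e6 48 a9 33 0c d3 88 7f 15 45 f9 75 a6 9a 62 bd a1
Certificate 1:
Issuer: CN=Server64, DC=Hilltown, DC=Local
Cert Hash(sha1): c6 6d b2 21 ae ef 19 80 7b f6 85 32 d0 d3 d6 37 04 5b 05 bd
** KDC Certificates for DC SERVER01
0 KDC certs for SERVER01
*** Testing DC[1]: SERVER64
Certificate 0:
Issuer: CN=Server64, DC=Hilltown, DC=Local
Cert Hash(sha1): c6 6d b2 21 ae ef 19 80 7b f6 85 32 d0 d3 d6 37 04 5b 05 bd
** KDC Certificates for DC SERVER64
0 KDC certs for SERVER64
"""

DC_RE = re.compile(r"^\*\*\* Testing DC\[\d+\]: (\S+)")
CERT_RE = re.compile(r"^Certificate \d+:")  # not "Certificate Template Name:"
FIELD_RE = re.compile(r"^(Issuer|Subject|Cert Hash\(sha1\)): (.*)$")
KDC_RE = re.compile(r"^(\d+) KDC certs for ")

def cn(name):
    m = re.search(r"CN=([^,]+)", name)  # lower-cased CN; a bare host name passes through
    return (m.group(1) if m else name).strip().lower()

def parse_dcinfo(text):
    """Map each DC to the root certs published to it and its KDC cert count."""
    dcs, dc, cert = {}, None, None
    for line in text.splitlines():
        if m := DC_RE.match(line):
            dc, cert = dcs.setdefault(m.group(1), {"roots": [], "kdc_certs": 0}), None
        elif dc is None:
            continue  # lines before the first "*** Testing DC" block
        elif CERT_RE.match(line):
            dc["roots"].append(cert := {})
        elif (m := FIELD_RE.match(line)) and cert is not None:
            cert[m.group(1)] = m.group(2).strip()
        elif m := KDC_RE.match(line):
            dc["kdc_certs"] = int(m.group(1))
    return dcs

def assess(dcs, new_ca, retired_ca):
    """Per-DC findings: new root missing, retired root still published, no KDC cert."""
    findings = []
    for name, info in dcs.items():
        issuers = [cn(c.get("Issuer", "")) for c in info["roots"]]
        if cn(new_ca) not in issuers:
            findings.append(f"{name}: root of new CA {new_ca} not in Enterprise Root store")
        if stale := issuers.count(cn(retired_ca)):
            findings.append(f"{name}: {stale} root cert(s) from retired CA {retired_ca} still published")
        if info["kdc_certs"] == 0:
            findings.append(f"{name}: no KDC certificate in MY store (the condition behind Event ID 20)")
    return findings
```

On a real DC, save the output of `certutil -dcinfo` to a file, pass its contents to `parse_dcinfo` and then `assess(dcs, "Server64", "Server01")` to get the finding list.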
Krzysztof Pytko (Active Directory Engineer) Commented:
Hi Asaph,

I've read all your posts already and I'm analyzing them to post answers. I will try to post them by the end of this day.

Thank you for your understanding in advance :)

Regards,
Krzysztof
HilltownHealthCenter (Author) Commented:
Krzysztof,

Thanks for being willing to continue. Please hold off, since the situation has changed, and the info sent earlier is obsolete. I will post new info shortly.

Asaph
HilltownHealthCenter (Author) Commented:
The current situation is this: I am able to authenticate my secure wireless, so in some fashion, the new CA is working. It has the following issues:

I was forced to set up CA Enterprise (possible under W2k3 Std) because the wireless Radius clients use auto-enrollment, as I understand it.

I show that I have issued certs to SERVER02, but when I install the .p7b file on SERVER02, it says "installed", but it cannot be found in the store.

I am attaching the output of "certutil -dcinfo" for:
SERVER64
SERVER02
SERVER01
EXCHANGE01

I hope this gives the needed clues. Please tell me if I can send any more diagnostic output. SERVER01-dcinfo.txt SERVER02-dcinfo.txt SERVER02-dcinfo.txt SERVER64-dcinfo.txt SERVER64-dcinfo.txt SERVER02-dcinfo.txt SERVER64-dcinfo.txt EXCHANGE01.txt
HilltownHealthCenter (Author) Commented:
I'm sorry, it looks like I added multiple copies. They are identical by name.
HilltownHealthCenter (Author) Commented:
It seems that I need to resolve the question of installing the stand-alone CA or the Enterprise CA. After I configured the stand-alone CA with your instructions (which went exactly as you explained), I started getting IAS errors as below, with users saying that they could not connect.

Event 20190: Because no certificate has been configured for clients dialing in with EAP-TLS, a default certificate is being sent to user hilltown\dmorrier. Please go to the user's Remote Access Policy and configure the Extensible Authentication Protocol (EAP).

Error 20168: Could not retrieve the Remote Access Server's certificate due to the following error: Cannot find object or property.

Event 3: Access request for user dmorrier was discarded.
 Fully-Qualified-User-Name = Hilltown.Local/Staff/David Morrier
 NAS-IP-Address = 172.20.1.247
 NAS-Identifier = WLC2106-01
 Called-Station-Identifier = 00-26-99-b9-1c-90:hchc-secure
 Calling-Station-Identifier = 60-fb-42-44-d1-9e
 Client-Friendly-Name = WLC2106-01
 Client-IP-Address = 172.20.1.247
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 1
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Reason-Code = 23
 Reason = Unexpected error. Possible error in server or client configuration.

--------
I then uninstalled the stand-alone CA and reinstalled Enterprise CA. At this point, the IAS errors stopped, and authentication started working.

The problem is that I cannot get the templates I need to certify my other DCs. I am going to post a second question about which templates drop down in the CertSrv web tool, but would like to know for sure that Enterprise CA was not a mistake before I proceed. You had said that Enterprise CA would not install on W2K3 STD, but the check-box was there and it accepted the check.
HilltownHealthCenter (Author) Commented:
Hi Krzysztof,

I am signing off on this, because the solution you offered was excellent, even though it did not work for me. I don't think it is fair to hold you up because of our unusually complex system. I opened another question around getting the cert templates I need to show up in CertSrv. Feel free to offer a solution to this if you have one. For now I am continuing with Enterprise, although it is not working as it should. I may end up going back to stand-alone, if I can resolve the wireless issues.

If you have any more insight about stand-alone CA vs. Enterprise CA in a secure WPA+WPA2 Radius/AD authenticated wireless setup, please share.

Thank you,
Asaph
Krzysztof Pytko (Active Directory Engineer) Commented:
Hi Asaph,

thank you :) I would like to say sorry, that you had to wait so long for my posts :/ (tough days)

Wish you luck

Regards,
Krzysztof