Solved

Make new 2003 server the cert SOA for domain

Posted on 2010-11-09
537 Views
Last Modified: 2013-12-04
My old Primary Domain server died. I had warning, so I was able to transfer all services and FSMO roles to my new 64 bit server. The only thing that did not transfer was the Trusted Root SOA for my domain.

I need to make my current DC (now a "Subordinate Certification Authority") the primary authority. I need to do this right away, since I do not have good certs at present now that the SOA is gone.

Please Help!
Question by:HilltownHealthCenter
34 Comments
 

Author Comment

by:HilltownHealthCenter
ID: 34096307
The dead machine's CA had a self-signed cert for its SOA. I would like to do the same with the new (currently "Subordinate") CA.
0
 

Author Comment

by:HilltownHealthCenter
ID: 34101943
I need some help here. Let me know if there is anything I can post from my Certification Authority on either the old or new PDC that will help.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34104854
Do you have a CA backup from your old (broken) server?

Regards,
Krzysztof
0
 

Author Comment

by:HilltownHealthCenter
ID: 34104998
I have a backup from the old 32 bit server, but there is no way to use it on the new machine (64 bit).

From http://support.microsoft.com/kb/298138:

Database format changes from the 32-bit version to the 64-bit version cause incompatibilities, and the restore is blocked. This is similar to the move from Windows 2000 to the Windows Server 2003 CA. However, there is no upgrade path from a 32-bit version of Windows Server 2003 to a 64-bit version. Therefore, you cannot move an existing 32-bit database to a 64-bit database.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34105256
So, this is a big problem. You cannot restore the original CA server with its certificates. When your sub-CA certificate expires, you won't be able to extend its validity period. Unfortunately you have to set up a completely new CA and issue new certificates to all clients.

Regards,
Krzysztof
0
 

Author Comment

by:HilltownHealthCenter
ID: 34112612
At this point, here is the status of the situation:

I have revived the old CA and expect it to hold until I can resolve this.
I have removed Certificate Services from the new server (it had issued no certs).
The old CA has only issued certificates to the 3 DCs and one individual (image attached).

What will I have to do (now I need detail!) to set up the new DC to take over?
certs-issued.JPG
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 34112707
Review this document: http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx
You have all the information to migrate from x86 2003 server to x64 2008 server.
0
 

Author Comment

by:HilltownHealthCenter
ID: 34113690
Sorry, I have x64 2003 server, not 2008 server.
0
 

Author Comment

by:HilltownHealthCenter
ID: 34115715
PLEASE NOTE NEW SITUATION ON THIS QUESTION:

I have one x32 2003 server with Certificate Services installed (SERVER01)
I have one x64 2003 server (no Cert Services currently installed)

I cannot copy the cert database, so I need to manually configure the new server to take over from the old one. I need good instructions on how to do this so as not to break the trust between my servers.

The issued certs are imaged above.
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 34119245
You cannot do this operation: http://support.microsoft.com/kb/298138/en-us
The database format changes between x86 and x64, and there is no upgrade path from x86 to x64.

The best way to achieve your goal is to follow my previous comment: migrate from 2003 x86 to 2008 R2 x64, which is a supported migration path.
http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx

0
 

Author Comment

by:HilltownHealthCenter
ID: 34145799
We do not have 2008 server licensed. This is not a viable solution.

What I need is instructions for setting up a new certification 2003 server so that the certs already issued to my 3 existing DCs will not be interrupted, or if that is impossible, instructions as to how to deploy the new server with minimal disruption to the domain.

Let's approach this as if the old server had died, with no cert backup on hand. I am now trying to get a new server in place with minimum disruption. Given that the old server had issued 3 important certs, how do I proceed?
0
 

Author Comment

by:HilltownHealthCenter
ID: 34145831
BTW: I already knew, and had already noted earlier above that x32 -> x64 is not an available path.
0
 

Author Comment

by:HilltownHealthCenter
ID: 34145854
To iSiek: You noted above "Unfortunately you have to set up completely new CA and issue those new certificates to all clients."

Please tell me how to go about that.

Thank you.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34147249
Your actual DC is Windows 2003 64-bit and you can set up CA there, right? Could you tell me please also, what edition it is (Standard or Enterprise)?
I will prep a doc for you. Step-by-Step :)
Give me a little bit time, please :)

Regards,
Krzysztof
0
 

Author Comment

by:HilltownHealthCenter
ID: 34147664
Yes on setting up the new CA on x64 bit 2003 server. (Standard version)
0
 

Author Comment

by:HilltownHealthCenter
ID: 34155296
To Krzysztof: My current understanding is:

I am waiting for you to compile a list of steps to set up my new x64 w2k3 Std. server with a self-signed root CA and to register the other DCs (currently registered on the old x32 CA) on this new server. Is this correct?

Thank you,
Asaph
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34155872
Yes you're right :)
I will try to complete this doc by tomorrow (new born baby, so less time for my tasks ;))

Regards,
Krzysztof
0

 

Author Comment

by:HilltownHealthCenter
ID: 34156013
This is important to me, but not urgent, so please do it at your convenience. Thanks for the response.

Asaph
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 500 total points
ID: 34191779
Hi Asaph,

once again, I'm sorry for the long delay :/

So, first of all you need to do a system state backup on your 64 bit 2003 DC (i.e. using the NTBACKUP utility). That's for security reasons :)

Now, uninstall your Sub-CA from that server (because there is no Root CA for it). After the Sub-CA uninstallation and cleanup process you can follow my attached guide.

Try this guide on one DC for tests. Change the certificate on one DC and check if it works. Then follow with the next DCs.

If you have any other questions, do not hesitate to contact me.

Regards,
Krzysztof
CA-cert-for-DC.pdf
0
 

Author Comment

by:HilltownHealthCenter
ID: 34206044
This looks excellent. What a lot of work you did!
One question:

Currently the DCs point their certs to the old server, which has a self-signed cert as root.

Do I need to delete these certs from the DCs when the new certs are installed to the new CA?
0
 

Author Comment

by:HilltownHealthCenter
ID: 34206219
Sorry, here's a related question:

At what point do I uninstall the root CA from the old PDC?
0
 

Author Comment

by:HilltownHealthCenter
ID: 34207485
I installed IIS on the old CA, and tested it. The default IIS page does appear with http://myserver01/.
However, http://myserver01/certsrv/ comes up "Page not Found".


0
 

Author Comment

by:HilltownHealthCenter
ID: 34207781
It looks like the /certsrv web page is only installed if the CA is installed after IIS. I found one blog that said uninstalling and re-installing the CA fixes this, but can I do that without losing my current certificates?
0
 

Author Comment

by:HilltownHealthCenter
ID: 34209111
OK, I finished the instructions:

I got cert requests for each server (starting with the CA requesting to itself). I issued them on the new CA, then found them in the CA "issued certs" folder.
I saved the details of each new cert to a .p7b file, and installed each .p7b on its appropriate machine. These operations appeared to have completed successfully.

So 3 things:

1) I can't find the new certificates on the servers themselves using the Certificates snap-in. They do not appear under the Personal certificates folder, and I can't figure out where they are.

2) Did requesting a cert for the new CA from itself, and then issuing the requested cert (which shows up in the trusted root folder), create a "self-signed" cert? The old CA had a "client certificate" which pointed back at itself. The new CA does not.

3) How can I confirm that all is well?

0
 

Author Comment

by:HilltownHealthCenter
ID: 34218617
I am now finding periodic Event ID 20:

"The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.  Smartcard logon may not function correctly if this problem is not remedied.  Have the system administrator check on the state of the domain's public key infrastructure.  The chain status is in the error data."

Something did not go properly. Did I (or do I need to) install a self-signed cert for the new CA?

0
 

Author Comment

by:HilltownHealthCenter
ID: 34218869
I am posting the output of certutil -dcinfo:

c:\>certutil -dcinfo
0: SERVER01
1: SERVER02
2: SERVER64

*** Testing DC[0]: SERVER01
** Enterprise Root Certificates for DC SERVER01
Certificate 0:
Serial Number: 364a316afd9fd0ab44fcf56744132212
Issuer: CN=Server64, DC=Hilltown, DC=Local
Subject: CN=Server64, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): c6 6d b2 21 ae ef 19 80 7b f6 85 32 d0 d3 d6 37 04 5b 05 bd

Certificate 1:
Serial Number: 5c117d49360bc7b74350a51b9b16c1fe
Issuer: CN=Server01, DC=Hilltown, DC=Local
Subject: CN=Server01, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): b6 d2 94 e6 48 a9 33 0c d3 88 7f 15 45 f9 75 a6 9a 62 bd a1

Certificate 2:
Serial Number: 40ec9eaa44aa96a94f29d15aefc8df14
Issuer: CN=Server01, DC=Hilltown, DC=Local
Subject: CN=Server01, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 4f b6 b8 7f 74 af dc 93 90 38 e7 1e 6e a2 05 8e 91 97 08 61

Certificate 3:
Serial Number: 14fbd20bb03b62b742b4bf725837cb38
Issuer: CN=Server64, DC=Hilltown, DC=Local
Subject: CN=Server64, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 3f 7e 09 db 28 dd b3 ba a7 aa 3d 9d ec ed 15 e7 e6 ef 74 bf

Certificate 4:
Serial Number: 4a099d60d6a98e9a42c83d9061282891
Issuer: CN=server01, DC=Hilltown, DC=Local
Subject: CN=server01, DC=Hilltown, DC=Local
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 21 f9 9c ba 27 99 80 44 24 c0 8a 99 d6 ef da 39 1b 56 78 37

** KDC Certificates for DC SERVER01
0 KDC certs for SERVER01
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

*** Testing DC[1]: SERVER02
** Enterprise Root Certificates for DC SERVER02
Certificate 0:
Serial Number: 364a316afd9fd0ab44fcf56744132212
Issuer: CN=Server64, DC=Hilltown, DC=Local
Subject: CN=Server64, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): c6 6d b2 21 ae ef 19 80 7b f6 85 32 d0 d3 d6 37 04 5b 05 bd

Certificate 1:
Serial Number: 5c117d49360bc7b74350a51b9b16c1fe
Issuer: CN=Server01, DC=Hilltown, DC=Local
Subject: CN=Server01, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): b6 d2 94 e6 48 a9 33 0c d3 88 7f 15 45 f9 75 a6 9a 62 bd a1

Certificate 2:
Serial Number: 40ec9eaa44aa96a94f29d15aefc8df14
Issuer: CN=Server01, DC=Hilltown, DC=Local
Subject: CN=Server01, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 4f b6 b8 7f 74 af dc 93 90 38 e7 1e 6e a2 05 8e 91 97 08 61

Certificate 3:
Serial Number: 14fbd20bb03b62b742b4bf725837cb38
Issuer: CN=Server64, DC=Hilltown, DC=Local
Subject: CN=Server64, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 3f 7e 09 db 28 dd b3 ba a7 aa 3d 9d ec ed 15 e7 e6 ef 74 bf

Certificate 4:
Serial Number: 4a099d60d6a98e9a42c83d9061282891
Issuer: CN=server01, DC=Hilltown, DC=Local
Subject: CN=server01, DC=Hilltown, DC=Local
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 21 f9 9c ba 27 99 80 44 24 c0 8a 99 d6 ef da 39 1b 56 78 37

** KDC Certificates for DC SERVER02
0 KDC certs for SERVER02
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

*** Testing DC[2]: SERVER64
** Enterprise Root Certificates for DC SERVER64
Certificate 0:
Serial Number: 364a316afd9fd0ab44fcf56744132212
Issuer: CN=Server64, DC=Hilltown, DC=Local
Subject: CN=Server64, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): c6 6d b2 21 ae ef 19 80 7b f6 85 32 d0 d3 d6 37 04 5b 05 bd

Certificate 1:
Serial Number: 5c117d49360bc7b74350a51b9b16c1fe
Issuer: CN=Server01, DC=Hilltown, DC=Local
Subject: CN=Server01, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): b6 d2 94 e6 48 a9 33 0c d3 88 7f 15 45 f9 75 a6 9a 62 bd a1

Certificate 2:
Serial Number: 40ec9eaa44aa96a94f29d15aefc8df14
Issuer: CN=Server01, DC=Hilltown, DC=Local
Subject: CN=Server01, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 4f b6 b8 7f 74 af dc 93 90 38 e7 1e 6e a2 05 8e 91 97 08 61

Certificate 3:
Serial Number: 14fbd20bb03b62b742b4bf725837cb38
Issuer: CN=Server64, DC=Hilltown, DC=Local
Subject: CN=Server64, DC=Hilltown, DC=Local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 3f 7e 09 db 28 dd b3 ba a7 aa 3d 9d ec ed 15 e7 e6 ef 74 bf

Certificate 4:
Serial Number: 4a099d60d6a98e9a42c83d9061282891
Issuer: CN=server01, DC=Hilltown, DC=Local
Subject: CN=server01, DC=Hilltown, DC=Local
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 21 f9 9c ba 27 99 80 44 24 c0 8a 99 d6 ef da 39 1b 56 78 37

** KDC Certificates for DC SERVER64
0 KDC certs for SERVER64
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

CertUtil: -DCInfo command FAILED: 0x80092004 (-2146885628)
CertUtil: Cannot find object or property.

c:\>
0
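As an added example (not code from this thread, from Microsoft's tools, or from the attached guide), a small Python parser that reads a certutil -dcinfo transcript like the one above and reports what a defender looks for in it: DCs with no KDC certificate (the condition behind the Event ID 20 reported earlier), roots still trusted from the retired CA, and several distinct root certs under one CA name. The sample transcript is constructed in the shape of the posted output, trimmed to the fields parsed, and the retired-CA name passed to assess() is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the certutil -dcinfo output posted above (trimmed to parsed fields).
SAMPLE_DCINFO = """\
*** Testing DC[0]: SERVER01
** Enterprise Root Certificates for DC SERVER01
Certificate 0:
Serial Number: 364a316afd9fd0ab44fcf56744132212
Subject: CN=Server64, DC=Hilltown, DC=Local
Certificate 1:
Serial Number: 5c117d49360bc7b74350a51b9b16c1fe
Subject: CN=Server01, DC=Hilltown, DC=Local
Certificate 2:
Serial Number: 14fbd20bb03b62b742b4bf725837cb38
Subject: CN=Server64, DC=Hilltown, DC=Local
** KDC Certificates for DC SERVER01
0 KDC certs for SERVER01
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)
*** Testing DC[1]: SERVER64
** Enterprise Root Certificates for DC SERVER64
Certificate 0:
Serial Number: 364a316afd9fd0ab44fcf56744132212
Subject: CN=Server64, DC=Hilltown, DC=Local
** KDC Certificates for DC SERVER64
1 KDC certs for SERVER64
"""

def parse_dcinfo(text):
    """Return {dc: {"roots": [{"Serial Number": .., "Subject": ..}], "kdc_certs": int|None}}."""
    report, dc, cert = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"\*\*\* Testing DC\[\d+\]: (\S+)", line):
            dc, cert = m.group(1), None            # a new per-DC section starts
            report[dc] = {"roots": [], "kdc_certs": None}
        elif dc and re.match(r"Certificate \d+:", line):
            cert = {}                              # a new enterprise root cert entry
            report[dc]["roots"].append(cert)
        elif dc and (m := re.match(r"(\d+) KDC certs for", line)):
            report[dc]["kdc_certs"], cert = int(m.group(1)), None
        elif cert is not None and line.partition(": ")[0] in ("Serial Number", "Issuer", "Subject"):
            key, _, value = line.partition(": ")
            cert[key] = value
    return report

def subject_cn(dn):
    m = re.search(r"CN=([^,]+)", dn)
    return (m.group(1) if m else dn).lower()

def assess(report, retired_ca_cn):
    # Findings a defender wants: DCs with no KDC cert, lingering trust in the retired
    # root, and several roots under one CA name (a sign the CA was reinstalled).
    findings = []
    for dc, info in report.items():
        if not info["kdc_certs"]:
            findings.append(f"{dc}: no KDC certificate in MY store; smartcard/EAP-TLS logon "
                            "fails (Event ID 20) until a Domain Controller cert is enrolled")
        by_cn = defaultdict(list)
        for c in info["roots"]:
            by_cn[subject_cn(c.get("Subject", ""))].append(c.get("Serial Number", "?"))
        for cn, serials in by_cn.items():
            if cn == retired_ca_cn.lower():
                findings.append(f"{dc}: still trusts root of retired CA {cn}: {', '.join(serials)}")
            if len(serials) > 1:
                findings.append(f"{dc}: {len(serials)} different roots named {cn}; check which "
                                "one the live CA actually uses")
    return findings
```

Run it against the real transcript with `assess(parse_dcinfo(open("dcinfo.txt").read()), "Server01")`; every DC in the posted output would come back with the "no KDC certificate" finding.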
 

Author Comment

by:HilltownHealthCenter
ID: 34218881
NOTE:
SERVER01 is the retired CA.
SERVER64 is the new CA.
SERVER02 is the DC for our 2nd site.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34221434
Hi Asaph,

I've read all your posts already and I'm analyzing them to post answers. I will try to post them by the end of this day.

Thank you for your understanding in advance :)

Regards,
Krzysztof
0
 

Author Comment

by:HilltownHealthCenter
ID: 34221973
Krzysztof,

Thanks for being willing to continue. Please hold off, since the situation has changed, and the info sent earlier is obsolete. I will post new info shortly.

Asaph
0
 

Author Comment

by:HilltownHealthCenter
ID: 34222139
The current situation is this: I am able to authenticate my secure wireless, so in some fashion, the new CA is working. It has the following issues:

I was forced to set up CA Enterprise (possible under W2k3 Std) because the wireless Radius clients use auto-enrollment, as I understand it.

I show that I have issued certs to SERVER02, but when I install the .p7b file on SERVER02, it says "installed", but the cert cannot be found in the store.

I am attaching the output of "certutil -dcinfo" for:
SERVER64
SERVER02
SERVER01
EXCHANGE01

I hope this gives the needed clues. Please tell me if I can send any more diagnostic output.
SERVER01-dcinfo.txt SERVER02-dcinfo.txt SERVER02-dcinfo.txt SERVER64-dcinfo.txt SERVER64-dcinfo.txt SERVER02-dcinfo.txt SERVER64-dcinfo.txt EXCHANGE01.txt
0
 

Author Comment

by:HilltownHealthCenter
ID: 34222148
I'm sorry, it looks like I added multiple copies. They are identical by name.
0
 

Author Comment

by:HilltownHealthCenter
ID: 34227452
It seems that I need to resolve the question of installing the stand-alone CA or the Enterprise CA. After I configured the stand-alone CA with your instructions (which went exactly as you explained), I started getting IAS errors as below, with users saying that they could not connect.

Event 20190: Because no certificate has been configured for clients dialing in with EAP-TLS, a default certificate is being sent to user hilltown\dmorrier. Please go to the user's Remote Access Policy and configure the Extensible Authentication Protocol (EAP).

Error 20168: Could not retrieve the Remote Access Server's certificate due to the following error: Cannot find object or property.

Event 3: Access request for user dmorrier was discarded.
 Fully-Qualified-User-Name = Hilltown.Local/Staff/David Morrier
 NAS-IP-Address = 172.20.1.247
 NAS-Identifier = WLC2106-01
 Called-Station-Identifier = 00-26-99-b9-1c-90:hchc-secure
 Calling-Station-Identifier = 60-fb-42-44-d1-9e
 Client-Friendly-Name = WLC2106-01
 Client-IP-Address = 172.20.1.247
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 1
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Reason-Code = 23
 Reason = Unexpected error. Possible error in server or client configuration.

--------
I then uninstalled the stand-alone CA and reinstalled Enterprise CA. At this point, the IAS errors stopped, and authentication started working.

The problem is that I cannot get the templates I need to certify my other DCs. I am going to post a second question about which templates drop down in the CertSrv web tool, but would like to know for sure that Enterprise CA was not a mistake before I proceed. You had said that Enterprise CA would not install on W2K3 STD, but the check-box was there and it accepted the check.
0
 

Author Closing Comment

by:HilltownHealthCenter
ID: 34230263
Hi Krzysztof,

I am signing off on this, because the solution you offered was excellent, even though it did not work for me. I don't think it is fair to hold you up because of our unusually complex system. I opened another question around getting the cert templates I need to show up in CertSrv. Feel free to offer a solution to this if you have one. For now I am continuing with Enterprise, although it is not working as it should. I may end up going back to stand-alone, if I can resolve the wireless issues.

If you have any more insight about stand-alone CA vs. Enterprise CA in a secure WAP+WAP2 Radius/AD authenticated wireless setup, please share.

Thank you,
Asaph
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34232865
Hi Asaph,

thank you :) I would like to say sorry that you had to wait so long for my posts :/ (tough days)

Wish you luck

Regards,
Krzysztof
0
