Move Enterprise CA from Windows Server 2003 DC to Windows Server 2008 R2 with different name
Posted on 2011-02-12
I have done some research but would like to know if my intended procedure for moving the Enterprise CA for the domain from the existing 32-bit Windows Server 2003 Domain Controller to a brand new Windows Server 2008 R2 64-bit member server - with a different computer name from the DC currently hosting the CA - is going to work.
Existing environment - single Windows 2003 native forest/domain:
DC1: Windows Server 2003 standard edition with Enterprise CA installed (to be decommissioned)
DC2: Windows Server 2003 standard edition + DNS and DHCP
DC3: Windows Server 2008 R2 standard edition + DNS and all FSMO roles
We would like to install a brand new Windows Server 2008 R2 standard edition (member server) into the domain and then relocate the Enterprise CA to this server. DC1 which currently holds the Enterprise CA role will then be decommissioned and removed from the domain completely.
The domain does not have a PKI infrastructure in place. I have examined the existing non-expired certificates contained within the existing Enterprise CA, and they are as follows (from CA MMC - Issued Certificates):
- 3 Domain Controller certificates, 1 for each of the 3 Domain Controllers in the domain
- 2 Basic EFS certificates issued to 2 individual users
There are a few expired Basic EFS certificates issued to other users, but I presume these can be ignored completely.
In Certificate MMC - Personal certificates, there are only 2 certificates listed:
- DC1 (Intended Purpose: All)
- DC1.domain-name.com (Intended Purpose: Client Authentication)
The organisation only really use certificates for OWA and MAPI RPC over HTTP, and for this purpose a Verisign certificate has been installed into IIS on the BE Exchange server with copies on the FE Exchange server and the ISA server. As far as I know, removing the existing CA will have no impact on this.
To the best of my knowledge therefore, the situation with regards to existing certificates is as follows - please do let me know if this is not correct:
- No PKI is in place so no certificates will have to be moved to the new server, therefore relocating the CA to the new server will have no impact
- The 3 existing DC certificates do not have to be moved to a new CA as once the new CA is up and running, new certificates will be automatically issued - therefore no impact
- The 2 users who have EFS certificates issued will have to fully decrypt any encrypted data prior to the move of the CA - therefore no impact of changing CA to a new server
Based on above details, the procedure I am planning to follow is:
- On DC1, back up the existing CA, all certificates and the server itself
- On DC1, decommission existing CA and remove all related objects from the server and AD (based on KB889250)
- On DC1, run DCpromo to demote it to a member server
- Decommission DC1 completely and remove from domain
- Install Windows Server 2008 R2 as a member server on new hardware
- Install Enterprise CA on the new 2008 member server
I would very much appreciate it if this could be sanity checked and I would welcome any comment and corrections to the procedure. There may well be that there are things that I have not thought about or that needs further checking. It is imperative that decommissioning the old CA and installing a brand new CA will not have a negative impact on the domain.