Move Enterprise CA from Windows Server 2003 DC to Windows Server 2008 R2 with different name

Hello Experts,

I have done some research but would like to know if my intended procedure for moving the Enterprise CA for the domain from the existing 32-bit Windows Server 2003 Domain Controller to a brand new Windows Server 2008 R2 64-bit member server - with a different computer name from the DC currently hosting the CA - is going to work.

Existing environment - single Windows 2003 native forest/domain:

DC1: Windows Server 2003 standard edition with Enterprise CA installed (to be decommissioned)
DC2: Windows Server 2003 standard edition + DNS and DHCP
DC3: Windows Server 2008 R2 standard edition + DNS and all FSMO roles

We would like to install a brand new Windows Server 2008 R2 standard edition (member server) into the domain and then relocate the Enterprise CA to this server. DC1, which currently holds the Enterprise CA role, will then be decommissioned and removed from the domain completely.

The domain does not have a PKI infrastructure in place.  I have examined the existing non-expired certificates contained within the existing Enterprise CA, and they are as follows (from CA MMC - Issued Certificates):

- 3 Domain Controller certificates, 1 for each of the 3 Domain Controllers in the domain
- 2 Basic EFS certificates issued to 2 individual users

There are a few expired Basic EFS certificates issued to other users, but I presume these can be ignored completely.

In Certificate MMC - Personal certificates, there are only 2 certificates listed:

- DC1  (Intended Purpose: All)
- (Intended Purpose: Client Authentication)

The organisation only really uses certificates for OWA and MAPI RPC over HTTP, and for this purpose a Verisign certificate has been installed into IIS on the BE Exchange server with copies on the FE Exchange server and the ISA server. As far as I know, removing the existing CA will have no impact on this.

To the best of my knowledge therefore, the situation with regards to existing certificates is as follows - please do let me know if this is not correct:

- No PKI is in place so no certificates will have to be moved to the new server, therefore relocating the CA to the new server will have no impact
- The 3 existing DC certificates do not have to be moved to a new CA as once the new CA is up and running, new certificates will be automatically issued - therefore no impact
- The 2 users who have EFS certificates issued will have to fully decrypt any encrypted data prior to the move of the CA - therefore no impact of changing CA to a new server

Based on above details, the procedure I am planning to follow is:

- On DC1, back up the existing CA, all certificates and the server itself
- On DC1, decommission existing CA and remove all related objects from the server and AD (based on KB889250)
- On DC1, run DCpromo to demote it to a member server
- Decommission DC1 completely and remove from domain
- Install Windows Server 2008 R2 as a member server on new hardware
- Install Enterprise CA on the new 2008 member server

I would very much appreciate it if this could be sanity checked, and I would welcome any comments and corrections to the procedure. There may well be things that I have not thought about or that need further checking. It is imperative that decommissioning the old CA and installing a brand new CA will not have a negative impact on the domain.

You are pretty much right.

As you only have 3 DC certificates issued to the current DCs, they will be reissued by the new Enterprise CA. As far as Basic EFS certificates are concerned, revocation does not run on EFS certificates, so even if you don't decrypt the data prior to the CA removal there won't be any adverse effect unless you have the correct certificate and the private key to decrypt the data.

Also the certificates installed on the Exchange Server are from Verisign so it does not have any link with your internal PKI Infrastructure.

You might consider having an Enterprise Server OS to use features like Autoenrollment for machines and users.

You can also review the KB 298138 to do the CA Migration. There are Migration Guide Links given at the bottom of this KB.

Your steps are right. I would just like to add a few steps to your procedure. Microsoft recommends that DCs must be a NS and GC. So please check that all your DCs are GCs.

AD CS Migration to Win2k8 R2 step by step

Once you decommission DC1, please check ADSIedit, ADSite, ADDS that DC1 is gone forever.
Run the Netdiag, DCdiag and nltest commands to check that everything is going well. Last but not least, as a best practice, check the event log of the PDC to see whether everything is OK.
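One way to script the post-decommission checks listed in this answer (DC1 gone from ADSI Edit, Sites and Services and AD DS, and the Cert Publishers check mentioned further down the thread). This is an added example, not code from the thread; it assumes the ActiveDirectory module on the Windows Server 2008 R2 DC and uses the name DC1 from the question.

```powershell
# Added example: run on DC3 after DC1 has been demoted and removed, to confirm
# nothing of DC1 survives in AD and that the Cert Publishers group is empty.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT / AD DS tools).
# Read-only: the script changes nothing.
Import-Module ActiveDirectory

$oldDc    = 'DC1'                                         # name from the question
$domainDn = (Get-ADDomain).DistinguishedName
$configDn = (Get-ADRootDSE).configurationNamingContext
$problems = @()

# 1. The computer account must be gone from the domain partition.
$computer = Get-ADObject -Filter "objectClass -eq 'computer' -and name -eq '$oldDc'" `
                         -SearchBase $domainDn
if ($computer) { $problems += "computer object still exists: $($computer.DistinguishedName)" }

# 2. The server object and its NTDS Settings must be gone from Sites and Services
#    (this is the part normally eyeballed in ADSI Edit under CN=Sites).
$siteLeftovers = Get-ADObject -Filter "name -eq '$oldDc'" -SearchBase "CN=Sites,$configDn"
foreach ($o in $siteLeftovers) { $problems += "site object still exists: $($o.DistinguishedName)" }

# 3. DC1 must no longer be advertised as a domain controller.
$stillDc = Get-ADDomainController -Filter "Name -eq '$oldDc'" -ErrorAction SilentlyContinue
if ($stillDc) { $problems += "$oldDc is still listed as a domain controller" }

# 4. Cert Publishers should be empty once the old CA (and its host) are gone;
#    the new CA's computer account is added back when AD CS is installed.
foreach ($m in (Get-ADGroupMember -Identity 'Cert Publishers')) {
    $problems += "Cert Publishers still contains: $($m.name)"
}

if ($problems.Count -eq 0) {
    Write-Host "No trace of $oldDc found in AD; Cert Publishers is empty."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}

# Finally the built-in health checks this answer recommends.
$dnsRoot = (Get-ADDomain).DNSRoot
dcdiag /q
nltest "/dclist:$dnsRoot"
```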

OgilvieIT (Author) commented:
Thanks very much both CERTExpert and Raihan for your comments!

Yes, all DCs are also DNS servers and GCs.

From your comments, it looks like I am pretty much good to go.  However, just to clarify, I have listed 3 points below which I am hoping someone would comment on.

1) In essence then, from the information given in my original question, it is completely safe to remove the existing Enterprise CA (no existing PKI in domain) and then demote and remove the DC from the domain - and then proceed to set up a brand new Enterprise CA on a new server with a new name, i.e. not a migration of the CA with all its data from the old one to the new one?

2) In the last section of KB889250 (copied in below), the procedures for removing the certificates from the DCs are listed.  However, only the steps for removing certificate objects from Windows 2000 and 2003 DCs are given.  In our case we also have a Windows 2008 R2 DC.  Does anyone know the steps for removing the objects from a Windows 2008 DC?

3) Also, final one, how do I determine if a DC certificate is based on version 1 DC Templates (as the procedure given in KB cannot be used for removing these apparently - as per section below) - and if it was, how would I remove that type of certificate?  

All help and clarifications are most appreciated!



*** Procedure from KB 889250 for removing DC CA objects from DCs - last section***

Step 9: Clean up domain controllers
After the CA is uninstalled, the certificates that were issued to domain controllers must be removed.

To remove certificates that were issued to the Windows Server 2000 domain controllers, use the Dsstore.exe utility from the Microsoft Windows 2000 Resource Kit.

To remove certificates that have been issued to the Windows Server 2000 domain controllers, follow these steps:
- Click Start, click Run, type cmd, and then press ENTER.
- On a domain controller, type dsstore -dcmon at the command prompt, and then press ENTER.
- Type 3, and then press ENTER. This action deletes all certificates on all domain controllers.

Note: The Dsstore.exe utility will try to validate domain controller certificates that are issued to each domain controller. Certificates that do not validate are removed from their respective domain controller.

To remove certificates that were issued to the Windows Server 2003 domain controllers, follow these steps.

Important: Do not use this procedure if you are using certificates that are based on version 1 domain controller templates.
- Click Start, click Run, type cmd, and then press ENTER.
- At the command prompt on a domain controller, type certutil -dcinfo deleteBad.
- Certutil.exe tries to validate all the DC certificates that are issued to the domain controllers. Certificates that do not validate are removed.

To force application of the security policy, follow these steps:
- Click Start, click Run, type cmd in the Open box, and then press ENTER.
- At a command prompt, type the appropriate command for the corresponding version of the operating system, and then press ENTER:
  - For Windows Server 2000: secedit /refreshpolicy machine_policy /enforce
  - For Windows Server 2003: gpupdate /force

1) It would be safe. But make sure you back up the complete CA, i.e. the private key and the CA database, in a safe location. Run dcpromo to remove DC1. Verify in AD that nobody is a member of the Cert Publishers group.
2) The certutil command is still valid for Win2k8, so it will work for Win2k8.
3) Version 1 >> introduced in Win2000; Version 2 >> introduced in Win2k3; Version 3 >> introduced in Win2k8.
Version 1 and Version 2 are both available in Win2k8 and Win2k8 R2.
Make sure you install Win2k8 Enterprise edition; version 2 does support Standard edition.
How do you know your version? The answer is in your migration history.

Worth looking
You can view the certificate as well and check the template name from the Details tab -> Certificate Attribute. It should show you the certificate template name (it might show you the OID if we don't have the friendly name).

The Domain Controller template is version 1 and Domain Controller Authentication template is a version 2 template.
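The same check done from the command line, for every certificate in a DC's machine Personal store, so question 3 above can be answered on all three DCs without clicking through each certificate. This is an added example, not code from the thread; it relies only on the two standard template extensions named in the comments and on the local certificate store.

```powershell
# Added example: report which template each certificate in the local machine
# Personal store was issued from, and whether its chain still validates.
# A v1 template (e.g. "DomainController") is recorded in the Certificate Template
# Name extension 1.3.6.1.4.1.311.20.2 as a plain name; v2 and later templates
# (e.g. "Domain Controller Authentication") use the Certificate Template
# Information extension 1.3.6.1.4.1.311.21.7 (template OID + version numbers).
# Run in an elevated PowerShell on each DC; read-only, changes nothing.

$templateNameOid = '1.3.6.1.4.1.311.20.2'   # v1  "Certificate Template Name"
$templateInfoOid = '1.3.6.1.4.1.311.21.7'   # v2+ "Certificate Template Information"

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $v1 = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateNameOid }
    $v2 = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateInfoOid }

    # Format($false) decodes the ASN.1 payload into readable text, e.g.
    # "Template=<name or OID>, Major Version Number=..., Minor Version Number=..."
    $template = if ($v2) {
        'v2 or later: ' + $v2.Format($false)
    } elseif ($v1) {
        'v1: ' + $v1.Format($false)
    } else {
        'none (not issued from a template)'
    }

    # Verify() builds and validates the chain; certificates that fail here are
    # the ones "certutil -dcinfo deleteBad" would remove once the old CA is gone.
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Template   = $template
        ChainValid = $cert.Verify()
    }
} | Format-List
```

A DC certificate that reports "v1: DomainController" is the case the KB article's Important note refers to; one that reports the v2 template "Domain Controller Authentication" can be handled with certutil -dcinfo deleteBad.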
OgilvieIT (Author) commented:
Thank you both for your additional comments to my questions!

Just want to clarify - given that there is no existing or planned PKI for this domain, is it strictly necessary to use Windows 2008 Enterprise edition? They really only want an Enterprise CA in place in their domain but I believe that there are no plans for PKI. Would a Windows Server 2008 Standard edition not suffice for this purpose?

Kind regards,

You can only use features like Autoenrollment, which let you deploy certificates to workstations/users, with an Enterprise CA installed on an Enterprise OS.

If there are no plans to use such features, then a Standard OS would do. Even with an Enterprise CA installed on a Standard OS, it would still use ACRS and issue certificates to the Domain Controllers automatically.
OgilvieIT (Author) commented:
Thanks again CERTexpert for your clarification. I will keep this question open a bit longer before closing and awarding points, as I may have to ask for another one or two clarifications before doing so.


Correcting my previous comment:

You cannot only use features like Autoenrollment, which let you deploy certificates to workstations/users, with an Enterprise CA installed on an Enterprise OS.

If there are no plans to use such features, then a Standard OS would do. Even with an Enterprise CA installed on a Standard OS, it would still use ACRS and issue certificates to the Domain Controllers automatically.

Sure, OgilvieIT, feel free to ask more questions on this.

Oops, please ignore my latest comment, I thought there was another question... :)
OgilvieIT (Author) commented:
Points awarded - thanks very much to both of you for your comments!