OgilvieIT

asked on

Move Enterprise CA from Windows Server 2003 DC to Windows Server 2008 R2 with different name

Hello Experts,

I have done some research but would like to know if my intended procedure for moving the Enterprise CA for the domain from the existing 32-bit Windows Server 2003 Domain Controller to a brand new Windows Server 2008 R2 64-bit member server -  with a different computer name from the DC currently hosting the CA - is going to work.

Existing environment - single Windows 2003 native forest/domain:

DC1: Windows Server 2003 standard edition with Enterprise CA installed (to be decommissioned)
DC2: Windows Server 2003 standard edition + DNS and DHCP
DC3: Windows Server 2008 R2 standard edition + DNS and all FSMO roles

We would like to install a brand new Windows Server 2008 R2 standard edition (member server) into the domain and then relocate the Enterprise CA to this server.  DC1 which currently holds the Enterprise CA role will then be decommissioned and removed from the domain completely.  

The domain does not have a PKI infrastructure in place.  I have examined the existing non-expired certificates contained within the existing Enterprise CA, and they are as follows (from CA MMC - Issued Certificates):

- 3 Domain Controller certificates, 1 for each of the 3 Domain Controllers in the domain
- 2 Basic EFS certificates issued to 2 individual users

There are a few expired Basic EFS certificates issued to other users, but I presume these can be ignored completely.

In Certificate MMC - Personal certificates, there are only 2 certificates listed:

- DC1  (Intended Purpose: All)
- DC1.domain-name.com (Intended Purpose: Client Authentication)

The organisation only really uses certificates for OWA and MAPI RPC over HTTP, and for this purpose a Verisign certificate has been installed into IIS on the BE Exchange server with copies on the FE Exchange server and the ISA server.  As far as I know, removing the existing CA will have no impact on this.

To the best of my knowledge therefore, the situation with regards to existing certificates is as follows - please do let me know if this is not correct:

- No PKI is in place so no certificates will have to be moved to the new server, therefore relocating the CA to the new server will have no impact
- The 3 existing DC certificates do not have to be moved to a new CA as once the new CA is up and running, new certificates will be automatically issued - therefore no impact
- The 2 users who have EFS certificates issued will have to fully decrypt any encrypted data prior to the move of the CA - therefore no impact of changing CA to a new server


Based on above details, the procedure I am planning to follow is:

- On DC1, back up the existing CA, all certificates and the server itself
- On DC1, decommission existing CA and remove all related objects from the server and AD (based on KB889250)
- On DC1, run DCpromo to demote it to a member server
- Decommission DC1 completely and remove from domain
- Install Windows Server 2008 R2 as a member server on new hardware
- Install Enterprise CA on the new 2008 member server


I would very much appreciate it if this could be sanity checked and I would welcome any comments and corrections to the procedure.  There may well be things that I have not thought about or that need further checking.  It is imperative that decommissioning the old CA and installing a brand new CA will not have a negative impact on the domain.

Regards,

BC
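A worked version of the plan above, added here as example code (it is not from the original post, the answers, or Microsoft's KB): a pre-decommission checklist in PowerShell to run on DC1. It assumes PowerShell is installed on the 2003 DC (it is not there by default), that `D:\CABackup` and the backup password are placeholders to change, and that the CA database is queried locally; the certutil calls are the same ones you would type into cmd.exe. The inventory step matters because the plan rests on "no PKI in use": it lists every issued certificate that is still valid and flags any template other than the DC and EFS ones the post mentions.

```powershell
# Added example, not from the original thread. Run elevated on the CA (DC1).
# Assumptions: PowerShell is present on the 2003 DC, $BackupDir and
# $BackupPassword are placeholders, and the CA is queried locally.
param(
    [string]$BackupDir      = 'D:\CABackup',              # assumed path
    [string]$BackupPassword = 'change-me-before-running'   # assumed placeholder
)
$ErrorActionPreference = 'Stop'

# --- 1. Full CA backup: CA cert + private key (PFX) and the certificate database.
#        cmd.exe equivalent:  certutil -p <password> -backup D:\CABackup
if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
certutil -p $BackupPassword -backup $BackupDir
# Keep the CA's registry configuration next to it as well.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
           (Join-Path $BackupDir 'CertSvc-Configuration.reg') /y

# --- 2. Inventory still-valid issued certificates, so "no PKI in use" is checked,
#        not assumed. Disposition 20 = issued. certutil's own header/footer lines
#        are dropped by keeping only rows that start with a numeric request ID.
function Get-ValidIssuedCertificates {
    $rows = certutil -view -restrict 'Disposition=20' `
                -out 'RequestID,RequesterName,CertificateTemplate,NotAfter' csv |
            Where-Object { $_ -match '^"?\d+"?,' } |
            ConvertFrom-Csv -Header 'RequestID','Requester','Template','NotAfter'
    $now = Get-Date
    # Parse with the current culture, which is what certutil printed the dates in.
    $rows | Where-Object { [datetime]::Parse($_.NotAfter) -gt $now }
}

$valid = @(Get-ValidIssuedCertificates)
Write-Host ("Still-valid issued certificates: {0}" -f $valid.Count)
$valid | Group-Object Template | ForEach-Object {
    # The post expects only DC certificates and Basic EFS certificates; anything
    # else means a relying party exists that the plan has not accounted for.
    $note = if ($_.Name -match 'Domain ?Controller|EFS') { '' } else { '   <-- unexpected, investigate' }
    Write-Host ("  {0,3}  {1}{2}" -f $_.Count, $_.Name, $note)
    $_.Group | ForEach-Object { Write-Host ("         {0}  expires {1}" -f $_.Requester, $_.NotAfter) }
}

# --- 3. Cert Publishers membership. After the CA is uninstalled and DC1 demoted
#        nothing should be left here (the accepted answer's check); once the new
#        CA is installed its computer account is the only expected member.
function Get-CertPublishersMembers {
    $dn    = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $group = [ADSI]"LDAP://CN=Cert Publishers,CN=Users,$dn"
    @($group.member | Where-Object { $_ })   # member DNs; empty array when the group is empty
}
$members = Get-CertPublishersMembers
Write-Host ("Cert Publishers members ({0}): {1}" -f $members.Count, ($members -join '; '))
```

Run step 3 again from DC3 after DC1 has been demoted and removed, and once more after the new CA is installed; a leftover DC1$ entry is the kind of stale object KB889250's cleanup is meant to catch.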
ASKER CERTIFIED SOLUTION
CERTExpert

SOLUTION

OgilvieIT

ASKER

Thanks very much both CERTExpert and Raihan for your comments!

Yes, all DCs are also DNS servers and GCs.

From your comments, it looks like I am pretty much good to go.  However, just to clarify, I have listed 3 points below which I am hoping someone would comment on.

1) In essence then, from the information given in my original question, it is completely safe to remove the existing Enterprise CA (no existing PKI in domain) and then demote and remove the DC from the domain - and then proceed to set up a brand new Enterprise CA on a new server with a new name, i.e. not a migration of the CA with all its data from the old one to the new one?

2) In the last section of KB889250 (copied in below), the procedures for removing the certificates from the DCs are listed.  However, only the steps for removing certificate objects from Windows 2000 and 2003 DCs are given.  In our case we also have a Windows 2008 R2 DC.  Does anyone know the steps for removing the objects from a Windows 2008 DC?

3) Also, final one, how do I determine if a DC certificate is based on version 1 DC Templates (as the procedure given in KB cannot be used for removing these apparently - as per section below) - and if it was, how would I remove that type of certificate?  

All help and clarifications are most appreciated!!

Regards,

BC

*** Procedure from KB 889250 for removing DC CA objects from DCs - last section***

Step 9: Clean up domain controllers
After the CA is uninstalled, the certificates that were issued to domain controllers must be removed.

To remove certificates that were issued to the Windows Server 2000 domain controllers, use the Dsstore.exe utility from the Microsoft Windows 2000 Resource Kit.

To remove certificates that have been issued to the Windows Server 2000 domain controllers, follow these steps:
Click Start, click Run, type cmd, and then press ENTER.
On a domain controller, type dsstore -dcmon at the command prompt, and then press ENTER.
Type 3, and then press ENTER. This action deletes all certificates on all domain controllers.

Note The Dsstore.exe utility will try to validate domain controller certificates that are issued to each domain controller. Certificates that do not validate are removed from their respective domain controller.
To remove certificates that were issued to the Windows Server 2003 domain controllers, follow these steps.

Important Do not use this procedure if you are using certificates that are based on version 1 domain controller templates.
Click Start, click Run, type cmd, and then press ENTER.
At the command prompt on a domain controller, type certutil -dcinfo deleteBad.
Certutil.exe tries to validate all the DC certificates that are issued to the domain controllers. Certificates that do not validate are removed.

To force application of the security policy, follow these steps:
Click Start, click Run, type cmd in the Open box, and then press ENTER.
At a command prompt, type the appropriate command for the corresponding version of the operating system, and then press ENTER:
For Windows Server 2000: secedit /refreshpolicy machine_policy /enforce
For Windows Server 2003: gpupdate /force
1) Would be safe. But make sure you back up the complete CA, i.e. private key and CA database, in a safe location. Run dcpromo to remove DC1. Verify in AD that nobody is a member of the Cert Publishers group.
2) The certutil command is still valid for Win2k8, so it will work on Win2k8.
3) Version 1: introduced on Win2000; Version 2: introduced on Win2k3; Version 3: introduced on Win2k8.
Version 1 and version 2 are both available in Win2k8 and Win2k8 R2.
Make sure you install Win2k8 Enterprise edition; version 2 does support Standard edition.
How do you know your version? The answer is from your migration history.

Worth looking at http://support.microsoft.com/kb/2418597
http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx
Troubleshooting http://technet.microsoft.com/en-us/library/cc731429.aspx
You can view the certificate as well and check the template name from the Details tab -> Certificate Attribute. It should show you the certificate template name (it might show you the OID if the friendly name is not available).

The Domain Controller template is version 1 and Domain Controller Authentication template is a version 2 template.
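The two answers above cover questions 2 and 3 (the certutil step applies unchanged on 2008 R2; v1 versus v2 is visible in the certificate's template attribute). Added here as example code, not from the thread or the KB, is a PowerShell script that does that inspection on a DC instead of by hand: it reads each certificate in the computer's Personal store, tells a version 1 template certificate (the "Certificate Template Name" extension, OID 1.3.6.1.4.1.311.20.2) from a version 2 or later one (the "Certificate Template Information" extension, OID 1.3.6.1.4.1.311.21.7), checks whether the chain still builds (the same test `certutil -dcinfo deleteBad` applies), and, only when asked with `-RemoveStale`, removes stale v1 template certificates by thumbprint and then runs the KB's two commands. It assumes the default PowerShell 2.0 on 2008 R2, which is why removal goes through the .NET X509Store API rather than `Remove-Item`, and that it is run after the old CA has been uninstalled, as KB889250's step 9 requires.

```powershell
# Added example, not from the original thread or the KB. Run elevated on each DC
# (including the 2008 R2 one), after the old CA has been uninstalled.
# Assumption: PowerShell 2.0 (2008 R2 default), so certificate removal uses the
# .NET X509Store API. Without -RemoveStale the script only reports.
param([switch]$RemoveStale)

function Get-DCCertificateTemplateInfo {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # computer's Personal store

    Get-ChildItem $StorePath | ForEach-Object {
        $cert = $_
        # v1 templates carry "Certificate Template Name" (1.3.6.1.4.1.311.20.2);
        # v2 and later carry "Certificate Template Information" (1.3.6.1.4.1.311.21.7).
        $v1 = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' } | Select-Object -First 1
        $v2 = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } | Select-Object -First 1

        if ($v2) {
            $version  = 2     # 2 or higher; Format() shows template OID and major/minor version
            $template = ($v2.Format($false) -replace '\s+', ' ').Trim()
        } elseif ($v1) {
            # The v1 value is a DER BMPString: tag 0x1E, one length byte, UTF-16BE text.
            $raw      = $v1.RawData
            $version  = 1
            $template = [System.Text.Encoding]::BigEndianUnicode.GetString($raw, 2, $raw[1])
        } else {
            $version  = 0     # not enrolled from a template (e.g. a purchased web cert)
            $template = '(none)'
        }

        New-Object PSObject -Property @{
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
            TemplateVersion = $version
            Template        = $template
            # The test deleteBad makes: a certificate whose chain no longer builds
            # (its issuing CA is gone) fails validation and is removed.
            ChainBuilds     = $cert.Verify()
        }
    }
}

# Manual removal for the case the KB excludes from deleteBad (version 1 template
# certificates): delete by thumbprint from the computer's Personal store.
function Remove-CertificateByThumbprint {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    $found = $store.Certificates.Find('FindByThumbprint', $Thumbprint, $false)
    foreach ($c in $found) { $store.Remove($c) }
    $store.Close()
    return $found.Count     # number of certificates removed
}

# Report first; decide afterwards.
$info = @(Get-DCCertificateTemplateInfo)
$info | Format-Table Subject, TemplateVersion, Template, ChainBuilds, NotAfter -AutoSize

$staleV1 = @($info | Where-Object { $_.TemplateVersion -eq 1 -and -not $_.ChainBuilds })
Write-Host ("Version 1 template certificates that no longer chain: {0}" -f $staleV1.Count)

if ($RemoveStale) {
    # v1 certificates by hand (deleteBad must not be used while they are present) ...
    $staleV1 | ForEach-Object {
        Write-Host ("Removing v1 template certificate {0} ({1})" -f $_.Thumbprint, $_.Subject)
        Remove-CertificateByThumbprint -Thumbprint $_.Thumbprint | Out-Null
    }
    # ... then the same two commands the KB gives for 2003 DCs, unchanged on 2008 R2.
    certutil -dcinfo deleteBad
    gpupdate /force
}
```

`Verify()` performs revocation checking, so a certificate whose CRL cannot be fetched also reports `ChainBuilds = False`; read the report before passing `-RemoveStale`, which is why the removal is opt-in. With the new CA in place and the DC computers able to reach it, the next autoenrollment cycle replaces what was removed.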
Thank you both for your additional comments to my questions!

Just want to clarify - given that there is no existing or planned PKI for this domain, is it strictly necessary to use Windows 2008 Enterprise edition?  They really only want an Enterprise CA in place in their domain but I believe that there are no plans for PKI.  Would a Windows Server 2008 Standard edition not suffice for this purpose?

Kind regards,

BC
You can only use features like autoenrollment, which let you deploy certificates to workstations/users, with an Enterprise CA installed on an Enterprise OS.

If there are no plans to use such features, then a Standard OS would do. Even with an Enterprise CA installed on a Standard OS, it would still use ACRS and issue certificates to the domain controllers automatically.
Thanks again CERTexpert for your clarification.  I will keep this question open a bit longer before closing and awarding points as I may have to ask for another one or two clarifications before doing so.

Regards,

BC
Correcting my previous comment:

You cannot only use features like autoenrollment, which let you deploy certificates to workstations/users, with an Enterprise CA installed on an Enterprise OS.

If there are no plans to use such features, then a Standard OS would do. Even with an Enterprise CA installed on a Standard OS, it would still use ACRS and issue certificates to the domain controllers automatically.

Sure, OgilvieIT, feel free to ask more questions on this.

Thanks
Oops, please ignore my latest comment, I thought there was another question... :)
Points awarded - thanks very much to both of you for your comments!