barrykeel

Moving Win 2003 Certificate Authority to Another Server

I currently have an enterprise root CA running under Win 2003 Standard. I know this is not the best scenario, but when I acquired the server for administration it was a DC with the CA and Exchange. We removed the DC a couple of years ago and that left the CA and Exchange. I need to move the CA and upgrade it to 2003 Enterprise Server. That would give a standalone CA and a standalone Exchange server.

I have read that the CA can be moved to a new server with the same name or with a different name. However, what I have found says the CA name must stay the same. Well, the CA has the same name as the Exchange server name since they were on the same box. I need to keep the Exchange name. I am not so sure it would be a good idea if the CA were moved to a new server with a different name yet kept the same name as the Exchange server.

I have also read that a CA could be decommissioned and removed from the network. The root CA cert expires in 2 months and there will be no outstanding certificates. So with the expiration coming up, couldn't I pull the CA and decommission it? Completely remove it from the organization and then set up a new CA with a different name on the new server?

Also, I am lacking a physical server to load the CA on, but I do have a virtual environment that I could install the CA on. This environment is at a remote site under a different subnet. It is part of the domain, as there are two DCs at that site and they are connected through AD Sites and Services. We have a dedicated private site-to-site 10meg fibre connection. Ideally I would like to have it at my main site, but if not, would this cause any issues? I am thinking it shouldn't.
praveenkumare_sp

No, this shouldn't cause any issue.
barrykeel

ASKER

What part are you talking about: the decommission and reinstall, or the location at the remote site, or both shouldn't be an issue?
As you have mentioned there are no outstanding certificates from the CA, you can go ahead and decommission the old CA and set up a new CA.
When I say outstanding, I mean there will be no outstanding after they have been revoked. All certs will be up for renewal in a couple of months, but my plans are to decommission some time before the expiration date. I followed the KB article 889250 in a test environment and that seemed to work OK. I would revoke the certs before I decommissioned and uninstalled per the article. Also do the AD cleanup.
ASKER CERTIFIED SOLUTION
praveenkumare_sp