MOITExperts
asked on
2000 to 2008 R2 Certificate Authority Migration - Needs a CA Expert
inf02 = 2000 CA
inf03 = 2008 R2 CA
Behavior:
I have a 2008 R2 AD at that level. I understand that there is no migration path from 2000 to 2008 R2 because it would be a 32 to 64 bit change. A 2008 R2 CA has been installed alongside a 2000 CA. The goal is to direct new clients to the new 2008 R2 CA through manual and autoenrollment, and then decommission the 2000 CA.
On inf03 in Server Manager\AD Certificate Services\Enterprise PKI I see inf02 (v3.0) and the new CA is listed as inf03 (v0.0). In AD Sites and Services\Services\Public Key Services, I see both CAs listed under AIA and CDP. My certificate templates appear to show updated certificate templates. Certutil.exe -dump shows a certificate for both CAs when run from either the 2000 or 2008 R2 CA command prompt.
Before I try to move this forward and create an enrollment policy, I wanted to see if there is a CA Expert that has experience with this situation.
Cheers!
Thomas
ASKER
Jrhelgeson,
Thank you for your response.
The current 2000 box that is hosting our Enterprise CA has only 1.6 GB free. I'm not able to do an in place upgrade of 2000 to 2003.
Also, it is our central threat management server. The security admin is not able to move those services to another box and the 2000 instructions state that the source CA must be renamed and removed from the network.
Also the second link you sent states that a 32 to 64 bit upgrade is not possible. In the link below, MS states that 2008 R2 is 64 bit only, there is no OS upgrade path, the CA DB cannot be migrated. Therefore a new CA will need to be created and the 2000 CA decommissioned.
http://support.microsoft.com/kb/2418597
Thanks for the comment!
Thomas
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Why are you going direct from 2000 to 2008 R2?
If you want to keep your certificates, might I suggest that you upgrade your PKI to Server 2003, then from Server 2003 to 2008 R2.
From 2000 CA to 2003 CA
http://support.microsoft.com/kb/298138
From 2003 to 2008
http://technet.microsoft.com/en-us/library/cc742388%28WS.10%29.aspx