CA move from Windows Server 2003 to 2008R2

Hi,

We currently have one Enterprise CA running on Windows Server 2003. This server also is a DC/GC.

I would like to move this CA from the 2003 server onto a new 2008R2 box.

The new machine already is a DC/GC and is also a DNS server. The server is also a Windows Server 2008R2 Datacenter machine.

Both machines are currently running and both have different machine names and IP addresses.

What is the best way to move the CA?
Contigo1Asked:

Adam BrownSr Solutions ArchitectCommented:
There's a full migration guide available here: http://technet.microsoft.com/en-us/library/ee126170%28v=ws.10%29.aspx
0
Contigo1Author Commented:
Hi,

I read that both machines need to have the same name, otherwise the CA will be corrupted when it is moved. Is this true?
0
Adam BrownSr Solutions ArchitectCommented:
It'll cause some issues, yes. So you need to back up all the CA information on the old server, remove that server from the domain, join the new server to the domain, then restore data. Since your new server is already on the domain, that does present some issues. Theoretically, you could remove the old server and CA infrastructure from the domain and then install Certificate Services on the other server without too much issue. It would, however, require you to re-issue all of your certificates.
0
Adam BrownSr Solutions ArchitectCommented:
For information, the reason the old and new servers need to have the same name is because the new server will effectively take ownership of the old server's Root CA Certificate. The validity of that certificate and all certificates created by the new server rely on the computer name, so in order for all the existing certificates to remain valid you have to have the same name on the old and new servers.
0
Contigo1Author Commented:
As both servers have different names does this now mean I will have to rename the new one to be the same name as the old server?

Or will I just have to re-issue all of the certificates again?
0
snusgubbenCommented:
Yes, it's true. The destination server needs to have the same name as the server you are migrating from.

It's not recommended to place the CS role on a DC. The AD CS role will become dependent on the AD DS role. It will work, but if you would like to demote a DC, you can't as long as it is a CA.
0
Adam BrownSr Solutions ArchitectCommented:
It depends on how you want to change things. If you change the server's name, you'll have to do some work in DNS to correct the changed Domain Controller name. There's a lot of work associated with changing the name of a Domain Controller. If you have another DC and this is a secondary, you can just demote the server, rename it, install CS, then promote it back to DC if you need that server to be a DC. If it's the only DC you have, you're going to run into a lot of problems renaming it. As was mentioned, there are also issues with having CS on a DC. If you have additional hardware or can build a VM (very possible and I think free when you have a Datacenter edition of Windows and Hyper-V) the migration is much easier.

If you don't mind re-issuing all of your certs, you can remove the old CA and just build a new CA on whatever server you want.
0
Contigo1Author Commented:
The company is quite small and we don't have that many certificates, so I will probably just install AD CS onto another server on the domain and then re-issue certificates on the new CA.
0
Contigo1Author Commented:
Hi,

Should I remove the old CA before installing another Root CA into the domain?

Also, do I need to change any settings for the machines in the domain to use the new CA, or will they automatically pick it up?
0
Adam BrownSr Solutions ArchitectCommented:
http://support.microsoft.com/kb/889250 has info on decommissioning a Root CA. You'll want to decommission the old one before bringing the new one online.
0
Leon FesterSenior Solutions ArchitectCommented:
I disagree with the statement about CA moves and the need to keep the same machine name.

Important:
When migrating a CA, the computer name of the target computer can differ from the computer name of the source computer, but the CA name must stay the same.

Note:
By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions that include the CA computer host name in the path. This means any certificates issued by the CA before migration may contain certificate validation paths that contain the old host name. These paths may no longer be valid after the migration. To avoid revocation checking errors, the new CA must be configured to publish CRLs to the old (pre-migration) path as well as the new paths.

You can find it under the section "Migrate the CA to a New Host"
http://technet.microsoft.com/en-us/library/cc742388(v=ws.10).aspx

Full article starts here:
http://technet.microsoft.com/en-us/library/cc742515(v=ws.10).aspx
0
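The CRL publication paths quoted above live in the CA's CRLPublicationURLs registry value, and the defaults really do embed the host name (%1 / %2). The following is an added example, not code from the thread or from Microsoft's migration guide: run elevated on the new CA, it lists the current entries and adds publish-only entries for the old host's paths so that certificates issued before the move still find a fresh CRL. "OLDCA" is a placeholder for the old host's short name, and the old host (or a DNS alias pointing at a web server) is assumed to still expose the CertEnroll share.

```powershell
# Added example (not from the thread). OLDCA is a placeholder for the old CA host.
$ErrorActionPreference = 'Stop'
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active        # active CA common name
$caKey  = Join-Path $cfg $caName
$urls   = @((Get-ItemProperty -Path $caKey -Name CRLPublicationURLs).CRLPublicationURLs)

# Each entry is "<flags>:<url>". Flag bits: 1 = CA publishes the CRL to this
# location, 2 = URL goes into the CDP extension of new certificates,
# 4 = URL goes into the IDP extension of CRLs, 8 = URL goes into delta-CRL CDPs.
# Tokens: %2 = server short name, %3 = CA name, %6 = config DN, %7 = sanitized
# CA name, %8 = CRL name suffix, %9 = delta CRL suffix, %10 = CDP object class.
# The default entries contain %1/%2, i.e. the HOST name, which is what breaks
# revocation checking for old certificates after a move to a new host.
Write-Host "Current CRL publication entries for '$caName':"
$urls | ForEach-Object { Write-Host "  $_" }

# Publish-only entries (flag 1) with the OLD host name hard-coded. Because bits
# 2/4/8 are clear, the old name is never written into newly issued certificates.
$oldHost = 'OLDCA'
$legacy  = @(
    "1:\\$oldHost\CertEnroll\%3%8%9.crl",
    "1:ldap:///CN=%7%8,CN=$oldHost,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
)
$merged = $urls + @($legacy | Where-Object { $urls -notcontains $_ })
Set-ItemProperty -Path $caKey -Name CRLPublicationURLs -Value $merged -Type MultiString

# The CA reads the value at start-up; restart it, publish a CRL to every
# location and print the resulting configuration for review.
Restart-Service certsvc
& certutil.exe -crl
& certutil.exe -getreg CA\CRLPublicationURLs
```

The CA service account needs write access to the old CertEnroll share and to the old CN=OLDCA CDP container in AD for the publish step to succeed; `certutil -crl` reports any location it could not write.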
Contigo1Author Commented:
Hi,

As we don't have many certificates on our existing CA, we have decided to remove the old one and then install AD CS on the new server.

On the old server before I remove AD CS should I revoke all of the Certificates on it so that everything will be forced to pickup new Certificates from the new CA?
0
Leon FesterSenior Solutions ArchitectCommented:
Yes, you would revoke all the certificates; there are actually a couple of actions that need to be completed during the removal.
http://support.microsoft.com/kb/889250

Previously answered question about a crashed CA:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_27626720.html
0
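The revocation step agreed on above is easy to get wrong by hand when the CA database holds more than a handful of certificates. This is an added example, not code from the thread or from the KB article it cites: run elevated on the old CA before AD CS is removed, it revokes every issued certificate with reason CessationOfOperation, denies anything still pending, and publishes a long-lived final CRL so clients keep getting a valid "all revoked" answer after the old CA is gone. Disposition codes (20 = issued, 9 = pending) and reason code 5 are standard AD CS / RFC 5280 values.

```powershell
# Added example (not from the thread). Run elevated on the OLD CA.
$ErrorActionPreference = 'Stop'

# certutil csv output has a header row plus a trailing status line; we supply
# our own column names and keep only rows whose request ID is numeric.
function Get-CaRequests([string]$Disposition, [string]$Columns, [string[]]$Header) {
    & certutil.exe -view -restrict "Disposition=$Disposition" -out $Columns csv |
        ConvertFrom-Csv -Header $Header |
        Where-Object { $_.RequestId -match '^\d+$' }
}

# 1. Every issued certificate (Disposition 20) as RequestID + hex serial number.
$issued = @(Get-CaRequests -Disposition 20 -Columns 'RequestID,SerialNumber' -Header 'RequestId','Serial')
Write-Host "Issued certificates to revoke: $($issued.Count)"

# 2. Revoke each one. Reason 5 = CessationOfOperation (the CA is being retired).
foreach ($c in $issued) {
    & certutil.exe -revoke $c.Serial 5 | Out-Null
    Write-Host "Revoked RequestID $($c.RequestId) serial $($c.Serial)"
}

# 3. Deny anything still pending (Disposition 9) so nothing is issued later.
$pending = @(Get-CaRequests -Disposition 9 -Columns 'RequestID' -Header 'RequestId')
foreach ($p in $pending) { & certutil.exe -deny $p.RequestId | Out-Null }
Write-Host "Pending requests denied: $($pending.Count)"

# 4. Stretch the CRL lifetime so the final CRL outlives every revoked
#    certificate, restart the service so the new period applies, and publish.
& certutil.exe -setreg CA\CRLPeriodUnits 99
& certutil.exe -setreg CA\CRLPeriod 'Years'
Restart-Service certsvc
& certutil.exe -crl

# 5. Sanity check: revoked rows (Disposition 21) should now equal the count above.
$revoked = @(Get-CaRequests -Disposition 21 -Columns 'RequestID' -Header 'RequestId')
Write-Host "Revoked rows in CA database: $($revoked.Count)"
```

Copy the final CRL to the locations the old certificates point at (the old CertEnroll share and the old LDAP CDP container) before uninstalling the role; once AD CS is gone the CA can no longer publish it for you.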