Solved

CA move from Windows Server 2003 to 2008R2

Posted on 2012-03-14
13
929 Views
Last Modified: 2012-03-21
Hi,

We currently have one Enterprise CA running on Windows Server 2003. This server also is a DC/GC.

I would like to move this CA from the 2003 server onto a new 2008R2 box.

The new machine already is a DC/GC and is also a DNS server. The server is also a Windows Server 2008R2 Datacenter machine.

Both machines are currently running and both have different machine names and IP addresses.

What is the best way to move the CA?
0
13 Comments
 
LVL 41

Expert Comment

by:Adam Brown
ID: 37721013
There's a full migration guide available here: http://technet.microsoft.com/en-us/library/ee126170%28v=ws.10%29.aspx
0
 
LVL 1

Author Comment

by:Contigo1
ID: 37721032
Hi,

I read that both machines need to have the same name, otherwise the CA will be corrupted when it is moved. Is this true?
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 37721085
It'll cause some issues, yes. So you need to back up all the CA information on the old server, remove that server from the domain, join the new server to the domain, then restore data. Since your new server is already on the domain, that does present some issues. Theoretically, you could remove the old server and CA infrastructure from the domain and then install Certificate Services on the other server without too much issue. It would, however, require you to re-issue all of your certificates.
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 37721099
For information, the reason the old and new servers need to have the same name is because the new server will effectively take ownership of the old server's Root CA Certificate. The validity of that certificate and all certificates created by the new server rely on the computer name, so in order for all the existing certificates to remain valid you have to have the same name on the old and new servers.
0
 
LVL 1

Author Comment

by:Contigo1
ID: 37721114
As both servers have different names does this now mean I will have to rename the new one to be the same name as the old server?

Or will I just have to re-issue all of the certificates again?
0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 125 total points
ID: 37721118
Yes, it's true. The destination server needs to have the same name as the server you are migrating from.

It's not recommended to place the CS role on a DC. The ADCS role will become dependent on the ADDS role. It will work, but if you would like to demote a DC, you can't as long as it is a CA.
0
 
LVL 41

Accepted Solution

by:Adam Brown
Adam Brown earned 250 total points
ID: 37721156
It depends on how you want to change things. If you change the server's name, you'll have to do some work in DNS to correct the changed Domain Controller name. There's a lot of work associated with changing the name of a Domain Controller. If you have another DC and this is a secondary, you can just demote the server, rename it, install CS, then promote it back to DC if you need that server to be a DC. If it's the only DC you have, you're going to run into a lot of problems renaming it. As was mentioned, there are also issues with having CS on a DC. If you have additional hardware or can build a VM (very possible and I think free when you have a Datacenter edition of Windows and Hyper-V) the migration is much easier.

If you don't mind re-issuing all of your certs, you can remove the old CA and just build a new CA on whatever server you want.
0
 
LVL 1

Author Comment

by:Contigo1
ID: 37721199
The company is quite small and we don't have that many certificates, so I will probably just install AD CS onto another server on the domain and then re-issue certificates on the new CA.
0
 
LVL 1

Author Comment

by:Contigo1
ID: 37721428
Hi,

Should I remove the old CA before installing another Root CA into the domain?

Also, do I need to change any settings for the machines in the domain to use the new CA, or will they automatically pick it up?
0
 
LVL 41

Assisted Solution

by:Adam Brown
Adam Brown earned 250 total points
ID: 37721438
http://support.microsoft.com/kb/889250 has info on decommissioning a Root CA. You'll want to decommission the old one before bringing the new one online.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 37724449
I disagree with the statement about CA moves and the need to keep the same machine name.

Important
When migrating a CA, the computer name of the target computer can differ from the computer name of the source computer, but the CA name must stay the same.

Note
By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions that include the CA computer host name in the path. This means any certificates issued by the CA before migration may contain certificate validation paths that contain the old host name. These paths may no longer be valid after the migration. To avoid revocation checking errors, the new CA must be configured to publish CRLs to the old (pre-migration) path as well as the new paths.

You can find it under the section "Migrate the CA to a New Host"
http://technet.microsoft.com/en-us/library/cc742388(v=ws.10).aspx

Full article starts here:
http://technet.microsoft.com/en-us/library/cc742515(v=ws.10).aspx
0
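The TechNet note quoted above is the practical risk of moving a CA to a differently named host: certificates issued before the move still carry CRL Distribution Point (CDP) URLs that name the old server, and revocation checking on them fails once that path stops being published. The following PowerShell is an added example (not from the thread or from Microsoft's documentation) that inventories the local machine's certificate stores for certificates whose CDP extension still references the old host name; `$OldCaHost` is an assumed placeholder for the 2003 server's name.

```powershell
# Added example: find certificates whose CRL Distribution Point (CDP) extension
# still points at the old CA host, so you know which ones depend on the
# pre-migration CRL path (or need re-issuing from the new CA).
param(
    # Assumed placeholder; replace with the old Windows Server 2003 CA's host name.
    [string]$OldCaHost = 'OLD-CA-SERVER'
)

$cdpOid = '2.5.29.31'   # id-ce-cRLDistributionPoints
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA'

foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        # The CDP extension is optional; skip certificates that do not carry one.
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }
        if (-not $ext) { return }

        # AsnEncodedData.Format($true) renders the extension as multi-line text
        # containing one "URL=..." entry per distribution point.
        $text = $ext.Format($true)
        $urls = [regex]::Matches($text, '(?i)\b(https?|ldap|file)://\S+') |
                ForEach-Object { $_.Value }

        foreach ($url in $urls) {
            if ($url -match [regex]::Escape($OldCaHost)) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    StaleCdp   = $url
                }
            }
        }
    }
}

# On the new CA itself, the publication paths it writes CRLs to can be listed with:
#   certutil -getreg CA\CRLPublicationURLs
# If any certificate above is still in use, the old host's path must remain
# published there until those certificates expire or are re-issued.
```

Run it on each machine that received certificates from the old CA; an empty result means nothing on that host still depends on the old CRL path.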
 
LVL 1

Author Comment

by:Contigo1
ID: 37724732
Hi,

As we don't have many certificates on our existing CA, we have decided to remove the old one and then install AD CS on the new server.

On the old server before I remove AD CS should I revoke all of the Certificates on it so that everything will be forced to pickup new Certificates from the new CA?
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 125 total points
ID: 37724850
Yes, you would revoke all the certificates; there are actually a couple of actions that need to be completed during the removal.
http://support.microsoft.com/kb/889250

Previously answered question about a crashed CA:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_27626720.html
0