CA move from Windows Server 2003 to 2008R2

There's a full migration guide available here: http://technet.microsoft.com/en-us/library/ee126170%28v=ws.10%29.aspx

Hi,

I read that you both machines need to have the same name otherwise the CA will be corrupted when it is moved is this true?

It'll cause some issues, yes. So you need to back up all the CA information on the old server, remove that server from the domain, join the new server to the domain, then restore data. Since your new server is already on the domain, that does present some issues. Theoretically, you could remove the old server and CA infrastructure from the domain and then install Certificate Services on the other server without too much issue. It would, however, require you to re-issue all of your certificates.

For information, the reason the old and new servers need to have the same name is because the new server will effectively take ownership of the old server's Root CA Certificate. The validity of that certificate and all certificates created by the new server rely on the computer name, so in order for all the existing certificates to remain valid you have the have the same name on the old and new servers.

As both servers have different names does this now mean I will have to rename the new one to be the same name as the old server?

Or will I just have to re-issue all of the certificates again?

The Company is quite small and we dont have that many Certificates so I will proberly just install the AD CS onto another Server on the Domain and then re-issueing Certificates on the new CA.

Hi,

Should I remove the old Ca before installing another Root Ca into the Domain?

Also do I need to change any settings for the machines in the domain to use the new CA or will the auto pick them up?

I disagree with the statement about CA moves and the need to keep the same machine name.

Important  
When migrating a CA, the computer name of the target computer can differ from the computer name of the source computer, but the CA name must stay the same.
 
Note  
By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions that include the CA computer host name in the path. This means any certificates issued by the CA before migration may contain certificate validation paths that contain the old host name. These paths may no longer be valid after the migration. To avoid revocation checking errors, the new CA must be configured to publish CRLs to the old (pre-migration) path as well as the new paths.  

You can find it under the section "Migrate the CA to a New Host"
http://technet.microsoft.com/en-us/library/cc742388(v=ws.10).aspx

Full article starts here:
http://technet.microsoft.com/en-us/library/cc742515(v=ws.10).aspx

Hi,

As we dont have many Certificates on our Existing CA we have decided to remove the old one and then install AD CS on the new server.

On the old server before I remove AD CS should I revoke all of the Certificates on it so that everything will be forced to pickup new Certificates from the new CA?