Contigo1 asked:
CA move from Windows Server 2003 to 2008R2

Hi,

We currently have one Enterprise CA running on Windows Server 2003. This server also is a DC/GC.

I would like to move this CA from the 2003 server onto a new 2008R2 box.

The new machine already is a DC/GC and is also a DNS server. The server is also a Windows Server 2008R2 Datacenter machine.

Both machines are currently running and both have different machine names and IP addresses.

What is the best way to move the CA?
Adam Brown:

There's a full migration guide available here: http://technet.microsoft.com/en-us/library/ee126170%28v=ws.10%29.aspx
Contigo1 (asker):

Hi,

I read that both machines need to have the same name, otherwise the CA will be corrupted when it is moved. Is this true?

It'll cause some issues, yes. So you need to back up all the CA information on the old server, remove that server from the domain, join the new server to the domain, then restore the data. Since your new server is already on the domain, that does present some issues. Theoretically, you could remove the old server and CA infrastructure from the domain and then install Certificate Services on the other server without too much issue. It would, however, require you to re-issue all of your certificates.

For information, the reason the old and new servers need to have the same name is that the new server will effectively take ownership of the old server's Root CA certificate. The validity of that certificate and all certificates created by the new server rely on the computer name, so in order for all the existing certificates to remain valid you have to have the same name on the old and new servers.

As both servers have different names, does this now mean I will have to rename the new one to be the same name as the old server?

Or will I just have to re-issue all of the certificates again?
snusgubben posted a solution (members-only content not shown).

A second, asker-certified solution follows (members-only content not shown).

Contigo1 (asker):
The company is quite small and we don't have that many certificates, so I will probably just install AD CS onto another server on the domain and then re-issue certificates from the new CA.
Hi,

Should I remove the old CA before installing another Root CA into the domain?

Also, do I need to change any settings for the machines in the domain to use the new CA, or will they pick it up automatically?
Solution (members-only content not shown).
I disagree with the statement about CA moves and the need to keep the same machine name.

Important  
When migrating a CA, the computer name of the target computer can differ from the computer name of the source computer, but the CA name must stay the same.
 
Note  
By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions that include the CA computer host name in the path. This means any certificates issued by the CA before migration may contain certificate validation paths that contain the old host name. These paths may no longer be valid after the migration. To avoid revocation checking errors, the new CA must be configured to publish CRLs to the old (pre-migration) path as well as the new paths.  

You can find it under the section "Migrate the CA to a New Host"
http://technet.microsoft.com/en-us/library/cc742388(v=ws.10).aspx

Full article starts here:
http://technet.microsoft.com/en-us/library/cc742515(v=ws.10).aspx
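The CRL distribution point note quoted above, as an added example that is not part of the thread or of the TechNet article: certutil commands run on the migrated CA that keep the old host's CRL and AIA paths alive so certificates issued before the move still pass revocation checking. All names are placeholders I have assumed (old host old-dc.contoso.com, new host new-dc.contoso.com, CA name Contoso-CA); the registry value names, flag bits and certutil switches are standard AD CS ones.

```powershell
# Added example, not from the thread. Assumed placeholder names:
#   old CA host : old-dc.contoso.com
#   new CA host : new-dc.contoso.com
#   CA name     : Contoso-CA  (the CA name must not change in a migration)
# Run in an elevated PowerShell on the new CA after the CA restore.
#
# Flag bits in CRLPublicationURLs / CACertPublicationURLs:
#   1  = publish CRLs (or the CA cert) to this location
#   2  = put this URL in the CDP (or AIA) extension of newly issued certs
#   4  = include in CRLs so clients can find delta CRLs
#   64 = publish delta CRLs to this location
# The %3%8%9 / %1_%3%4 tokens are the same file-name pattern the CA's default
# entries use, so the copies written here get the same names as on the old CA.

# 1. Record what the migrated CA currently publishes and embeds.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# 2. Certificates issued before the move carry
#    http://old-dc.contoso.com/CertEnroll/Contoso-CA.crl in their CDP extension.
#    Two ways to keep that URL working:
#    (a) make old-dc.contoso.com a DNS CNAME for new-dc and let IIS on new-dc
#        serve the default CertEnroll folder under both names; the CA's default
#        local publication entry then already covers it, or
#    (b) keep a web server at the old name and publish CRL + delta CRL (1+64)
#        into its CertEnroll share as well. The "+" prefix appends to the
#        REG_MULTI_SZ value instead of replacing it. The CA's computer account
#        needs write access to that share.
certutil -setreg CA\CRLPublicationURLs "+65:\\old-dc.contoso.com\CertEnroll\%3%8%9.crl"

# 3. Same idea for the CA certificate referenced by the AIA extension.
certutil -setreg CA\CACertPublicationURLs "+1:\\old-dc.contoso.com\CertEnroll\%1_%3%4.crt"

# 4. Restart the service so the new registry values take effect, then publish.
Restart-Service certsvc
certutil -CRL

# 5. Check from a client with a certificate the OLD CA issued:
#    -urlfetch follows every CDP and AIA URL in the chain and reports any fetch
#    that fails, which is exactly the post-migration breakage the note warns about.
certutil -verify -urlfetch C:\temp\issued-before-migration.cer
```

Option (a) is the usual choice when the old box is being decommissioned, since it needs no second publication target; option (b) fits when the old host stays online as a web server for a while. Either way, re-run step 5 with an old certificate after the old server is finally removed.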
Hi,

As we don't have many certificates on our existing CA, we have decided to remove the old one and then install AD CS on the new server.

On the old server, before I remove AD CS, should I revoke all of the certificates on it so that everything will be forced to pick up new certificates from the new CA?
Solution (members-only content not shown).