
CA move from Windows Server 2003 to 2008R2

Posted on 2012-03-14
Last Modified: 2012-03-21
Hi,

We currently have one Enterprise CA running on Windows Server 2003. This server also is a DC/GC.

I would like to move this CA from the 2003 server onto a new 2008R2 box.

The new machine already is a DC/GC and is also a DNS server. The server is also a Windows Server 2008R2 Datacenter machine.

Both machines are currently running and both have different machine names and IP addresses.

What is the best way to move the CA?
Question by:Contigo1
 
LVL 38

Expert Comment

by:Adam Brown
ID: 37721013
There's a full migration guide available here: http://technet.microsoft.com/en-us/library/ee126170%28v=ws.10%29.aspx
 
LVL 1

Author Comment

by:Contigo1
ID: 37721032
Hi,

I read that both machines need to have the same name, otherwise the CA will be corrupted when it is moved. Is this true?
 
LVL 38

Expert Comment

by:Adam Brown
ID: 37721085
It'll cause some issues, yes. So you need to back up all the CA information on the old server, remove that server from the domain, join the new server to the domain, then restore data. Since your new server is already on the domain, that does present some issues. Theoretically, you could remove the old server and CA infrastructure from the domain and then install Certificate Services on the other server without too much issue. It would, however, require you to re-issue all of your certificates.
 
LVL 38

Expert Comment

by:Adam Brown
ID: 37721099
For information, the reason the old and new servers need to have the same name is because the new server will effectively take ownership of the old server's Root CA Certificate. The validity of that certificate and all certificates created by the new server rely on the computer name, so in order for all the existing certificates to remain valid you have to have the same name on the old and new servers.
 
LVL 1

Author Comment

by:Contigo1
ID: 37721114
As both servers have different names does this now mean I will have to rename the new one to be the same name as the old server?

Or will I just have to re-issue all of the certificates again?
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 125 total points
ID: 37721118
Yes, it's true. The destination server needs to have the same name as the server you are migrating from.

It's not recommended to place the CS role on a DC. The AD CS role will become dependent on the AD DS role. It will work, but if you want to demote a DC, you can't as long as it is a CA.
 
LVL 38

Accepted Solution

by:Adam Brown
Adam Brown earned 250 total points
ID: 37721156
It depends on how you want to change things. If you change the server's name, you'll have to do some work in DNS to correct the changed Domain Controller name. There's a lot of work associated with changing the name of a Domain Controller. If you have another DC and this is a secondary, you can just demote the server, rename it, install CS, then promote it back to DC if you need that server to be a DC. If it's the only DC you have, you're going to run into a lot of problems renaming it. As was mentioned, there are also issues with having CS on a DC. If you have additional hardware or can build a VM (very possible and I think free when you have a Datacenter edition of Windows and Hyper-V) the migration is much easier.

If you don't mind re-issuing all of your certs, you can remove the old CA and just build a new CA on whatever server you want.
 
LVL 1

Author Comment

by:Contigo1
ID: 37721199
The company is quite small and we don't have that many certificates, so I will probably just install AD CS onto another server on the domain and then re-issue certificates on the new CA.
 
LVL 1

Author Comment

by:Contigo1
ID: 37721428
Hi,

Should I remove the old CA before installing another Root CA into the domain?

Also, do I need to change any settings for the machines in the domain to use the new CA, or will they pick it up automatically?
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 250 total points
ID: 37721438
http://support.microsoft.com/kb/889250 has info on decommissioning a Root CA. You'll want to decommission the old one before bringing the new one online.
 
LVL 26

Expert Comment

by:Leon Fester
ID: 37724449
I disagree with the statement about CA moves and the need to keep the same machine name.

Important  
When migrating a CA, the computer name of the target computer can differ from the computer name of the source computer, but the CA name must stay the same.
 
Note  
By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions that include the CA computer host name in the path. This means any certificates issued by the CA before migration may contain certificate validation paths that contain the old host name. These paths may no longer be valid after the migration. To avoid revocation checking errors, the new CA must be configured to publish CRLs to the old (pre-migration) path as well as the new paths.  

You can find it under the section "Migrate the CA to a New Host"
http://technet.microsoft.com/en-us/library/cc742388(v=ws.10).aspx

Full article starts here:
http://technet.microsoft.com/en-us/library/cc742515(v=ws.10).aspx
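The migration path the thread argues about (back up on the old host, restore on a host with a different computer name but the same CA name, then keep the pre-migration CRL paths working, as the TechNet note above requires), as an added PowerShell/certutil example. It is not from the thread or from Microsoft's guide. OLDDC, NEWDC, corp.example and C:\CABackup are placeholder names; the role install itself is done in Server Manager as the guide describes. The old-host half only needs certutil, reg.exe and xcopy, so on the Server 2003 box those lines can be typed into cmd if PowerShell 2.0 is not installed there.

```powershell
# Added example, not from the thread or the TechNet migration guide. Placeholders (assumptions):
$Backup  = "C:\CABackup"
$OldHost = "OLDDC"            # computer name baked into existing certs' CDP/AIA paths
$NewHost = "NEWDC"            # new host, already a domain member; the CA NAME stays the same
$Zone    = "corp.example"     # AD DNS zone

### 1. On the OLD (Server 2003) CA ###
certutil -backup $Backup      # writes <CAName>.p12 (cert + private key) and DataBase\; prompts for a password
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "$Backup\CAConfig.reg"
# CertEnroll holds the files old certificates point at, e.g. OLDDC_<CAName>.crt named in their AIA
xcopy "$env:windir\system32\CertSrv\CertEnroll" "$Backup\CertEnroll\" /E /I
# %1 expands to the host DNS name and %2 to the host short name: BOTH are in certs already issued
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

### 2. On the NEW (2008 R2) host, after installing AD CS as an Enterprise CA with ###
###    "Use existing private key" and selecting $Backup\<CAName>.p12               ###
Stop-Service certsvc
certutil -f -restoredb $Backup            # -f overwrites the empty database the role install created
Copy-Item "$Backup\CertEnroll\*" "$env:windir\system32\CertSrv\CertEnroll\"
# Do NOT reg-import CAConfig.reg as-is: CAServerName and the publication URL lists in it
# name the old host. Re-apply the settings you want one by one with certutil -setreg.

# Old certificates carry ldap:///CN=<CAName>,CN=OLDDC,CN=CDP,... as their LDAP CDP, while the
# new CA publishes under CN=NEWDC. Add the OLD path with flag 1 only (publish here, but do not
# write it into new certificates). The "+" prefix appends to the existing REG_MULTI_SZ list;
# %7 = truncated CA name, %8 = CRL name suffix, %6 = configuration naming context.
certutil -setreg CA\CRLPublicationURLs "+1:ldap:///CN=%7%8,CN=$OldHost,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
# If publishing later fails with access denied, the new CA's computer account needs write
# access on that old CN=$OldHost container under CN=CDP.

# The HTTP CDP/AIA in old certs say http://OLDDC/CertEnroll/... . Once the old DC is demoted
# and its A record is gone, alias the old name to the new host (IIS on NEWDC must serve the
# CertEnroll folder, which now also holds the copied OLDDC_<CAName>.crt):
dnscmd $NewHost /RecordAdd $Zone $OldHost CNAME "$NewHost.$Zone"
# Alternative when the old box stays up as a plain web/file server: publish the CRL file there too
#   certutil -setreg CA\CRLPublicationURLs "+1:\\$OldHost\CertEnroll\%3%8%9.crl"

Start-Service certsvc
certutil -getreg CA\CRLPublicationURLs    # confirm the appended entry
certutil -crl                             # publish to every flag-1 location, old LDAP path included

### 3. Check with a certificate issued BEFORE the move: -urlfetch retrieves every CDP/AIA URL ###
certutil -verify -urlfetch "$Backup\pre-migration-user.cer"
```

The point of the flag-1-only entry is that the pre-migration CRL object keeps getting refreshed without the retired host name leaking into new certificates; once every certificate issued before the move has expired, the extra entry and the CNAME can be removed. The `-urlfetch` check is the one to repeat from a non-domain-joined client too, because those skip the LDAP CDP and depend entirely on the HTTP path.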
 
LVL 1

Author Comment

by:Contigo1
ID: 37724732
Hi,

As we don't have many certificates on our existing CA, we have decided to remove the old one and then install AD CS on the new server.

On the old server, before I remove AD CS, should I revoke all of the certificates on it so that everything will be forced to pick up new certificates from the new CA?
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 125 total points
ID: 37724850
Yes, you would revoke all the certificates. There are actually a couple of actions that need to be completed during the removal.
http://support.microsoft.com/kb/889250

Previously answered question about a crashed CA:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_27626720.html
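The removal half of the path the asker settled on (revoke everything the old CA issued, publish a last long-lived CRL, deny pending requests, then take the role down), as an added PowerShell/certutil example. It is not from the thread or from KB889250, which remains the reference for the AD object cleanup at the end. It runs on the old CA as a CA administrator; since certutil does the real work, on the Server 2003 host it needs PowerShell 2.0 installed (assumption) or the certutil lines typed into cmd. The CRL lifetime, the CA name and the configuration DN are placeholders.

```powershell
# Added example, not from the thread or KB889250. Placeholders (assumptions):
$CrlYears = 5                                        # must outlive the longest-lived issued cert
$CaName   = "Contoso-CA"                             # the CA's own name, used for the CRL file
$ConfigDN = "CN=Configuration,DC=corp,DC=example"   # forest configuration naming context

# 1. Revoke every issued, still-valid certificate. Disposition 20 = issued; certs that have
#    already expired are skipped, they fail validation regardless and would only bloat the CRL.
#    Reason 5 = CessationOfOperation. certutil's csv output starts with a header row and may
#    end with a status line, so the header is dropped, our own column names are applied, and
#    anything that is not a hex serial number is filtered out before revoking.
$issued = certutil -view -restrict "Disposition=20,NotAfter>now" -out "RequestID,SerialNumber" csv |
    Select-Object -Skip 1 | ConvertFrom-Csv -Header RequestID,SerialNumber |
    Where-Object { $_.SerialNumber -match '^[0-9a-fA-F]+$' }
foreach ($row in $issued) {
    certutil -revoke $row.SerialNumber 5 | Out-Null
    "Revoked request {0}, serial {1}" -f $row.RequestID, $row.SerialNumber
}

# 2. Deny anything still waiting for approval (Disposition 9 = pending) so nothing is issued
#    after this point.
certutil -view -restrict "Disposition=9" -out "RequestID" csv |
    Select-Object -Skip 1 | ConvertFrom-Csv -Header RequestID |
    Where-Object { $_.RequestID -match '^\d+$' } |
    ForEach-Object { certutil -deny $_.RequestID | Out-Null }

# 3. Publish one last base CRL that stays valid after this server is gone. The CA will not
#    issue a CRL that outlives its own certificate, so check NextUpdate on the result.
certutil -setreg CA\CRLPeriodUnits $CrlYears
certutil -setreg CA\CRLPeriod "Years"
certutil -setreg CA\CRLDeltaPeriodUnits 0            # switch delta CRLs off
Restart-Service certsvc
certutil -crl
certutil -dump "$env:windir\system32\CertSrv\CertEnroll\$CaName.crl" | Select-String "NextUpdate"

# 4. Copy that .crl (and the CA .crt) from CertEnroll to any HTTP or file CDP that outlives this
#    host; the LDAP copy was written by -crl. Then uninstall Certificate Services through
#    Add/Remove Windows Components and delete the CA's objects from AD as KB889250 describes
#    (under CN=AIA, CN=CDP, CN=Certification Authorities and CN=Enrollment Services in
#    CN=Public Key Services). The CA certificate also sits in NTAuthCertificates; -viewdelstore
#    opens that store so the retired CA's entry can be selected and deleted:
certutil -viewdelstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$ConfigDN?cACertificate?base?objectClass=certificationAuthority"
```

Two things worth knowing before running it. Revocation only bites while clients can still reach a CRL, which is why step 3 comes before the uninstall and why the final CRL has to be copied to any CDP that is not on the server being retired. And the asker's other question, whether domain members need settings changed for the new CA, is answered by the Enterprise CA install itself: it registers the new CA in the Enrollment Services container and NTAuthCertificates, so machines enrolling through templates or autoenrollment find it on their next policy refresh; only the old CA's leftover AD objects from step 4 would keep pointing them at a CA that no longer exists.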