Solved

CA move from Windows Server 2003 to 2008R2

Posted on 2012-03-14
917 Views
Last Modified: 2012-03-21
Hi,

We currently have one Enterprise CA running on Windows Server 2003. This server also is a DC/GC.

I would like to move this CA from the 2003 server onto a new 2008R2 box.

The new machine already is a DC/GC and is also a DNS server. The server is also a Windows Server 2008R2 Datacenter machine.

Both machines are currently running and both have different machine names and IP addresses.

What is the best way to move the CA?
Question by:Contigo1
13 Comments
 
LVL 38

Expert Comment

by:Adam Brown
ID: 37721013
There's a full migration guide available here: http://technet.microsoft.com/en-us/library/ee126170%28v=ws.10%29.aspx
0
 
LVL 1

Author Comment

by:Contigo1
ID: 37721032
Hi,

I read that both machines need to have the same name, otherwise the CA will be corrupted when it is moved. Is this true?
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 37721085
It'll cause some issues, yes. So you need to back up all the CA information on the old server, remove that server from the domain, join the new server to the domain, then restore data. Since your new server is already on the domain, that does present some issues. Theoretically, you could remove the old server and CA infrastructure from the domain and then install Certificate Services on the other server without too much issue. It would, however, require you to re-issue all of your certificates.
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 37721099
For information, the reason the old and new servers need to have the same name is because the new server will effectively take ownership of the old server's Root CA Certificate. The validity of that certificate and all certificates created by the new server rely on the computer name, so in order for all the existing certificates to remain valid you have to have the same name on the old and new servers.
0
 
LVL 1

Author Comment

by:Contigo1
ID: 37721114
As both servers have different names does this now mean I will have to rename the new one to be the same name as the old server?

Or will I just have to re-issue all of the certificates again?
0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 125 total points
ID: 37721118
Yes, it's true. The destination server needs to have the same name as the server you are migrating from.

It's not recommended to place the CS role on a DC. The AD CS role will become dependent on the AD DS role. It will work, but if you'd like to demote a DC, you can't as long as it is a CA.
0
 
LVL 38

Accepted Solution

by:Adam Brown
Adam Brown earned 250 total points
ID: 37721156
It depends on how you want to change things. If you change the server's name, you'll have to do some work in DNS to correct the changed Domain Controller name. There's a lot of work associated with changing the name of a Domain Controller. If you have another DC and this is a secondary, you can just demote the server, rename it, install CS, then promote it back to DC if you need that server to be a DC. If it's the only DC you have, you're going to run into a lot of problems renaming it. As was mentioned, there are also issues with having CS on a DC. If you have additional hardware or can build a VM (very possible and I think free when you have a Datacenter edition of Windows and Hyper-V) the migration is much easier.

If you don't mind re-issuing all of your certs, you can remove the old CA and just build a new CA on whatever server you want.
0
 
LVL 1

Author Comment

by:Contigo1
ID: 37721199
The company is quite small and we don't have that many certificates, so I will probably just install AD CS onto another server on the domain and then re-issue certificates on the new CA.
0
 
LVL 1

Author Comment

by:Contigo1
ID: 37721428
Hi,

Should I remove the old CA before installing another Root CA into the domain?

Also, do I need to change any settings for the machines in the domain to use the new CA, or will they automatically pick it up?
0
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 250 total points
ID: 37721438
http://support.microsoft.com/kb/889250 has info on decommissioning a Root CA. You'll want to decommission the old one before bringing the new one online.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 37724449
I disagree with the statement about CA moves and the need to keep the same machine name.

Important
When migrating a CA, the computer name of the target computer can differ from the computer name of the source computer, but the CA name must stay the same.

Note
By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions that include the CA computer host name in the path. This means any certificates issued by the CA before migration may contain certificate validation paths that contain the old host name. These paths may no longer be valid after the migration. To avoid revocation checking errors, the new CA must be configured to publish CRLs to the old (pre-migration) path as well as the new paths.

You can find it under the section "Migrate the CA to a New Host":
http://technet.microsoft.com/en-us/library/cc742388(v=ws.10).aspx

Full article starts here:
http://technet.microsoft.com/en-us/library/cc742515(v=ws.10).aspx
0
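One way to act on the note above about pre-migration CRL paths, written here as an added example and not taken from the thread or from Microsoft's guide: it appends a publish-only entry for the old host's CertEnroll location to the new CA's CRLPublicationURLs and republishes the CRL. It assumes a CA named "Contoso Root CA", an old host name "OLDCA01" that now resolves to the new server via a DNS alias, and a \\OLDCA01\CertEnroll share on the new server that IIS serves as /CertEnroll; run it elevated on the new CA.

```powershell
# Added example (not the thread's or Microsoft's code). Assumed names: CA "Contoso Root CA",
# old host "OLDCA01" (so certificates issued before the move carry
# http://OLDCA01/CertEnroll/<CA name>.crl in their CDP extension), and a \\OLDCA01\CertEnroll
# share that now lives on the new server and is served over HTTP at the old URL.
$CaName  = "Contoso Root CA"
$OldHost = "OLDCA01"
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"

# CRLPublicationURLs is a REG_MULTI_SZ of "<flags>:<template>" entries. Flag bits:
#   1 = publish base CRLs to this location     64 = publish delta CRLs to this location
#   2 = include URL in the CDP extension of issued certs   4 = include in FreshestCRL extension
# Template tokens: %1 = server DNS name, %3 = CA name, %8 = CRL name suffix, %9 = delta suffix.
# The default HTTP entry is built from %1, which on the new server expands to the NEW host
# name. Certificates issued before the move name the old host literally, so add a
# publish-only entry (1 + 64 = 65) that writes every base and delta CRL to the old path too.
# It deliberately omits bits 2 and 4: new certificates should advertise only the new URL.
$OldPath = "65:\\$OldHost\CertEnroll\%3%8%9.crl"

$current = @((Get-ItemProperty -Path $RegPath -Name CRLPublicationURLs).CRLPublicationURLs)
if ($current -contains $OldPath) {
    Write-Host "Old publication path already configured."
} else {
    Set-ItemProperty -Path $RegPath -Name CRLPublicationURLs -Type MultiString `
                     -Value ($current + $OldPath)
    Restart-Service CertSvc      # the CA reads CRLPublicationURLs when it starts
}

# Publish a fresh base (and delta) CRL to every configured location, old path included.
certutil -CRL

# Confirm with a certificate issued before the migration that its embedded old CDP URL
# still fetches: every CDP/AIA line should be reported as verified, not "failed".
# certutil -verify -urlfetch .\pre-migration-cert.cer
```

If the old host name is not kept resolvable (DNS alias or the old server left running), the publish step will fail and existing certificates will still hit revocation-check errors; the DNS part is the half the registry change cannot solve.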
 
LVL 1

Author Comment

by:Contigo1
ID: 37724732
Hi,

As we don't have many certificates on our existing CA, we have decided to remove the old one and then install AD CS on the new server.

On the old server, before I remove AD CS, should I revoke all of the certificates on it so that everything will be forced to pick up new certificates from the new CA?
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 125 total points
ID: 37724850
Yes, you would revoke all the certificates; there are actually a couple of actions that need to be completed during the removal.
http://support.microsoft.com/kb/889250

Previously answered question about a crashed CA:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_27626720.html
0
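A way to carry out the "revoke everything before removing AD CS" step discussed above, as an added example that is not part of the thread or of KB 889250: it lists every certificate the old CA still has in the issued state, revokes them only when run with -Revoke, and then publishes a CRL so relying parties see the revocations before the CA disappears. It assumes it runs elevated on the old CA after a CA backup has been taken; the dry-run default and the use of reason code 5 (CessationOfOperation) are this example's choices.

```powershell
# Added example (not the thread's or Microsoft's code). Run elevated on the OLD CA,
# after backing it up and before uninstalling AD CS. Dry run unless -Revoke is given.
param([switch]$Revoke)

# Disposition 20 = issued (21 = revoked). "csv" output is one header row followed by
# one quoted serial number per line, so skip the header and strip the quotes.
$lines   = certutil -view -restrict "Disposition=20" -out "SerialNumber" csv
$serials = @($lines | Select-Object -Skip 1 |
             ForEach-Object { $_.Trim().Trim('"') } |
             Where-Object { $_ -match '^[0-9a-fA-F]+$' })

Write-Host ("{0} issued certificate(s) still outstanding on this CA." -f $serials.Count)

foreach ($serial in $serials) {
    if ($Revoke) {
        # Reason 5 = CessationOfOperation: the issuing CA itself is being retired.
        certutil -revoke $serial 5 | Out-Null
        Write-Host "revoked $serial"
    } else {
        Write-Host "would revoke $serial (re-run with -Revoke to apply)"
    }
}

if ($Revoke -and $serials.Count -gt 0) {
    # Publish a CRL containing the revocations; clients still trusting the old root
    # need to be able to fetch it from the CDP locations until the root is removed.
    certutil -CRL
}
```

Review the dry-run listing first: anything a machine still depends on (domain controller authentication certificates, for example) should already have a replacement from the new CA before it is revoked here.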
