CA Migration from 2003 to 2008

I had a 2003 network that was upgraded to 2008. The only 2003 server left is a domain controller which is also the CA for the domain. I need to move the CA to a 2008 server and decommission the 2003 server. I have 2 domain controllers and a member server that is running SQL services. I cannot rename any of the servers due to the current infrastructure. Can anyone point me in the direction of how to accomplish this, and any suggestions as to whether I should install on one of the DCs or install on the member server? The new servers all have unique names.
Adam Brown (Sr Solutions Architect) commented:
If you can't rename the new server to be the same as the old server, you can't actually migrate while keeping your existing key infrastructure. You would need to decommission the CA services on the old server and install a new CA and re-issue your certificates.
If you want your existing certificate infrastructure working, then I would suggest you export the CA configuration, DCpromo the server, upgrade the 2003 server to 2008 (perform a fresh install if you want), keeping the name of the server the same as before, DCpromo again and then import the configuration.
You HAVE to keep the new 2008 server name the same as the existing 2003 CA server, else nothing will work. You can refer to the following link for the steps for migration:

Link: Move Root Certificate Authority from Windows Server 2003 to Windows Server 2008

Make sure that you take a Full Backup of the server and only after that proceed with the migration.
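A concrete form of the "export the CA configuration" and "full backup" steps above, as an added example that is not from the thread or the linked article. It assumes an elevated prompt on the old Windows Server 2003 CA and a placeholder backup path; the post-restore check at the end assumes the new 2008 server carries the same CA name.

```powershell
# Added example (not from the thread): capture everything the CA import on the new
# server needs, taken on the old Windows Server 2003 CA before it is demoted or rebuilt.
# Assumption: $BackupDir is a placeholder path; run from an elevated prompt on the CA.
$BackupDir = "D:\CABackup"
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. CA database, log files and the CA's own key pair. certutil prompts for a password
#    that protects the exported .p12; the same password is required at restore time.
certutil -backup $BackupDir

# 2. The CA configuration that lives in the registry (CRL/AIA publication paths,
#    validity periods, policy module settings). This is the "CA configuration" to export.
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" `
           "$BackupDir\CertSvc-Configuration.reg"

# 3. Which certificate templates this enterprise CA publishes, so the same set can be
#    re-enabled on the new server and compared afterwards.
certutil -catemplates | Out-File "$BackupDir\templates.txt"

# 4. A copy of the CA certificate itself, kept separately for comparison after the restore.
certutil -ca.cert "$BackupDir\ca-cert-before.cer"

Get-ChildItem $BackupDir

# --- Run on the NEW 2008 server after certutil -restore and the registry import ---
# The CA must answer, and the certificate it presents must be the one backed up above;
# a differing hash means the key pair or CA name did not survive the move.
# certutil -ping
# certutil -ca.cert "C:\ca-cert-after.cer"
# certutil -dump "C:\ca-cert-after.cer"  | findstr /C:"Cert Hash"
# certutil -dump "$BackupDir\ca-cert-before.cer" | findstr /C:"Cert Hash"
```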
Syed_M_Usman (System Administrator) commented:
I am not an expert in CA migration, but I would suggest not installing the CA on a DC, for the following reasons:

1. Administration of certain CA functions requires a local administrator, and this becomes an issue on a Domain Controller.
2. If you want to publish your CRLs externally, that DC will be internet facing and this could be a very big security risk.
3. If you want to decommission the Domain Controller (for any reason), first you will have to go through the procedure of moving the CA before decommissioning.

Good luck....
syed_M_Usman is correct - it is not advisable anymore to install CAs on domain controllers. They should be their own member server.

We started a new certificate infrastructure when upgrading to 2008, and aged and revoked the old one out. It's nice and clean that way :)
Leon Fester (Senior Solutions Architect) commented:
Check instructions from Microsoft:
How to upgrade/migrate a CA
It covers the following scenarios:

Hardware change
Host name change
CA type change
Domain membership change
Move a CA on a domain controller to a CA on a domain member (demoting a domain controller)
Move a CA on a domain controller to a CA on a different computer (migrating a CA)
In-place upgrade of Windows Server 2003 to Windows Server 2008
In-place upgrade from Windows Server 2008 Standard to Windows Server 2008 Enterprise
CNEAdmin (Author) commented:
Rafter81, what do you mean you started a new certificate infrastructure? You revoked all outstanding certs and installed the CA role on a new server without restoring any certs? I have attached an image of the current issued certs. Maybe this will help with which way I should proceed. The certificate for the 2010 Exchange server is self-issued and not from the current CA. I have not worked with CA extensively and am hesitant to move forward as I do not know what I could possibly break. Should this be done over a weekend as well instead of during normal operating hours?
Adam Brown (Sr Solutions Architect) commented:
Replacing your CA infrastructure won't *break* anything, really. It will just invalidate the existing certificates (except for self-signed and third party) and they'll need to be re-issued using the new infrastructure. The purpose of a CA is to have a certified source of certificates that is able to verify the identity of the servers that use its certificates. Having an invalid certificate won't break anything. SSL and TLS still work if the SSL certificate is invalid. It's just that you'll end up getting warnings when you attempt to establish a secure connection.
CNEAdmin (Author) commented:
So doing this during normal business hours will not bring the network down and could possibly just throw an alert for workstations connecting back to the server? Thanks again for the information. Love EE!
Adam Brown (Sr Solutions Architect) commented:
It'll probably confuse your users a little bit, but they just have to click okay on any certificate warnings and things will work as normal.
CNEAdmin (Author) commented:
Thanks, I will look at working through this next week.

Yeah, you will be fine as long as you don't use certificates for authentication (i.e. Wi-Fi) or anything like that. If you did, then you could set up the new CA, get that distributing the certs you need, then transfer your authentication over to this and revoke and decommission the old. Otherwise, if they are just web certs, the user may get an "issue with this cert" warning but nothing major. LDAP using SSL domain certs may of course stop particular LDAP functions, but again it depends if you're using these, which not a lot of people do.
You won't break anything by bringing the new one online!
CNEAdmin (Author) commented:
Based on rafter81's comments, is it necessary to have a CA in an enterprise domain if the only certs being used are those for Exchange and OWA? Meaning, could I just decommission the current CA and not have to bother with setting up a new one? I remember a best practice from MCSE 2003 was you could build a CA, create an image, then put the image in a safe and take the physical CA offline, only pulling it out when necessary to publish new certs. I may be a little off as that was around 6 years ago, but I believe that is the method our instructor indicated is acceptable.

If you're just using it for OWA etc., wouldn't you be better off with a third-party signed cert, i.e. or alike? Saves the hassle of setting up your own CA and would mean certified offsite use with browsers.
CNEAdmin (Author) commented:
Ok, that being said, could I get away without a CA on premises?
Leon Fester (Senior Solutions Architect) commented:
Yes, you can get away without having a CA on your domain.
But you may get some loss of functionality relating to secured services/devices.
If you have no dependency/requirements for PKI, then you can remove the CA.
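One way to find the PKI dependencies Leon refers to (and the LDAPS and authentication cases rafter81 mentioned) before the old CA is removed, as an added example that is not from the thread. It assumes a placeholder CA common name and is meant to be run on each DC, the Exchange server and the SQL member server.

```powershell
# Added example (not from the thread): list which certificates in this machine's store
# were issued by the old enterprise CA and what they are used for, so the loss of
# functionality from removing the CA can be judged per server.
# Assumption: $CaName is a placeholder for the old CA's common name.
param([string]$CaName = "OLD-CA-NAME")

$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

# LocalMachine\My holds server certificates: the LDAPS cert on a DC, SQL connection
# encryption on the member server, the IIS binding that serves OWA on Exchange.
$issuedByOldCa = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -match "CN=$([regex]::Escape($CaName))" }

if (-not $issuedByOldCa) {
    Write-Output "No certificates from '$CaName' in LocalMachine\My on $env:COMPUTERNAME"
    return
}

foreach ($cert in $issuedByOldCa) {
    # Enhanced Key Usage says what stops working: Server Authentication means a TLS or
    # LDAPS binding; Client Authentication means this box authenticates with the cert
    # (802.1X/Wi-Fi, smart card logon), which is the case rafter81 warned about.
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName } }

    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        HasKey     = $cert.HasPrivateKey
        Usage      = ($eku -join ", ")
    }
}

# On the CA itself, the complete list of certificates it has issued (disposition 20 =
# issued) shows dependencies on machines you did not think to check:
# certutil -view -restrict "Disposition=20" -out "RequestID,RequesterName,CommonName,NotAfter,CertificateTemplate"
```

A certificate with a private key and Client Authentication usage is the one that needs the "stand up the new CA first, then cut over" order rafter81 described; Server Authentication certs only produce browser or LDAPS trust warnings.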

Seth Simmons (Sr. Systems Administrator) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.