CNEAdmin asked:
CA Migration from 2003 to 2008

I had a 2003 network that was upgraded to 2008. The only 2003 server left is a domain controller which is also the CA for the domain. I need to move the CA to a 2008 server and decommission the 2003 server. I have 2 domain controllers and a member server that is running SQL services. I cannot rename any of the servers due to the current infrastructure. Can anyone point me in the direction of how to accomplish this, and any suggestions as to whether I should install on one of the DCs or install on the member server? The new servers all have unique names.
Adam Brown:

If you can't rename the new server to be the same as the old server, you can't actually migrate while keeping your existing Key Infrastructure. You would need to decommission the CA Services on the old servers and install a new CA and re-issue your certificates.
If you want your existing certificate infrastructure working, then I would suggest you export the CA configuration, DCpromo the server, upgrade the 2003 server to 2008 (perform a fresh install if you want), keep the name of the server the same as before, DCpromo again and then import the configuration.

You HAVE to keep the new 2008 server name the same as the existing 2003 CA server, else nothing will work. You can refer to the following link for the steps for migration:

Link: Move Root Certificate Authority from Windows Server 2003 to Windows Server 2008

Make sure that you take a Full Backup of the server and only after that proceed with the migration.
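The backup-and-restore sequence described above, as an added example rather than commands from the thread or from Microsoft's article. It is a cmd batch script (the 2003 CA will not normally have PowerShell), run elevated on the old CA with `backup` and on the replacement 2008 server with `restore`. The `BACKUPDIR` path is an assumed placeholder, and the restore side assumes what the post stresses: the new server carries the same host name and the CA role was installed using the existing key from the backed-up `.p12` file.

```batch
@echo off
rem Added example, not from the thread or Microsoft's article: back up the CA on the
rem old 2003 server and restore it on the replacement 2008 server of the same name.
rem BACKUPDIR is an assumed placeholder; use a path that is itself backed up elsewhere.
set BACKUPDIR=D:\CA-Backup

if "%1"=="backup" goto backup
if "%1"=="restore" goto restore
echo usage: %~nx0 backup ^| restore
exit /b 1

:backup
rem --- run on the existing 2003 CA; certutil -backup needs the CA service running ---
if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"
rem Database, logs, and the CA certificate with its private key (prompts for a
rem password that protects the exported key; keep it with the backup, not on the CA).
certutil -backup "%BACKUPDIR%"
rem Registry configuration: CRL/AIA publication paths, validity periods, policy settings.
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "%BACKUPDIR%\CertSvc-Configuration.reg" /y
rem Record the CA name and the templates it offers so the restored CA can be checked.
certutil -cainfo name > "%BACKUPDIR%\cainfo.txt"
certutil -catemplates > "%BACKUPDIR%\templates.txt"
exit /b 0

:restore
rem --- run on the new 2008 server after copying the backup folder across: same host
rem --- name, CA role already installed with the existing key from %BACKUPDIR%\<CA name>.p12 ---
net stop certsvc
rem Replace the freshly created (empty) database with the backed-up one.
certutil -f -restoredb "%BACKUPDIR%"
rem The exported settings assume the old host name; with the name kept, they import as-is.
reg import "%BACKUPDIR%\CertSvc-Configuration.reg"
net start certsvc
rem Confirm the restored CA answers with the same name and can publish a CRL.
certutil -cainfo name
certutil -crl
exit /b 0
```

Compare the `certutil -cainfo name` output on the new server with `cainfo.txt` from the backup; a mismatch means the role was installed under a different CA name and the restored data will not line up with the certificates already in use.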
I am not an expert in CA migration, but I would suggest not installing the CA on a DC, for the following reasons:

1. Administration of certain CA functions requires a local administrator, and this becomes an issue on a Domain Controller.

2. If you want to publish your CRLs externally, that DC will be internet-facing and this could be a very big security risk.

3. If you want to decommission the Domain Controller (for any reason), first you will have to go through the procedure of moving the CA before decommissioning.

Good luck.
syed_M_Usman is correct - it is not advisable anymore to install CAs on domain controllers. They should be their own member server.

We started a new certificate infrastructure when upgrading to 2008, and aged and revoked the old one out. It's nice and clean that way :)
Check instructions from Microsoft:
How to upgrade/migrate a CA.
http://technet.microsoft.com/en-us/library/cc742388(v=ws.10).aspx
It covers the following scenarios:

Hardware change
Host name change
CA type change
Domain membership change
Move a CA on a domain controller to a CA on a domain member (demoting a domain controller)
Move a CA on a domain controller to a CA on a different computer (migrating a CA)
In-place upgrade of Windows Server 2003 to Windows Server 2008
In-place upgrade from Windows Server 2008 Standard to Windows Server 2008 Enterprise
CNEAdmin (asker):
Rafter81, what do you mean you started a new certificate infrastructure? You revoked all outstanding certs and installed the CA role on a new server without restoring any certs? I have attached an image of the current issued certs. Maybe this will help with which way I should proceed. The certificate for the 2010 Exchange server is self-issued and not from the current CA. I have not worked with CA extensively and am hesitant to move forward as I do not know what I could possibly break. Should this be done over a weekend as well instead of during normal operating hours?
[Attached image: Capture.PNG]
Replacing your CA Infrastructure won't *break* anything, really. It will just invalidate the existing certificates (except for self-signed and third party) and they'll need to be re-issued using the new infrastructure. The purpose of a CA is to have a certified source of certificates that is able to verify the identity of the servers that use its certificates. Having an invalid certificate won't break anything. SSL and TLS still work if the SSL certificate is invalid. It's just that you'll end up getting warnings when you attempt to establish a secure connection.
So doing this during normal business hours will not bring the network down and could possibly just throw an alert for workstations connecting back to the server? Thanks again for the information. Love EE!
It'll probably confuse your users a little bit, but they just have to click okay on any certificate warnings and things will work as normal.
Thanks I will look at working through this next week.
Yeah, you will be fine as long as you don't use certificates for authentication (i.e. wifi) or anything like that. If you did, then you could set up the new CA, get that distributing the certs you need, then transfer your authentication over to this and revoke and decommission the old. Otherwise, if they are just web certs the user may get an "issue with this cert" warning but nothing major. LDAP using SSL domain certs may of course stop particular LDAP functions, but again it depends if you're using these, which not a lot of people do.
You won't break anything by bringing the new one online!
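A way to answer the "do we use certificates for authentication?" question from the post above before bringing the new CA online, as an added example that is not part of the thread. It is a cmd batch script for the existing CA; `OUTDIR` is an assumed placeholder. It dumps what the CA has issued and revoked, and which templates it offers, so anything beyond web server certificates is found and re-issued from the new CA before the old one is decommissioned.

```batch
@echo off
rem Added example, not from the thread: inventory the current CA before replacing it,
rem so certificates used for authentication (wifi/802.1X, LDAPS, smart cards) are
rem spotted and re-issued first. Run elevated on the CA; OUTDIR is an assumed placeholder.
set OUTDIR=D:\CA-Inventory
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

rem Every issued certificate (Disposition 20) with requester, template and expiry, as CSV.
rem Version 2 templates appear by OID; map them with "certutil -template".
certutil -view -restrict "Disposition=20" -out "RequestID,RequesterName,CommonName,CertificateTemplate,NotAfter" csv > "%OUTDIR%\issued.csv"

rem Certificates revoked so far: a non-empty list means relying parties check this CRL,
rem which matters if the CRL distribution point moves or disappears with the old server.
certutil -view Revoked -out "RequestID,CommonName,NotAfter" csv > "%OUTDIR%\revoked.csv"

rem Templates the CA currently offers. Authentication-oriented ones (Workstation
rem Authentication, RAS and IAS Server, Smartcard Logon, Domain Controller Authentication)
rem mean more than OWA/Exchange certificates depend on this CA.
certutil -catemplates > "%OUTDIR%\templates.txt"

rem Where clients fetch the CRL and CA certificate from; if a listed URL points at the
rem 2003 host, it goes away with that server unless the same name is kept.
certutil -getreg CA\CRLPublicationURLs > "%OUTDIR%\crl-urls.txt"
certutil -getreg CA\CACertPublicationURLs > "%OUTDIR%\aia-urls.txt"

echo Inventory written to %OUTDIR%
```

Read `issued.csv` for certificates that are still within their validity period and not in `revoked.csv`; those are the ones that will start producing warnings, or failing authentication, once the old CA is gone.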
Based on rafter81's comments, is it necessary to have a CA in an enterprise domain if the only certs being used are those for Exchange and OWA? Meaning could I just decommission the current CA and not have to bother with setting a new one? I remember a best practice from MCSE 2003 was you could build a CA, create an image then put the image in a safe and take the physical CA offline only pulling it out when necessary to publish new certs. I may be a little off as that was around 6 years ago but I believe that is the method our instructor indicated is acceptable.
If you're just using it for OWA etc., wouldn't you be better off with a third-party signed cert, i.e. comodo.com or the like? Saves the hassle of setting up your own CA and would mean certified offsite use with browsers.
Ok that being said could I get away without a CA on premises?
Asker-certified solution by Leon Fester (answer text not included on this page).
This question was classified as abandoned and closed as part of the Cleanup Program.