Solved

CA Migration from 2003 to 2008

Posted on 2012-03-19
Last Modified: 2015-05-26
I had a 2003 network that was upgraded to 2008. The only 2003 server left is a domain controller which also is the CA for the domain. I need to move the CA to a 2008 server and decommission the 2003 server. I have 2 domain controllers and a member server that is running SQL services. I cannot rename any of the servers due to the current infrastructure. Can anyone point me in the direction of how to accomplish this and any suggestions as to whether I should install on one of the DC's or install on the member server. The new servers all have unique names.
Question by:CNEAdmin
17 Comments
 
LVL 38

Expert Comment

by:Adam Brown
If you can't rename the new server to be the same as the old server, you can't actually migrate while keeping your existing Key Infrastructure. You would need to decommission the CA Services on the old servers and install a new CA and re-issue your certificates.
 
LVL 7

Expert Comment

by:ashutoshsapre
If you want your existing certificate infrastructure to keep working, then I would suggest you export the CA configuration, DCpromo the server, upgrade the 2003 server to 2008 (perform a fresh install if you want), keep the name of the server the same as before, DCpromo again and then import the configuration.
 
You HAVE to keep the new 2008 server name the same as the existing 2003 CA server, else nothing will work. You can refer to the following link for the steps for migration:

Link : Move Root Certificate Authority from Windows Server 2003 to Windows Server 2008

Make sure that you take a Full Backup of the server and only after that proceed with the migration.
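The backup half of the same-name migration described above, as an added example that is not from the thread or from the linked guide: it uses certutil and reg.exe, which are the documented AD CS backup tools, and assumes backup folders C:\CABackup and C:\CABackup-config and that PowerShell is present on the 2003 CA (otherwise the same certutil/reg commands can be typed into cmd).

```powershell
# Added example: back up an AD CS CA so it can be restored onto a rebuilt
# server that keeps the SAME host name and CA name. Run elevated on the old CA.
# Assumption: C:\CABackup (must be empty; certutil insists) and a sibling
# C:\CABackup-config for the pieces certutil does not capture.
$BackupDir = 'C:\CABackup'
$ConfigDir = 'C:\CABackup-config'
New-Item -ItemType Directory -Path $BackupDir, $ConfigDir -Force | Out-Null

# CA database, log files and the CA certificate WITH its private key (PFX,
# written as <CAName>.p12). The password protects that key file and is
# needed again when the role is installed on the new server.
$PfxPassword = Read-Host 'Password to protect the exported CA key'
certutil -p $PfxPassword -backup $BackupDir

# Record the CA name and published templates: the rebuilt CA must be
# installed with exactly this CA name or issued certs will not chain to it.
certutil -cainfo name | Out-File "$ConfigDir\ca-name.txt"
certutil -catemplates | Out-File "$ConfigDir\ca-templates.txt"

# CRL/AIA publication paths, validity periods and other settings live in the
# registry, not in the database; export them so the new CA publishes the
# same CDP/AIA URLs that existing certificates already point at.
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration `
    "$ConfigDir\CertSvc-Configuration.reg"

# CAPolicy.inf (if present) carries renewal/policy settings for the CA cert.
if (Test-Path "$env:SystemRoot\CAPolicy.inf") {
    Copy-Item "$env:SystemRoot\CAPolicy.inf" $ConfigDir
}

# ---- On the rebuilt 2008 server (same host name, AD CS role installed with
# ---- "use existing private key" pointed at C:\CABackup\<CAName>.p12):
#   net stop certsvc
#   certutil -p <password> -restore C:\CABackup
#   reg import C:\CABackup-config\CertSvc-Configuration.reg
#   net start certsvc
#   certutil -cainfo        # confirm the CA name and certificate match
#   certutil -crl           # publish a fresh CRL from the restored CA
```

Do the restore before DCpromo'ing the new box back if you intend to keep the CA on a DC; the registry import overwrites the database paths, so check them with `certutil -getreg` if the new server uses a different drive layout.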
 
LVL 16

Expert Comment

by:Syed_M_Usman
I am not an expert in CA migration, but I would suggest not installing the CA on a DC, for the following reasons:

1- Administration of certain CA functions requires a local administrator, and this becomes an issue on a Domain Controller.

2- If you want to publish your CRLs externally, that DC will be internet facing and this could be a very big security risk.

3- If you want to decommission the Domain Controller (for any reason), you will first have to go through the procedure of moving the CA before decommissioning.

Good luck....
 
LVL 3

Expert Comment

by:rafter81
Syed_M_Usman is correct - it is not advisable anymore to install CAs on domain controllers.  They should be on their own member server.

We started a new certificate infrastructure when upgrading to 2008, and aged and revoked the old one out.  It's nice and clean that way :)
 
LVL 26

Expert Comment

by:Leon Fester
Check instructions from Microsoft:
How to upgrade/migrate a CA.
http://technet.microsoft.com/en-us/library/cc742388(v=ws.10).aspx
It covers the following scenarios:

Hardware change
Host name change
CA type change
Domain membership change
Move a CA on a domain controller to a CA on a domain member (demoting a domain controller)
Move a CA on a domain controller to a CA on a different computer (migrating a CA)
In-place upgrade of Windows Server 2003 to Windows Server 2008
In-place upgrade from Windows Server 2008 Standard to Windows Server 2008 Enterprise
 

Author Comment

by:CNEAdmin
Rafter81, what do you mean you started a new certificate infrastructure? You revoked all outstanding certs and installed the CA role on a new server without restoring any certs? I have attached an image of the current issued certs. Maybe this will help with which way I should proceed. The certificate for the 2010 Exchange server is self-issued and not from the current CA. I have not worked with CA extensively and am hesitant to move forward as I do not know what I could possibly break. Should this be done over a weekend as well instead of during normal operating hours?
Capture.PNG
 
LVL 38

Expert Comment

by:Adam Brown
Replacing your CA Infrastructure won't *break* anything, really. It will just invalidate the existing certificates (except for self-signed and third party) and they'll need to be re-issued using the new infrastructure. The purpose of a CA is to have a certified source of certificates that is able to verify the identity of the servers that use its certificates. Having an invalid certificate won't break anything. SSL and TLS still work if the SSL certificate is invalid. It's just that you'll end up getting warnings when you attempt to establish a secure connection.
 

Author Comment

by:CNEAdmin
So doing this during normal business hours will not bring the network down and could possibly just throw an alert for workstations connecting back to the server? Thanks again for the information. Love EE!
 
LVL 38

Expert Comment

by:Adam Brown
It'll probably confuse your users a little bit, but they just have to click okay on any certificate warnings and things will work as normal.
 

Author Comment

by:CNEAdmin
Thanks I will look at working through this next week.
 
LVL 3

Expert Comment

by:rafter81
Yeah, you will be fine as long as you don't use certificates for authentication (i.e. wifi) or anything like that.  If you did, then you could set up the new CA, get that distributing the certs you need, then transfer your authentication over to this and revoke and decommission the old one. Otherwise, if they are just web certs the user may get an "issue with this cert" warning but nothing major.  LDAP using SSL domain certs may of course stop particular LDAP functions, but again it depends if you're using these, which not a lot of people do.
You won't break anything by bringing the new one online!
 

Author Comment

by:CNEAdmin
Based on rafter81's comments, is it necessary to have a CA in an enterprise domain if the only certs being used are those for Exchange and OWA? Meaning could I just decommission the current CA and not have to bother with setting a new one? I remember a best practice from MCSE 2003 was you could build a CA, create an image then put the image in a safe and take the physical CA offline only pulling it out when necessary to publish new certs. I may be a little off as that was around 6 years ago but I believe that is the method our instructor indicated is acceptable.
 
LVL 3

Expert Comment

by:rafter81
If you're just using it for OWA etc., wouldn't you be better off with a third-party signed cert, i.e. comodo.com or the like?  Saves the hassle of setting up your own CA and would mean certified offsite use with browsers..
 

Author Comment

by:CNEAdmin
Ok that being said could I get away without a CA on premises?
 
LVL 26

Accepted Solution

by:Leon Fester (earned 500 total points)
Yes you can get away without having a CA on your domain.
But you may get some loss of functionality relating to secured services/devices.
If you have no dependency/requirements for PKI then you can remove the CA.

http://www.petri.co.il/what_is_a_public_key_infrastructure_pki.htm
http://www.windowsecurity.com/articles/microsoft-pki-quick-guide-part1.html
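A way to check the "no dependency on PKI" condition in the accepted answer before switching the CA off, as an added example that is not from the thread: run it on each server to list unexpired certificates issued by the old CA and what they are used for. The CA common name 'Contoso-CA' is a placeholder; take the real value from `certutil -cainfo name` on the CA.

```powershell
# Added example: inventory certificates issued by the enterprise CA that are
# still valid on this host, so you know which services (IIS/OWA, LDAPS on a
# DC, RDP, 802.1X/EAP) would lose a trusted certificate if the CA goes away.
# Assumption: CA name 'Contoso-CA' is a placeholder for the real issuer CN.
$CAName = 'Contoso-CA'

function Get-CertsIssuedBy {
    param(
        [string]$IssuerCN,
        [string]$StorePath = 'Cert:\LocalMachine\My'   # machine personal store
    )
    Get-ChildItem $StorePath |
        Where-Object { $_.Issuer -like "*CN=$IssuerCN*" } |
        ForEach-Object {
            # The Enhanced Key Usage extension says what the cert is for
            # (Server Authentication, Client Authentication, ...). No EKU
            # extension at all means the cert is valid for any purpose.
            $eku = $_.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            $purposes = if ($eku) {
                ($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', '
            } else { '<any purpose>' }
            New-Object PSObject -Property @{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                Expires    = $_.NotAfter
                Expired    = ($_.NotAfter -lt (Get-Date))
                HasKey     = $_.HasPrivateKey   # with a key, this host PRESENTS it
                Purposes   = $purposes
            }
        }
}

Get-CertsIssuedBy -IssuerCN $CAName |
    Where-Object { -not $_.Expired } |
    Sort-Object Expires |
    Format-Table Subject, Purposes, Expires, HasKey -AutoSize

# Reading the output: a cert with HasKey = True and 'Server Authentication'
# is one a service here presents to clients (web, LDAPS, RDP); 'Client
# Authentication' with a key points at wifi/VPN (EAP) or smart-card logon,
# which is exactly the case rafter81 warns about. Cross-check against the
# CA's own record of issued certificates on the CA host:
#   certutil -view -restrict "Disposition=20" -out "RequestID,RequesterName,NotAfter,CertificateTemplate"
```

Repeat with `-StorePath 'Cert:\CurrentUser\My'` for user certificates (EFS, S/MIME, smart cards); an empty result on every host and an empty issued list on the CA is the evidence that nothing depends on it.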
 
LVL 34

Expert Comment

by:Seth Simmons
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.