ITdiamond
asked on
Can I migrate Enterprise Root CA during the day, or is this an after hours project?
I need to move my Root CA off of a 2003 R2 Domain controller and onto a 2008 R2 domain member server.
Because the new server has a different name than the old server, I am going to try the steps outlined in this article:
http://smtpport25.wordpress.com/2010/01/16/migrating-windows-certificate-authority-server-from-windows-2003-standard-to-windows-2008-enterprise-server/
I've read through it and it's pretty straightforward. I've backed up the 2003 R2 CA database and exported the registry. I'm at the step where I am to uninstall the CA role from the 2003 server.
HOWEVER, my question is, if I do this during the work day, wouldn't things break? I think the main purpose of the CA in our environment has to do with PEAP / wireless 802.1x authentication which right now 2003 IAS and 2008 NPS can both authenticate and handle these RADIUS requests from our Cisco WLC.
Nowhere do any of these articles or even the Microsoft articles state "WARNING: Do this after hours!!!" So what would you do?
ASKER
You are probably right, Spec01.
I'm just studying the procedure and ensuring all my backups are in place for now. I will wait until everyone leaves tonight to try this change.
The only thing that it might affect is authentication to the wireless network. I'm not 100% sure though because the CA was put in place to generate the certificate for that. The certificate has long been generated and is applied to clients and both the IAS server and NPS server (NPS takes over if IAS is down - eventually we will decommission IAS as it is Server 2003).
ASKER
Since I am moving it to a new server with a different name, to play it safe I think I will heed Spec01's advice.
Spaperov, good article and thanks for your input. I have to keep the current server online for a few more weeks as there are other services that will also need to be migrated off of it (DHCP, DNS). Eventually it will be demoted and reformatted with 2008 R2.
This is part of a 2003 to 2008 R2 domain migration. I'm migrating stuff into virtual servers in VMware, but when finished I will repurpose the current 2003 DC as a physical 2008 R2 DC so "all eggs are not in one basket".
Thanks everyone!
If you have gone through this procedure plenty of times and you know for a fact that "nothing" will break, then fine.
I just know that if something does break and several/all users cannot connect, etc., it is much easier to solve an issue without that much pressure.
Hope this helps!