

Can I migrate Enterprise Root CA during the day, or is this an after hours project?

Posted on 2012-08-24
Medium Priority
Last Modified: 2012-08-24
I need to move my Root CA off of a 2003 R2 Domain controller and onto a 2008 R2 domain member server.

Because the new server has a different name than the old server, I am going to try the steps outlined in this article:

I've read through it and it's pretty straightforward.  I've backed up the 2003 R2 CA database and exported the registry.  I'm at the step where I am to uninstall the CA role from the 2003 server.

HOWEVER, my question is, if I do this during the work day, wouldn't things break?  I think the main purpose of the CA in our environment has to do with PEAP / wireless 802.1x authentication which right now 2003 IAS and 2008 NPS can both authenticate and handle these RADIUS requests from our Cisco WLC.

Nowhere do any of these articles or even the Microsoft articles state "WARNING: Do this after hours!!!"  So what would you do?
Question by:ITdiamond
LVL 53

Expert Comment

by:Will Szymkowski
ID: 38330155
As I always like to say, "Ounce of prevention, pound of cure". From personal experience, if I have never made a specific change before in a production environment and I don't know exactly what the outcome will be, I would always recommend doing something like this after hours.

If you have gone through this procedure plenty of times and you know for a fact that "nothing" will break then fine.

I just know that if something does break and several/all users cannot connect etc it is much easier to solve an issue without that much pressure.

Hope this helps!

Author Comment

ID: 38330182
You are probably right Spec01.

I'm just studying the procedure and ensuring all my backups are in place for now.  I will wait until everyone leaves tonight to try this change.

The only thing that it might affect is authentication to the wireless network.  I'm not 100% sure though because the CA was put in place to generate the certificate for that.  The certificate has long been generated and is applied to clients and both the IAS server and NPS server (NPS takes over if IAS is down - eventually we will decommission IAS as it is Server 2003).
LVL 20

Assisted Solution

by:Svet Paperov
Svet Paperov earned 200 total points
ID: 38330223
It’s a very good article.

I did a similar migration during the work hours without any problems. The only difference was I did keep the same server name as recommended by Microsoft. You can find the steps I performed here: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_27052731.html

The issue you will probably have with replacing the name of the server is reissuing of the certificates.

Good luck!
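The question of what breaks while the CA role is uninstalled, and Svet's point that a renamed CA forces certificates to be reissued, both come down to the same pre-flight checks: a verified backup, knowing which CDP/AIA URLs are baked into the certificates already in use by the wireless clients and the IAS/NPS servers, and knowing how long the currently published CRL stays valid while the CA is offline. The following script is an added example and is not from the thread or from the article the asker is following; it assumes it runs on the existing 2003 R2 CA host with certutil.exe available and PowerShell 2.0 installed, that the CA publishes its CRL to the default CertEnroll folder, and that `D:\CABackup` and `C:\temp\nps-server.cer` (the RADIUS server's certificate exported as a .cer file) are placeholders for your own paths.

```powershell
# Added pre-migration check, not part of the original thread.
# Assumes: run as a local administrator on the current CA host,
# certutil.exe in PATH, CRL published to the default CertEnroll folder.
$BackupDir = 'D:\CABackup'                 # assumption: backup destination
$ServerCert = 'C:\temp\nps-server.cer'     # assumption: exported NPS/IAS server certificate

# 1. Full CA backup (database and private key) plus the CertSvc registry configuration.
#    This is the state the new server is restored from.
certutil -backup $BackupDir
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CertSvc-Configuration.reg"

# 2. Where do already-issued certificates tell clients to fetch CRLs and CA certificates?
#    These URLs usually embed the old server name, which is what a rename breaks.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# 3. Existing certificates keep working while the CA is down; the published CRL
#    passing its NextUpdate time is what makes revocation-checking clients fail.
$crl = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" | Select-Object -First 1
$dump = certutil -dump $crl.FullName
$nextUpdate = ($dump | Select-String 'NextUpdate:' | Select-Object -First 1).Line -replace '.*NextUpdate:\s*', ''
"CRL file   : $($crl.FullName)"
"NextUpdate : $nextUpdate"
"Now        : $(Get-Date)"

# 4. Publish a fresh CRL immediately before uninstalling the role so the offline window
#    is as wide as the CRL period allows.
certutil -crl

# 5. Confirm the chain the PEAP clients and the RADIUS servers rely on still builds,
#    including CDP/AIA retrieval over the published URLs.
certutil -verify -urlfetch $ServerCert
```

Step 3 is the answer to "wouldn't things break during the day": if NextUpdate is comfortably later than the planned cutover plus a margin, existing PEAP sessions and the server certificate on IAS/NPS keep validating while the CA is uninstalled. Step 2 is what drives Svet's reissue warning: certificates whose CDP/AIA point at the old hostname keep working only as long as something still answers at that name, so either the old name stays resolvable and serving the CRL until those certificates are replaced, or the certificates are reissued from the new CA.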
LVL 53

Accepted Solution

Will Szymkowski earned 800 total points
ID: 38330225
The document that you have posted looks good and should do the trick. Operations from a system change standpoint can seem quite straightforward. It's usually an unidentified item specific to an organization which will cause any issues.

I would do it after hours to be on the safe side.


Author Comment

ID: 38330268
Since I am moving it to a new server with a different name, to play it safe I think I will heed Spec01's advice.

Spaperov, good article and thanks for your input.  I have to keep the current server online for a few more weeks as there are other services that will also need to be migrated off of it (DHCP, DNS).  Eventually it will be demoted and reformatted with 2008 R2.

This is part of a 2003 to 2008 R2 domain migration.  I'm migrating stuff into virtual servers in VMware, but when finished I will repurpose the current 2003 DC as a physical 2008 R2 DC so "all eggs are not in one basket".

Thanks everyone!
