Can I migrate Enterprise Root CA during the day, or is this an after hours project?

Posted on 2012-08-24
Last Modified: 2012-08-24
I need to move my Root CA off of a 2003 R2 Domain controller and onto a 2008 R2 domain member server.

Because the new server has a different name than the old server, I am going to try the steps outlined in this article:

I've read through it and it's pretty straightforward. I've backed up the 2003 R2 CA database and exported the registry. I'm at the step where I am to uninstall the CA role from the 2003 server.

HOWEVER, my question is, if I do this during the work day, wouldn't things break?  I think the main purpose of the CA in our environment has to do with PEAP / wireless 802.1x authentication which right now 2003 IAS and 2008 NPS can both authenticate and handle these RADIUS requests from our Cisco WLC.

Nowhere do any of these articles or even the Microsoft articles state "WARNING: Do this after hours!!!" So what would you do?
Question by:ITdiamond
    LVL 53

    Expert Comment

    by:Will Szymkowski
    As I always like to say, "Ounce of prevention, Pound of Cure". From personal experience, if I have never made a specific change before in a production environment and I don't know exactly what the outcome will be, I would always recommend doing something like this after hours.

    If you have gone through this procedure plenty of times and you know for a fact that "nothing" will break then fine.

    I just know that if something does break and several/all users cannot connect, etc., it is much easier to solve an issue without that much pressure.

    Hope this helps!

    Author Comment

    You are probably right Spec01.

    I'm just studying the procedure and ensuring all my backups are in place for now.  I will wait until everyone leaves tonight to try this change.

    The only thing that it might affect is authentication to the wireless network.  I'm not 100% sure though because the CA was put in place to generate the certificate for that.  The certificate has long been generated and is applied to clients and both the IAS server and NPS server (NPS takes over if IAS is down - eventually we will decommission IAS as it is Server 2003).
    LVL 20

    Assisted Solution

    by:Svet Paperov
    It’s a very good article.

    I did a similar migration during the work hours without any problems. The only difference was I did keep the same server name as recommended by Microsoft. You can find the steps I performed here:

    The issue you will probably have with replacing the name of the server is reissuing of the certificates.

    Good luck!
    LVL 53

    Accepted Solution

    The document that you have posted looks good and should do the trick. Operations from a system change standpoint can seem quite straightforward. It's usually an unidentified item specific to an organization which will cause any issues.

    I would do it after hours to be on the safe side.


    Author Comment

    Since I am moving it to a new server with a different name, to play it safe I think I will heed Spec01's advice.

    Spaperov, good article and thanks for your input.  I have to keep the current server online for a few more weeks as there are other services that will also need to be migrating off of it (DHCP, DNS).  Eventually it will be demoted and reformatted with 2008 R2.

    This is part of a 2003 to 2008 R2 domain migration.  I'm migrating stuff into virtual servers in VMware, but when finished I will repurpose the current 2003 DC as a physical 2008 R2 DC so "all eggs are not in one basket".

    Thanks everyone!
