Solved

migrate Certificate autority to different server

Posted on 2013-01-04
7
647 Views
Last Modified: 2013-01-06
I want to migrate my CA - windows 2003R2 to the new server with different name, preferable windows 2008 or windows 2012. Could you tell me Is this  possible and how to do it.
I already tried searching in the net about some articles but all of them are giving the instruction how to move to different server with the same name.  In all of the instructions is written change the name of the old one and use the name in the new server.
Here is one of the article direct from microsoft.
http://support.microsoft.com/kb/298138.

Also do you have any problem migrating from 32bit to 64bit windows.
According to the article :"Moving Certificate Services from a 32-bit operating system to a 64-bit operating system or vice-versa may fail with one of the following error messages"
Which let me to think that windows 2008R2 and windows 2012 are only 64bit, and my windows 2003R2 is 32bit.
0
Comment
Question by:dedri
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 30

Expert Comment

by:IanTh
ID: 38743962
0
 
LVL 20

Expert Comment

by:Svet Paperov
ID: 38744828
Yes, it’s possible. I’ve already done it: moved Root CA from Windows Server 2003 Enterprise to Windows Server 2008 R2 Enterprise.

The most important step, if you want to keep your issued certificates, is to reuse the computer name.

Please, see my accepted solution below:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_27052731.html
0
 

Author Comment

by:dedri
ID: 38745510
spaperov, the problem is that there is a lot of roles on this server - it's a domain controller,certificate authority server, dns server,etc..
My intention is to move the the roles to different server, and because the name of the server is domaincontroller1.mycompany.com I decided to move the CA role to different server.
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 20

Expert Comment

by:Svet Paperov
ID: 38745745
From the link http://support.microsoft.com/kb/298138 you mentioned in your question:
Note: The new server must have the same computer name as the old server.

If you don’t want to keep the same computer name, it will be like setting up a completely new CA for your domain. That means you will have to reissue and replace all certificates from the previous CA and, once the old CA has been removed, the applications won’t be able to validate the old certificates.

What is the CA used for?
0
 

Author Comment

by:dedri
ID: 38746564
it's used mainly for web server certificates for our  internal web  servers.
0
 
LVL 20

Accepted Solution

by:
Svet Paperov earned 450 total points
ID: 38746761
Then you are safe to replace the CA. However, you will have to decommission the old CA first before setting up the new one. I’ve never done it, but this might help: http://support.microsoft.com/kb/889250

Some suggestions about the new CA:
•      Install it on a dedicated server and select the name carefully; do not mix it with Domain controllers or other roles
•      Deploy the Root CA as a virtual server in your favorite virtual environment: you won’t be required to migrate the CA often – you could just move the VM from one server to another; Microsoft publishes security updates for at least 10 years after the lifecycle start date http://support.microsoft.com/lifecycle/
•      If you select Windows Server 2008, use Enterprise edition to have all features available
•      Windows Server 2012 may be better and less expensive solution because all CA features are now available with all editions, including Essentials (there are some limitations in the lower-than-standard editions, so you might want to verify that with your sales representative)  

http://www.techrepublic.com/blog/networking/deploy-a-private-ca-with-windows-server-2012/6043
http://technet.microsoft.com/en-us/library/hh831740.aspx


The name of the server is very important in case you want to implement digital signatures and encryption in the future.
0
 
LVL 5

Assisted Solution

by:balmasri
balmasri earned 50 total points
ID: 38746790
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question