polarstar
Do I need to migrate our CA?
We are in the process of retiring our last 2003 DC so that we can move to a 2008 DFL and FFL. In attempting to demote our 2003 DC, it is telling me that I need to remove the CA from it. No one is quite sure why we have a CA installed, and I am not sure we are using it at all. I have pulled the current active certs issued by it, and they are mostly EFS and a few DC certs. The question that I have is twofold:
1. Is it in our best interest to migrate this over to the new 2008 DC, following this guide?
http://technet.microsoft.com/en-us/library/ee126140%28WS.10%29.aspx#BKMK_AddCAbySM
Or, can I simply remove CS from 2003 and create a new one in 2008 and request new certs for all of these things?
2. Do we in fact actually need a CA for normal DC communications? My understanding is no, we do not. And unless we want to issue certs for things or request EFS certs, it is not needed, and I can simply remove CS from this and not even bother setting it up on the new one.
Thank you for your time,
Polarstar
ASKER
Backed up the CA and removed it yesterday. Got about three or four KDC errors. But nothing major.
If you already have a win2k8 hyper-v, you can virtualize the root CA server and restore it from the backup.
While there are few certs issued, I would not risk the possibility that the removal of the CA may have an adverse impact on the environment.