?
Solved

Do I need to migrate our CA?

Posted on 2013-06-27
3
Medium Priority
?
344 Views
Last Modified: 2013-06-28
We are in the process of retiring our last 2003 DC so that we can move to a 2008 DFL and FFL. In attempting to demote our 2003 DC it is telling me that I need to remove the CA from it. No one is quite sure why we have a CA installed, I am not sure we are using it at all. I have pulled the current active certs issued by it, and they are mostly EFS and a few DC certs. Question that I have is two fold:

1. Is it in our best interest to migrate this over to the new 2008 DC, following this guide?

http://technet.microsoft.com/en-us/library/ee126140%28WS.10%29.aspx#BKMK_AddCAbySM

Or, can I simply remove CS from 2003 and create a new one in 2008 and request new certs for all of these things?

2. Do we in fact actually need a CA for normal DC communications? My understanding is no, we do not. And unless we want to issue certs for things or request EFS certs, it is not needed, and I can simply remove CS from this and not even bother setting it up on the new one.

Thank you for your time,

Polarstar
certs.PNG
0
Comment
Question by:polarstar
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 40

Accepted Solution

by:
footech earned 1500 total points
ID: 39283085
If the certs are being used you can make a case for migrating it.  Since you don't seem to have that many, it'd probably be about the same amount of work to migrate as it would to set up a new one and issue certs.

No, certs are not needed for basic DC communications.

People can still use EFS without a CA set up, they just use a self-signed cert instead.  If I remember right, the advantage of having the CA in this case is to be able to recover by an admin.  I'm not familiar enough with the feature to be able to describe it very well.

I noticed web server certs in your screenshot, those are probably the ones I take the closest look at for usage.
0
 
LVL 79

Expert Comment

by:arnold
ID: 39283296
You can backup the existing cA, and then restore it on a win2k8 ca.
If you already have a win2k8 hyper-v, you can virtualized the root CA server and restore it from the backup.

While there are few certs issued, I would not risk the possibility that the removal of the CA may have an adverse impact on the environment.
0
 

Author Closing Comment

by:polarstar
ID: 39284738
Backed up the CA and removed it yesterday. Got about three or four KDC errors. But nothing major.
0

Featured Post

Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
Suggested Courses
Course of the Month15 days, 14 hours left to enroll

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question