Moving / Removing CA Role

Note: I took over this network 3 months ago so I have very little history or reasoning behind my findings, so keep that in mind.

I need to remove a Windows 2008 Standard 32-bit AD DC server from our domain so I can migrate to 2012 (all must be 64-bit). This server has the Certificate Authority (Local) role and there are active certs on the system. Is it really just as simple as backing up the CA, installing CA on another server and restoring the backup after shutting down the original?

There are CAROOT, CAISSUE and CACRL Windows 2008 servers already in place, but they are not AD DCs.

If I look at the issued certs for CAROOT they are all expired and it has not issued anything new since 2012. The Failed Requests are very old and nothing new there.

If I look at the issued certs for CAISSUE it has not issued a cert since 2012. However, it has a lot of failed requests that are recent for the reason "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file".

If I look at the CACRL server it appears to be just the web-front end.

Any help is appreciated, I'm willing to do an online session if someone wants to go that far to help.
netbones asked:
arnold commented:
First things first: Windows 2008 and 2012 can coexist. DC functionality is not dependent on 32/64-bit, i.e. a mix of 32-bit and 64-bit DCs is fine.
Are you considering virtualizing?
Yes, backup/restore of the CA is the general process of transferring.... You could demote the Win2k8 DC if you want your DCs to operate at the 2012 forest/domain level. You can then virtualize the Win2k8 CA and only bring it online when the intermediary/issuing CAs reach their certificate expiration dates, i.e.
Root CA: 10-year cert
Intermediate/subordinate/issuing CAs: 5-year certificates
Any other certificate being issued: 1- or 2-year certificates

Every 7-8 years the root CA should be renewed. Whether you use the same key or a new key will depend on your preference; at times, the recommendation is to use a new key after two renewals, i.e. the root CA will use a new key every 14-16 years and the intermediate/subordinate/issuing CAs will use a new key every 6-8 years.
Any other will depend on preference.


A CA can only issue certificates up until its own expiration date.
Is the Win2k8's CA certificate still valid?
Renew the certificate on the root CA.  Then you should be able to renew the certificates on the intermediaries/issuing CAs.
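The two checks arnold's answer turns on (is this host's CA certificate still inside its validity period, and does its chain to the root still verify) can be scripted rather than eyeballed in the MMC. The following is an added example, not code from the thread or from Microsoft; it is meant to be run locally on each CA host (CAROOT, CAISSUE and the 2008 DC) with local admin rights. It reads the AD CS registry values and the LocalMachine\My store and is read-only. The only assumption is that the AD CS role is installed and configured on the host where it runs.

```powershell
# Added example: report the validity of this host's CA certificate and chain,
# then list the most recent entries of the "Failed Requests" folder.

$confKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (-not (Test-Path $confKey)) {
    throw "No AD CS configuration on $env:COMPUTERNAME; this host is not a CA."
}

# 'Active' names the CA instance. Its subkey holds CACertHash, a multi-string of
# CA certificate thumbprints, one per renewal; the last entry is the current one.
$caName  = (Get-ItemProperty -Path $confKey -Name Active).Active
$hashes  = (Get-ItemProperty -Path (Join-Path $confKey $caName) -Name CACertHash).CACertHash
$current = (@($hashes) | Select-Object -Last 1) -replace '\s', ''

# The CA certificate (with its private key) lives in the machine's personal store.
# PowerShell's -eq on strings is case-insensitive, so hex case does not matter.
$caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $current }
if (-not $caCert) {
    throw "CA certificate $current is not in LocalMachine\My on $env:COMPUTERNAME."
}

$now = Get-Date

# Valid   : the CA certificate's own NotBefore/NotAfter window contains now.
# ChainOK : X509Certificate2.Verify() builds and validates the chain up to the
#           root, so an expired parent (e.g. the root on CAROOT, for the
#           subordinate on CAISSUE) makes this false even when Valid is true.
#           That combination matches the "not within its validity period"
#           failures the question describes.
$report = [pscustomobject]@{
    Host      = $env:COMPUTERNAME
    CAName    = $caName
    Subject   = $caCert.Subject
    Issuer    = $caCert.Issuer
    NotBefore = $caCert.NotBefore
    NotAfter  = $caCert.NotAfter
    DaysLeft  = [int]($caCert.NotAfter - $now).TotalDays
    Valid     = ($now -ge $caCert.NotBefore -and $now -le $caCert.NotAfter)
    ChainOK   = $caCert.Verify()
}
$report | Format-List

# The MMC's "Failed Requests" folder is certutil's LogFail view. Emitting it as
# CSV with a few columns makes the recent failures easy to line up with the
# NotAfter dates reported above.
certutil -view LogFail -out "Request.RequestID,Request.SubmittedWhen,Request.DispositionMessage" csv |
    Select-Object -Last 20
```

Run it on CAROOT first: if its own certificate shows Valid = False, renewing the root (as arnold suggests) has to happen before any subordinate renewal can succeed, because a subordinate's chain is only as good as the root that signed it.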
Leon Fester, Senior Solutions Architect, commented:
I need to remove a Windows 2008 Standard 32-Bit AD DC server from our domain so I can migrate to 2012 (all must be 64 bit).
First add the Windows 2012 DCs to the existing 2008 domain before removing any of the existing 2008 DCs. It's the simplest way to do the upgrade.

Is it really just as simple as backing up the CA, installing CA on another server and restoring the backup after shutting down the original?

Yes, the process to transfer CA roles is pretty simple, but not quite as simple as shutting down the old server. See the instructions for CA migration:
http://technet.microsoft.com/en-us/library/ee126170(v=ws.10).aspx

There is a CAROOT, CAISSUE and CACRL Windows 2008 servers already in place, but they are not AD DC's.

It is preferred that the CA role is not installed on the DC. So that shouldn't be too much of a concern.

It is possible that these CA's are setup for local developer and testing certs. I've done similar for development companies so that they can issue their own certs without impacting on production or waiting for service requests to be completed.

Follow the migration guide posted above and get the CA moved first.

That makes it easier to find out what is in use and what is just old/redundant/unused CA Servers. Then look at any remaining issues as a separate task.
Svet Paperov, IT Manager, commented:
There is a simple procedure for moving a Windows CA server to another machine. The most important point is keeping the same computer name as the old one. It would be wise to move them to a virtual machine that is not an AD DC at the same time.

Here is the procedure I have used to move the Root CA from a 2003 to 2008 R2: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_27052731.html#a35809229

If you need to know more about Windows Certification Authority, the following Microsoft book is the best tool in my opinion http://www.microsoft.com/learning/en-us/book.aspx?id=9549&locale=en-us (covering 2008 CA) or go to the Microsoft TechNet site about AD CS http://technet.microsoft.com/en-us/windowsserver/dd448615.aspx
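Both Leon Fester's linked migration guide and Svet Paperov's answer come down to the same backup, reinstall, restore sequence with the computer name preserved. The block below is an added example of that sequence as the commands are actually typed; it is not the thread's own script nor Microsoft's. Assumptions: the backup folder is C:\CABackup, the password is a placeholder, the new host is a 2012 member server (not a DC) that has been given the old CA host's computer name after the old host was shut down and its computer account cleaned up, and the CA being moved is an enterprise subordinate such as CAISSUE (for CAROOT use -CAType StandaloneRootCA or EnterpriseRootCA as appropriate).

```powershell
# Added example: move an AD CS CA to a new host of the same name by
# backup and restore. Run the first half on the old host, the second on the new.

# ---------- On the OLD (2008, 32-bit) CA host ----------
$backup = 'C:\CABackup'                     # assumed backup location
$pw     = 'ReplaceWithAStrongPassword'      # assumed; protects the CA key in the .p12

New-Item -ItemType Directory -Path $backup -Force | Out-Null
Stop-Service CertSvc                        # quiesce the database before backing it up

# certutil -backup writes <CAName>.p12 (CA certificate + private key) and a
# DataBase\ folder (ESE database and logs). -p supplies the .p12 password.
certutil -p $pw -backup $backup

# The CA's configuration (templates, CRL/AIA URLs, validity periods) is in the
# registry, not the database, so it has to be carried over separately.
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "$backup\CertSvc-Configuration.reg" /y

# CAPolicy.inf (if present) governs renewals; keep a copy of the published templates too.
if (Test-Path "$env:SystemRoot\CAPolicy.inf") { Copy-Item "$env:SystemRoot\CAPolicy.inf" $backup }
certutil -catemplates > "$backup\templates.txt"

# Copy $backup to the new host, then shut this host down. Keep it intact (do not
# demote or rebuild it) until the new CA is verified; it is the rollback path.

# ---------- On the NEW (2012, 64-bit) host, same computer name ----------
$backup = 'C:\CABackup'
$pw     = 'ReplaceWithAStrongPassword'
$p12    = Get-ChildItem "$backup\*.p12" | Select-Object -First 1

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Configure the role with the EXISTING CA certificate and key so the CA's
# identity (name, key, the Issuer on every certificate it has issued) is unchanged.
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CertFile $p12.FullName `
    -CertFilePassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
    -Force

Stop-Service CertSvc
certutil -f -p $pw -restore $backup         # restore the database over the fresh install
reg import "$backup\CertSvc-Configuration.reg"
Start-Service CertSvc

# Sanity checks before trusting the move:
certutil -cainfo                            # CA name, type and certificate chain
certutil -ping                              # the CA service answers RPC requests
certutil -view LogFail csv | Select-Object -Last 5
```

Two cautions the commands do not enforce: the registry export carries absolute paths and the host name, which is exactly why keeping the same computer name matters (otherwise every such value has to be edited before the import), and a CA whose own certificate has already expired will restore cleanly but still refuse to issue, so the validity of the CA certificate should be checked before the move rather than after.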
