arakis
asked on
Windows CA Removal & Re-installation
Hi All,
We have a Windows 2008 CA server which we intend to remove and re-install CA onto a 2012 box.
Decided to go for non-migration approach as new server will have different name to existing server and we don't particularly like the naming scheme of the existing root-ca.
Can currently see certificates issued for Basic EFS, SubCA, Domain Controller, User and WebServer so would someone be able to check my logic on the list below and confirm if I'm wrong?
1. Basic EFS - Only a problem if the users have encrypted files. I've checked and they haven't
2. SubCA - Can be replaced. (in our case only issued to one device for SSL passthrough)
3. Domain Controller - Auto enrolled so if not available will not be a problem. Once new CA setup new certs will be auto-created.
4. User - In our case only issued for a few users and can be replaced.
5. Webservers - Can be replaced.
My main concern is the certs issued to the Domain Controllers - is my point 3. correct?
Our plan is as follows - backup existing CA, uninstall on 2008 box, add roles on 2012 box creating new root CA.
Would appreciate any advice from someone who has carried out a similar task or can see a glaring mistake I'm about to make.
Thanks,
R
We have a Windows 2008 CA server which we intend to remove and re-install CA onto a 2012 box.
Decided to go for non-migration approach as new server will have different name to existing server and we don't particularly like the naming scheme of the existing root-ca.
Can currently see certificates issued for Basic EFS, SubCA, Domain Controller, User and WebServer so would someone be able to check my logic on the list below and confirm if I'm wrong?
1. Basic EFS - Only a problem if the users have encrypted files. I've checked and they haven't
2. SubCA - Can be replaced. (in our case only issued to one device for SSL passthrough)
3. Domain Controller - Auto enrolled so if not available will not be a problem. Once new CA setup new certs will be auto-created.
4. User - In our case only issued for a few users and can be replaced.
5. Webservers - Can be replaced.
My main concern is the certs issued to the Domain Controllers - is my point 3. correct?
Our plan is as follows - backup existing CA, uninstall on 2008 box, add roles on 2012 box creating new root CA.
Would appreciate any advice from someone who has carried out a similar task or can see a glaring mistake I'm about to make.
Thanks,
R
ASKER
Hi Mahesh,
Thanks for the feedback.
Are you certain you can have two CA Roots in the same AD? I thought you could only have one root CA role per AD domain?
Thanks again,
R.
Thanks for the feedback.
Are you certain you can have two CA Roots in the same AD? I thought you could only have one root CA role per AD domain?
Thanks again,
R.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi Mahesh,
OK thanks for the pointers. I will setup the new 2012Root CA before decommissioning the old one.
Thanks again,
R.
OK thanks for the pointers. I will setup the new 2012Root CA before decommissioning the old one.
Thanks again,
R.
There is no dependency between CA servers.
In case of basic EFS, I suggest you to export those certificates with private key prior to demotion of windows 2008 CA as a safety measure.
In case of Domain Conntrollers auto enrolled certificates, new CA will take care of them if it is AD integrated.
you can revoke existing DC certificates if wanted to prior to demotion of 2008 CA OR you can simply delete those certificates from domain controllers post CA demotion.
Your plan seems to be perfect.
I have migrated windows 2008 CA to Windows 2012 server by keeping same hostname and obviously without changing CA name (You cannot change CA name).
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
Hope that helps