Solved

Domain Controller with Certificates of Authority needs replacing, how to move

Posted on 2013-12-04
7
452 Views
Last Modified: 2013-12-30
Hello EE,

We have a DC that is our certificate holder and I now need to move these all to the new DC that will be replacing it. I have never done this and am wondering: is this how others do it, with certificates on one server (what if it crashes)? I am going from 2003 to 2012 and any guidance on how to move and set this up would be great.

thanks!
Question by:bergquistcompany
7 Comments
 
LVL 6

Expert Comment

by:donnk
Get a complete new set for the new server and leave the ones on the old server. New ones will have new names.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
You can use the guide below for CA migration from 2003 to 2012:
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx

I am just outlining the high-level steps here:

Back up the 2003 CA certificate with its database and registry.
Uninstall the CA server role from 2003.
Now you can demote the server to a member server.
Shut down the server for the time being.
Prepare a 2012 member server \ ADC with the same hostname as the old CA (DC) server.
Install the CA role with the existing certificate (from the certificate backup taken above) on the 2012 server.
Restore the CA database backup taken above from the CA console on the 2012 server.
Check that the CRL and AIA entries in Active Directory Sites and Services are appropriate, as your source and destination CA server hostnames are the same.

Note: Do not change the CA server (ADC) hostname, otherwise your existing issued certificates will not be able to check the CRL.
Once you are sure that the new CA is working as expected, you can use the old 2003 machine for another purpose with a different hostname.
Because if you face any issues on the new CA, you can just uninstall CA from the new server, rename it to some new name, start your old CA server, install the CA role and just restore the CA backup, and you will be back in business.
Also, you cannot change the CA common name in AD.

One suggestion: if possible, avoid installing the CA server on a DC so that in future, if you want to rename \ demote the DC, it is possible.
Because if you install the CA on a DC, you cannot rename or demote the DC unless you uninstall the CA server role.

Mahesh
0
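The backup and restore phases of the procedure above, as an added PowerShell example (not from the original thread, Microsoft, or the linked guide). It uses certutil and reg.exe in place of the CA console; the backup folder and phase names are assumptions, and the same two phases apply to the template-repair steps Mahesh gives later in the thread.

```powershell
# Added example: CA backup on the old server, restore on the new one.
# Run elevated on the CA server. $BackupDir is an assumed location that is
# copied (or shared) to the new 2012 server between the two phases.
param(
    [Parameter(Mandatory)][ValidateSet('Backup','Restore')][string]$Phase,
    [string]$BackupDir = 'C:\CABackup'
)
$regKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

if ($Phase -eq 'Backup') {
    # Old 2003 CA: export the CA certificate + private key (PFX) and the database.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $pfxPwd = Read-Host 'Password to protect the exported CA private key'
    certutil -p $pfxPwd -backup $BackupDir
    if ($LASTEXITCODE -ne 0) { throw 'certutil -backup failed' }
    # Export the CertSvc configuration (CA type, CRL/AIA publication paths, ...).
    reg export $regKey (Join-Path $BackupDir 'CertSvc-Configuration.reg') /y
    if ($LASTEXITCODE -ne 0) { throw 'registry export failed' }
    # Protect the folder: it now holds the CA private key.
    Get-ChildItem $BackupDir -Recurse | Select-Object FullName, Length
}
else {
    # New 2012 server (same hostname), after the CA role was installed with the
    # "existing certificate" option using the PFX from $BackupDir.
    $dbDir = Join-Path $BackupDir 'DataBase'
    if (-not (Test-Path $dbDir)) { throw "No DataBase folder found in $BackupDir" }
    net stop certsvc
    certutil -f -restoredb $BackupDir
    if ($LASTEXITCODE -ne 0) { throw 'certutil -restoredb failed' }
    # Caveat: the .reg file carries the old server's paths (e.g. DBDirectory).
    # Review it before importing if the new server uses a different layout.
    reg import (Join-Path $BackupDir 'CertSvc-Configuration.reg')
    net start certsvc
    # Sanity checks: configuration readable and a CRL can be published.
    certutil -cainfo
    certutil -crl
    if ($LASTEXITCODE -ne 0) { throw 'CRL publication failed; check CDP paths' }
}
```

Delete the backup folder (or move it to offline, access-controlled storage) once the new CA has been verified, since the PFX inside it is the CA's signing key.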
 
LVL 13

Expert Comment

by:Jaihunt
0
 

Author Comment

by:bergquistcompany
Is there a way to have this at an enterprise level, so that if machines come and go no one machine holds all the certificates and you run into this?

Also, from the video it appears you want to name the new DC the same as the old, but @MaheshPM you indicate not to?

I understand this appears easier than reissuing certificates under the new server name starting from scratch. How do I confirm if my DC is a Root and Issuing CA, as it appears there are 2 procedures for that?
0
 
LVL 35

Expert Comment

by:Mahesh
Also, from the video it appears you want to name the new DC the same as the old, but @MaheshPM you indicate not to?

I mentioned in my earlier comment that you should keep the new and old CA server hostnames the same, and you cannot rename the CA common name in AD.
I also mentioned the impact if you do change the CA server name.

Is there a way to have this at an enterprise level, so that if machines come and go no one machine holds all the certificates and you run into this?

I am not able to understand what you are trying to say.
Can you explain it, please?

Lastly, just open the CA certificate and in the certificate properties check the certification path to see whether a certificate chain exists.
If you find only one certificate in the chain, then it is the root CA, or
if you find a certificate chain, then the topmost certificate is the root CA.

Mahesh
0
 

Author Comment

by:bergquistcompany
@donnk - what are the benefits of this? Wouldn't we need to purchase to add to this server?

@MaheshPM - OK, we have a standard (not enterprise root CA), so as I understand your steps: backing up, uninstalling the role, demoting, and preparing the new DC with the same name and restoring.
1. Should the new machine have the same name? Want to confirm your comment vs. the video.

One question: if I choose to put this on a member server, as you mention it's best not to be on a DC, is it more challenging to put it on a machine with a different name? I'm guessing it would be, as donnk said, in having a totally second copy? Thus ideally, if I understand, backup and restore to a 2012 member server (non-DC) would be best?

CA (Local)
   CHDC1
        Revoked
         Issued
         Pending
         Failed
         Certificate Templates - could not be loaded.  Element not found.

Does this mean I have a stand-alone root CA? Is there a better option for a network where, as servers come and go, the CA is centralized on multiple servers so if one goes the others have it?
0
 
LVL 35

Expert Comment

by:Mahesh
Your questions:
1. Should the new machine have the same name? Want to confirm your comment vs. the video.
Yes, both machine hostnames should be the same. This will ensure that already issued certificates remain intact, as the CA server hostname is hardcoded in the CRL and AIA of issued certificates, and if you restore the CA on a server having a different hostname, those certificates will be unable to update the CRL and unable to check CA authenticity, and you will need to issue new certificates to them.

Thus ideally, if I understand, backup and restore to a 2012 member server (non-DC) would be best?
Yes, you should restore it on a 2012 member server with the same hostname as the old one.

Does this mean I have a stand-alone root CA? Is there a better option for a network where, as servers come and go, the CA is centralized on multiple servers so if one goes the others have it?
Check the registry key below on the CA server to identify whether it is running an Enterprise root CA or a Standalone root CA:
http://www.systemcentercentral.com/how-to-determine-the-type-of-certificate-authority-ca-you-have/
Because, as far as I know, a Standalone root CA doesn't have this folder. If you are able to see this folder, it most probably means it is an enterprise CA but having some issue with the templates container.
Please confirm.

Normally if you have a big setup, you can deploy a standalone root CA and then deploy multiple subordinate enterprise root CA (AD integrated) servers which will issue certificates to clients. In such cases the Standalone root CA will be taken offline as a best practice and brought online only when you want to renew subordinate CA certificates.

If you want, you can deploy multiple root certificate authorities in a given domain.
You can install a combination of Standalone root CA + Enterprise root CA if wanted.

I don't think you will require an offline root CA setup with an enterprise subordinate root CA.
Your best option is to deploy an enterprise root CA.
In your case one of the good options is to restore it on a new server with the same hostname.

Just check from the above link what type of CA you have. How many certificates have you issued through this CA server?
If it is very few, just check each computer that has these certificates and find out if they are useful.
If they are not in use, just install a new AD integrated Enterprise root CA on a new member server.

Lastly, if your CA is a standalone root CA, then there is no problem. First, just migrate this CA to a new member server with the same hostname, and later install a subordinate enterprise root CA if wanted.

If you have an Enterprise root CA and are facing issues with certificate templates ("Certificate Templates - could not be loaded. Element not found") as per your comment, then you can try the steps below:
Just take a backup of the CA server with registry (this will export the CA database and certificate with private key).
Uninstall the CA server role.
Reboot the server.
Reinstall the CA server role with the existing certificate option and select the certificate exported above.
Now check if you can view all certificate templates.
Now restore the CA database and you will be back in business.
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx

Hope this helps and clears all questions.

Mahesh
0
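An added PowerShell check (not from the original thread or the linked article) that answers the two identification questions above in one go: it reads the CA type from the CertSvc registry configuration and tests whether the CA certificate is self-signed, which is the "one certificate in the chain" case Mahesh describes. It assumes it runs on the CA server itself and that the CAType value uses the CertSrv enumeration (0 = Enterprise Root, 1 = Enterprise Subordinate, 3 = Standalone Root, 4 = Standalone Subordinate).

```powershell
# Added example: identify CA type and root/subordinate status on the CA server.
# Assumption: CAType follows the CertSrv enumeration listed in the lead-in.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$caKey  = Join-Path $cfg $caName
$caType = [int](Get-ItemProperty -Path $caKey -Name CAType).CAType

$typeNames = @{
    0 = 'Enterprise Root CA'
    1 = 'Enterprise Subordinate CA'
    3 = 'Standalone Root CA'
    4 = 'Standalone Subordinate CA'
}
$typeText = if ($typeNames.ContainsKey($caType)) { $typeNames[$caType] }
            else { "Unknown CAType value $caType" }

# The CA's own certificate lives in the machine store; a self-signed one
# (Subject equals Issuer) means this CA is the top of the chain, i.e. a root.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$caName" -or $_.Subject -like "CN=$caName,*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw "CA certificate for '$caName' not found in LocalMachine\My" }
$isSelfSigned = ($caCert.Subject -eq $caCert.Issuer)

# CRL and AIA publication URLs embed the hostname; this is why the thread
# insists the replacement server keeps the same name.
$cdp = (Get-ItemProperty -Path $caKey -Name CRLPublicationURLs).CRLPublicationURLs
$aia = (Get-ItemProperty -Path $caKey -Name CACertPublicationURLs).CACertPublicationURLs
$hostRefs = @($cdp + $aia) | Where-Object { $_ -match [regex]::Escape($env:COMPUTERNAME) }

[pscustomobject]@{
    CAName            = $caName
    CAType            = $typeText
    SelfSignedRoot    = $isSelfSigned
    CertThumbprint    = $caCert.Thumbprint
    CertExpires       = $caCert.NotAfter
    Hostname          = $env:COMPUTERNAME
    UrlsUsingHostname = $hostRefs.Count
}
```

If `UrlsUsingHostname` is greater than zero, renaming the server would break CRL and AIA lookups for already issued certificates, which is the failure mode Mahesh warns about.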
