bergquistcompany asked:
Domain Controller with Certificate Authority needs replacing: how to move?

Hello EE,

We have a DC that is our certificate holder and I now need to move these all to the new DC that will be replacing it.  I have never done this and am wondering: is this how others do it, with certificates on one server (what if it crashes)?  I am going from 2003 to 2012 and any guidance on how to move and set up would be great.

thanks!
donnk:

Get a complete new set for the new server and leave the ones on the old server. New ones will have new names.
ASKER CERTIFIED SOLUTION by Mahesh (content not shown on this page)
bergquistcompany (asker):
Is there a way to have this at an enterprise level, so that if machines come and go no one machine holds all the certificates and you don't run into this?

Also, from the video it appears you want to name the new DC the same as the old, but @MaheshPM you indicate not to?

I understand this appears easier than reissuing certificates under the new server name starting from scratch.  How do I confirm if my DC is a ROOT and Issuing CA, as it appears there are 2 procedures for that?
Mahesh:

Also, from the video it appears you want to name the new DC the same as the old, but @MaheshPM you indicate not to?

I mentioned in my earlier comment that you should keep the new and old CA server hostnames the same, and that you cannot rename the CA common name in AD.
I also mentioned the impact if you do change the CA server name.

Is there a way to have this at an enterprise level, so that if machines come and go no one machine holds all the certificates and you don't run into this?

I am not able to understand what you are trying to say.
Can you explain it, please?

Lastly, just open the CA certificate and, in the certificate properties, check the certification path to see whether a certificate chain exists.
If you find only one certificate in the chain, then it is a root CA; OR
if you find a certificate chain, then the topmost certificate is the root CA.

Mahesh
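The same "look at the certification path" check, done from PowerShell on the CA server instead of the certificate properties dialog. This is an added example and not code from the thread; it assumes the CA's own certificate is the one in LocalMachine\My whose subject CN matches the active CA name recorded under the CertSvc registry key (that lookup is an assumption, not something the thread states).

```powershell
# Added example (not from the original thread): tell a root CA from a subordinate CA by
# walking the CA certificate's chain, the check Mahesh describes doing in the GUI.
# Assumptions: runs on the CA server; the CA certificate is the LocalMachine\My certificate
# with a private key whose subject CN matches the active CA name in the CertSvc registry key.

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey).Active

# Pick the CA's own certificate from the machine store (newest one if the CA cert was renewed).
$caCert = Get-ChildItem -Path Cert:\LocalMachine\My |
          Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$caName*" } |
          Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw "No certificate for CA '$caName' found in LocalMachine\My" }

# Build the chain without revocation checking: a stale CRL on an old CA must not hide the structure.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
[void]$chain.Build($caCert)

"Certification path for '$caName' (this CA first, root last):"
$i = 0
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    "{0}: {1}  (issuer: {2}, expires {3:yyyy-MM-dd})" -f $i++, $c.Subject, $c.Issuer, $c.NotAfter
}

# A root CA is self-signed: a single element in the chain and Subject equal to Issuer.
if ($chain.ChainElements.Count -eq 1 -and $caCert.Subject -eq $caCert.Issuer) {
    "Result: '$caName' is a ROOT CA (self-signed, top of its own chain)."
} else {
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Result: '$caName' is a SUBORDINATE CA; the root of its chain is '$($top.Subject)'."
}
```

Note that this only answers root versus subordinate. Whether the CA is enterprise (AD-integrated) or standalone is a separate property, stored as the CAType value under the same CertSvc registry key, which is the check Mahesh points to later in the thread.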
bergquistcompany (asker):

@donnk - what are the benefits of this?  Wouldn't we need to purchase certificates to add to this server?

@MaheshPM - OK, we have a standard (not enterprise) root CA, so as I understand your steps: back up, uninstall the role, demote, prepare a new DC with the same name, and restore.
1. Should new machine have same name?  Want to confirm your comment v.s. video?

One question: if I choose to put this on a member server, as you mention it is best not to be on a DC, is it more challenging to put it on a machine with a different name? I'm guessing it would be, as donnk said, a totally second copy.  Thus, ideally, if I understand, backup and restore to a 2012 member server (non-DC) would be best?

CA (Local)
   CHDC1
        Revoked
         Issued
         Pending
         Failed
         Certificate Templates - could not be loaded.  Element not found.

Does this mean I have a stand-alone root CA?  Is there a better option for a network where, as servers come and go, the CA is centralized on multiple servers so that if one goes the others have it?
Mahesh:

Your questions:
1. Should new machine have same name?  Want to confirm your comment v.s. video?
Yes, both machine hostnames should be the same. This will ensure that already-issued certificates remain intact, as the CA server hostname is hardcoded in the CRL and AIA locations of issued certificates; if you restore the CA on a server with a different hostname, those certificates will be unable to update the CRL and unable to check CA authenticity, and you will need to issue new certificates to them.

Thus ideally if I understand backup and restore to 2012 member server non-DC would be best?
Yes, you should restore it on a 2012 member server with the same hostname as the old one.

This mean I am with stand-alone root CA?  Is there a better option for a network where as servers come and go the CA is centralized on multiple servers so if one goes others have it?
Check the registry key described in the link below on the CA server to identify whether it is running an Enterprise root CA or a Standalone root CA:
http://www.systemcentercentral.com/how-to-determine-the-type-of-certificate-authority-ca-you-have/
As far as I know, a Standalone root CA doesn't have this (Certificate Templates) folder. If you are able to see this folder, it most probably means it is an enterprise CA but has some issue with the templates container.
Please confirm.

Normally, if you have a big setup, you can deploy a standalone root CA and then deploy multiple subordinate enterprise root CA (AD-integrated) servers which issue certificates to clients. In such cases the standalone root CA is taken offline as a best practice and brought online only when you want to renew subordinate CA certificates.

If you want, you can deploy multiple root Certificate Authorities in a given domain.
You can install a combination of Standalone root CA + Enterprise root CA if wanted.

I don't think you will require an offline root CA setup with an enterprise subordinate root CA.
Your best option is to deploy an enterprise root CA.
In your case, one of the good options is to restore it on the new server with the same hostname.

Just check from the above link what type of CA you have. How many certificates have you issued through this CA server?
If it's very few, just check each computer that has these certificates and find out whether they are in use.
If they are not in use, just install a new AD-integrated Enterprise root CA on the new member server.

Lastly, if your CA is a standalone root CA, then there is no problem. First, just migrate this CA to the new member server with the same hostname, and later install a subordinate enterprise root CA if wanted.

If you have an Enterprise root CA and are facing issues with certificate templates ("Certificate Templates - could not be loaded.  Element not found", as per your comment), then you can try the steps below:
Just take a backup of the CA server with the registry (this will export the CA database and the certificate with its private key)
Uninstall the CA server role
Reboot the server
Reinstall the CA server role with the existing certificate option and select the certificate exported above
Now check if you can view all certificate templates.
Now restore the CA database and you will be back in business.
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx

Hope this helps and clears up all questions.

Mahesh
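The backup / uninstall / reinstall / restore migration described above, carried through in PowerShell for a CA moving to a new server that keeps the old hostname, with the CAType registry check from the link above folded in as the first step. This is an added example, not code from the thread or from Microsoft's migration guide. Assumptions: C:\CABackup and the password are placeholders; Part 1 runs on the old CA (the certutil and reg commands also work from cmd.exe on Server 2003, where the two Get-ItemProperty reads can be replaced by reg query); Part 2 runs on the new Server 2012 machine after it has been joined to the domain under the old name with the backup folder copied to it; the manual steps between the two parts (uninstalling the role, demoting and disjoining the old server) are left as comments.

```powershell
# Added example, not from the original thread: the backup / uninstall / reinstall / restore
# migration that Mahesh outlines, for a CA moving to a NEW server with the SAME hostname.
# Assumptions: C:\CABackup and the password are placeholders; Part 1 runs on the old CA,
# Part 2 on the new Server 2012 member server joined to the domain under the old hostname.

$backupDir = 'C:\CABackup'
$password  = 'ChangeMe-placeholder'   # protects the exported CA private key (.p12)

# ---------- Part 1: on the OLD CA server ----------
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty $cfgKey).Active
$caType = (Get-ItemProperty "$cfgKey\$caName").CAType

# CAType: 0 = Enterprise Root, 1 = Enterprise Subordinate, 3 = Standalone Root, 4 = Standalone Subordinate
$typeMap    = @{ 0 = 'EnterpriseRootCA'; 1 = 'EnterpriseSubordinateCA'; 3 = 'StandaloneRootCA'; 4 = 'StandaloneSubordinateCA' }
$caTypeName = $typeMap[[int]$caType]
"CA '$caName' on $env:COMPUTERNAME is a $caTypeName"

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
# CA database plus the CA certificate with its private key ($caName.p12) go to $backupDir
certutil -p $password -backup $backupDir
# CA configuration (CDP/AIA URLs, validity periods, ...) lives in the registry
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" "$backupDir\CertSvc-Configuration.reg" /y
# Enterprise CA only: record which templates it publishes so they can be re-added after restore
if ($caTypeName -like 'Enterprise*') { certutil -catemplates | Out-File "$backupDir\templates.txt" }
# Keep CAPolicy.inf if present; it must be in C:\Windows on the new server before reinstalling
if (Test-Path "$env:windir\CAPolicy.inf") { Copy-Item "$env:windir\CAPolicy.inf" $backupDir }

# Then, manually: uninstall the CA role, demote and disjoin the old server, bring up the new
# 2012 member server with the SAME hostname, and copy $backupDir to it.

# ---------- Part 2: on the NEW Server 2012 member server ----------
Install-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
$secure = ConvertTo-SecureString $password -AsPlainText -Force
# Reinstall from the exported certificate and key instead of generating a new one, so the CA
# name, key and the hostname embedded in already-issued certificates' CDP/AIA URLs stay valid.
Install-AdcsCertificationAuthority -CAType $caTypeName -CertFile "$backupDir\$caName.p12" -CertFilePassword $secure -Force

Stop-Service CertSvc
reg import "$backupDir\CertSvc-Configuration.reg"   # review the .reg first; hostname is unchanged, so CAServerName is correct
certutil -f -restoredb $backupDir                    # restore the issued / revoked / pending database
Start-Service CertSvc

# Verify: the CA answers, and its publication URLs still name the host that issued certificates reference
certutil -ping
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
if ($caTypeName -like 'Enterprise*') {
    # Compare with templates.txt and re-add what is missing, e.g.: certutil -SetCATemplates +WebServer
    Get-Content "$backupDir\templates.txt"
    certutil -catemplates
}
```

The same certutil -p password -backup command, run on a schedule and copied to another host, is also the answer to the asker's "what if it crashes" concern: the CA key, certificate and database are then restorable onto a replacement server of the same name exactly as in Part 2.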