Solved

Domain Controller with Certificate Authority needs replacing: how to move

Posted on 2013-12-04
457 Views
Last Modified: 2013-12-30
Hello EE,

We have a DC that is our certificate holder and I now need to move these all to the new DC that will be replacing it.  I have never done this and am wondering: is this how others do it, with certificates on one server (what if it crashes)?  I am going from 2003 to 2012 and any guidance on how to move and set up would be great.

thanks!
Question by:bergquistcompany
7 Comments
LVL 6

Expert Comment

by:donnk
ID: 39697540
Get a complete new set for the new server and leave the ones on the old server. New ones will have new names.
LVL 37

Accepted Solution

by: Mahesh (earned 500 total points)
ID: 39697963
You can use the guide below for CA migration from 2003 to 2012:
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx

I am just outlining the high-level steps here:

Back up the 2003 CA certificate with its database and registry.
Uninstall the CA server role from 2003.
Now you can demote the server to a member server.
Shut the server down for the time being.
Prepare the 2012 member server / ADC with the same hostname as the old CA (DC) server.
Install the CA role with the existing certificate (from the certificate backup taken above) on the 2012 server.
Restore the CA database backup taken above from the CA console on the 2012 server.
Check that the CRL and AIA entries in Active Directory Sites and Services are appropriate, since your source and destination CA server hostnames are the same.

Note: Do not change the CA server (ADC) hostname, otherwise your existing issued certificates will not be able to check the CRL.
Once you are sure that the new CA is working as expected, you can use the old 2003 machine for other purposes with a different hostname.
Because if you face any issues on the new CA, you can just uninstall the CA from the new server, rename it to some new name, start your old CA server, install the CA role and just restore the CA backup, and you will be back in business.
Also, you cannot change the CA common name in AD.

One suggestion: if possible, avoid installing the CA server on a DC, so that in future, if you want to rename or demote the DC, it is possible.
Because if you install the CA on a DC, you cannot rename or demote the DC unless you uninstall the CA server role.

Mahesh
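The backup-on-2003 / restore-on-2012 sequence in the accepted answer, written out as the commands typed on each server. This is an added example and not code from the thread or from Microsoft's migration guide; the backup folder, the PFX password and the CA type (EnterpriseRootCA) are illustrative assumptions. The 2003 side uses only certutil and reg, which exist there natively; the 2012 side uses the ADCSDeployment and ADCSAdministration cmdlets that ship with Windows Server 2012.

```powershell
# Added example (not from the original thread). Assumptions: $BackupDir, the
# key passphrase, and that the old CA was an enterprise root CA.

# ---------- Part 1: on the old Windows Server 2003 CA (elevated prompt) ----------
$BackupDir     = 'D:\CABackup'                       # assumed; should be new/empty
$CaKeyPassword = 'Replace-With-A-Strong-Passphrase'  # protects the exported CA key

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Exports the CA certificate + private key (<CAName>.p12) and the CA database
# (DataBase\ subfolder). The .p12 IS the CA signing key: keep it off shares.
certutil -backup -p $CaKeyPassword $BackupDir

# CRL/AIA publication URLs, validity periods and (for an enterprise CA) the list
# of issued templates live in the registry, not in the database, so export them.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    "$BackupDir\CertSvc-Configuration.reg" /y

# Only after the backup is verified: remove the CA role (Add/Remove Windows
# Components on 2003), dcpromo to demote, then shut the server down so its
# hostname is free for the new server.

# ---------- Part 2: on the new Windows Server 2012 member server ----------
# Prerequisite: the server has been renamed to the OLD CA's hostname, joined to
# the domain, and $BackupDir has been copied over (same variables as above).
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

$secure = ConvertTo-SecureString $CaKeyPassword -AsPlainText -Force
$pfx    = Get-ChildItem -Path $BackupDir -Filter '*.p12' | Select-Object -First 1

# Reuse the exported certificate and key instead of generating new ones, so the
# CA name and key, and therefore the CDP/AIA paths already embedded in issued
# certificates, stay valid. -CAType must match the old CA (assumption: enterprise
# root; use StandaloneRootCA for a standalone root). Enterprise CAs need an
# Enterprise Admin to install.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CertFile $pfx.FullName -CertFilePassword $secure -Force

# The database restore requires the CA service to be stopped.
Stop-Service CertSvc
Restore-CARoleService -Path $BackupDir -Password $secure -DatabaseOnly -Force

# Review the .reg before importing: DBDirectory, DBLogDirectory and similar
# paths must exist on the 2012 box (edit them if the system drive differs).
reg import "$BackupDir\CertSvc-Configuration.reg"

Start-Service CertSvc

# ---------- Verification ----------
certutil -ping                          # the restored CA answers RPC requests
certutil -getreg CA\CRLPublicationURLs  # %1 (server DNS name) must resolve to this host
certutil -crl                           # publish a fresh CRL signed by the restored key
```

The check that matters after the move is the CRL one: the CDP entries in already issued certificates contain the old CA's DNS name, so the new host must answer at that name and publish a CRL signed with the same key, otherwise revocation checking on every existing certificate fails. If anything goes wrong, the rollback is the inverse of Part 2 (remove the role, rename the box, power the 2003 server back on), exactly as the answer describes.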
LVL 13

Expert Comment

by:Jaihunt
ID: 39698285
Author Comment

by:bergquistcompany
ID: 39701695
Is there a way to have this at an enterprise level, so if machines come and go no one machine holds all the certificates, so you run into those?

Also from the video it appears you want to name the new DC the same as the old but @ MaheshPM you indicate do not?

I understand this appears easier than reissuing certificates under the new server name starting from scratch.  How do I confirm if my DC is a ROOT and Issuing CA, as it appears there are 2 procedures for that?
LVL 37

Expert Comment

by:Mahesh
ID: 39701925
Also from the video it appears you want to name the new DC the same as the old, but @MaheshPM you indicate do not?

I mentioned in my earlier comment that you should keep the new and old CA server hostname the same, and you cannot rename the CA common name in AD.
I also mentioned the impact if you do change the CA server name.

Is there a way to have this at an enterprise level, so if machines come and go no one machine holds all the certificates, so you run into those?

I am not able to understand what you are trying to say.
Can you explain it please?

Lastly, just open the CA certificate and in the certificate properties check the certification path to understand whether a certificate chain exists.
If you find only one certificate in the chain, then it is the root CA, or
if you find a certificate chain, then the topmost certificate is the root CA.

Mahesh

Author Comment

by:bergquistcompany
ID: 39706048
@donnk - what are the benefits of this?  Wouldn't we need to purchase to add to this server?

@MaheshPM - OK, we have a standard (not enterprise root CA), so as I understand your steps: backing up, uninstalling the role, demoting, and preparing the new DC with the same name and restoring.
1. Should the new machine have the same name?  Want to confirm your comment vs. video?

One question: if I choose to put this on a member server, as you mention it's best not to be on a DC, is it more challenging to put it on a machine with a different name? I'm guessing it would be, as donnk said, having a totally second copy?  Thus ideally, if I understand, backup and restore to a 2012 member server (non-DC) would be best?

CA (Local)
   CHDC1
        Revoked
         Issued
         Pending
         Failed
         Certificate Templates - could not be loaded.  Element not found.

Does this mean I have a stand-alone root CA?  Is there a better option for a network where, as servers come and go, the CA is centralized on multiple servers so if one goes the others have it?
LVL 37

Expert Comment

by:Mahesh
ID: 39707013
Your questions:
1. Should the new machine have the same name?  Want to confirm your comment vs. video?
Yes, both machine hostnames should be the same. This will ensure that already issued certificates remain intact, as the CA server hostname is hardcoded in the CRL and AIA of issued certificates, and if you restore the CA on a server having a different hostname, those certificates will be unable to update the CRL and unable to check CA authenticity, and you will need to issue new certificates to them.

Thus ideally, if I understand, backup and restore to a 2012 member server (non-DC) would be best?
Yes, you should restore it on a 2012 member server with the same hostname as the old one.

Does this mean I have a stand-alone root CA?  Is there a better option for a network where, as servers come and go, the CA is centralized on multiple servers so if one goes the others have it?
Check the registry key in the link below on the CA server to identify if it is running an Enterprise root CA or a Standalone root CA:
http://www.systemcentercentral.com/how-to-determine-the-type-of-certificate-authority-ca-you-have/
Because, as far as I know, a Standalone root CA doesn't have this folder. If you are able to see this folder, it means most probably it is an enterprise CA but having some issue with the templates container.
Please confirm.

Normally if you have a big setup, you can deploy a standalone root CA and then deploy multiple subordinate enterprise root CA (AD integrated) servers which will issue certificates to clients. In such cases the Standalone root CA is taken offline as a best practice and brought online only when you want to renew subordinate CA certificates.

If you want, you can deploy multiple root certificate authorities in a given domain.
You can install a combination of Standalone root CA + Enterprise root CA if wanted.

I don't think you will require an offline root CA setup with an enterprise subordinate root CA.
Your best option is to deploy an enterprise root CA.
In your case, one of the good options is to restore it on a new server with the same hostname.

Just check from the above link what type of CA you have. How many certificates have you issued through this CA server?
If it's very few, just check on each computer that has these certificates and find out if it is useful.
If it's not in use, just install a new AD integrated Enterprise root CA on the new member server.

Lastly, if your CA is a standalone root CA, then there is no problem. First just migrate this CA to the new member server with the same hostname, and later install a subordinate enterprise root CA if wanted.

If you have an Enterprise root CA and are facing issues with certificate templates ("Certificate Templates - could not be loaded.  Element not found") as per your comment, then you can try the steps below:
Just take a backup of the CA server with registry (this will export the CA database and certificate with private key)
Uninstall the CA server role
Reboot the server
Reinstall the CA server role with the existing certificate option and select the certificate exported above
Now check if you can view all certificate templates.
Now restore the CA database and you will be back in business.
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx

Hope this helps and clears all questions

Mahesh
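The two things the answer above asks the poster to establish (which CA type this is, and how much it has issued) can be read directly off the CA, together with the reason the hostname must survive the move. The script below is an added example and not part of the thread or of the linked article; it assumes it runs on the CA itself with administrative rights, reads the standard CertSvc registry locations, and decodes the CAType value with the documented encoding (0 enterprise root, 1 enterprise subordinate, 2 standalone root, 3 standalone subordinate).

```powershell
# Added example (not from the original thread). Run on the CA as an administrator.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaTypeInfo {
    # 'Active' names the CA instance; its subkey carries CAType and publication URLs.
    $caName = (Get-ItemProperty -Path $cfgKey).Active
    $caType = [int](Get-ItemProperty -Path "$cfgKey\$caName").CAType
    $names  = @{ 0 = 'Enterprise Root CA'; 1 = 'Enterprise Subordinate CA';
                 2 = 'Standalone Root CA'; 3 = 'Standalone Subordinate CA' }
    [pscustomobject]@{
        CAName       = $caName
        CAType       = $caType
        TypeName     = $names[$caType]
        # Enterprise CAs read templates from and publish to AD; standalone CAs do not.
        IsEnterprise = ($caType -in 0, 1)
    }
}

function Test-CaTemplates {
    # On an enterprise CA this lists the templates it issues (possibly none).
    # On a standalone CA the command fails, which is the same thing the console
    # shows as "Certificate Templates - could not be loaded".
    $out = certutil -catemplates 2>&1
    [pscustomobject]@{ Succeeded = ($LASTEXITCODE -eq 0); Output = ($out -join "`n") }
}

function Get-IssuedCertificateCount {
    # Disposition 20 = issued. CSV output is one header row plus one row per cert.
    $rows = certutil -view -restrict 'Disposition=20' -out 'RequestID,CommonName,NotAfter' csv
    @($rows | Select-Object -Skip 1 | Where-Object { $_ -match '\S' }).Count
}

function Get-HostnameDependentUrls {
    # %1 expands to the CA server's DNS name and %2 to its short name when a
    # certificate is issued, so every CDP/AIA entry using them bakes THIS host
    # into certificates the CA signs. That is why the hostname must not change.
    $caName = (Get-ItemProperty -Path $cfgKey).Active
    $p      = Get-ItemProperty -Path "$cfgKey\$caName"
    $fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    @($p.CRLPublicationURLs) + @($p.CACertPublicationURLs) |
        Where-Object { $_ -match '%1|%2' } |
        ForEach-Object {
            [pscustomobject]@{
                Template = $_
                Expanded = ($_ -replace '%1', $fqdn) -replace '%2', $env:COMPUTERNAME
            }
        }
}

Get-CaTypeInfo
Test-CaTemplates
"Issued certificates: $(Get-IssuedCertificateCount)"
Get-HostnameDependentUrls | Format-Table -AutoSize
```

Reading the result against the answer: type 2 with a failing `certutil -catemplates` is the standalone root the poster suspects, and then the migration with an unchanged hostname is the whole job; type 0 with a failing template lookup is the enterprise-CA-with-broken-templates case, where the answer's uninstall/reinstall-with-existing-certificate step applies. A low issued count is the signal that reissuing under a brand-new CA (donnk's suggestion) may be cheaper than migrating at all.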
