Solved

CA migration from 2003 to 2012 server

Posted on 2013-12-23
4
1,440 Views
Last Modified: 2014-01-03
Have migrated CA certification from 2003 server to 2012. Follow up article http://blogs.technet.com/b/meamcs/archive/2012/03/27/migrating-windows-2003-enterprise-certificate-authority-to-windows-2008-r2-based-ca.aspx, that basically have me export CA data and registry, then install the CA on the 2012 server and import the data and registry configuration.  After this was done  I couldn't first setup WEB enrollment but then found article that have me change registry entry to allow it to install.
 At this point thought all went fine but then I start showing errors 75 and 74
Active Directory Certificate Services could not publish a Base CRL for key 1 to the following location on server : ldap:///CN=************(1),CN=Kaydc2,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=kay,DC=***********,DC=com.  Directory object not found. 0x8007208d (WIN32: 8333).
ldap: 0x20: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
      'CN=Kaydc2,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=***,DC=*****,DC=com'


Found some articles that's talk about permission on services in AD site and services nodes. Seems this wasn't an issue in my case as all entries were there.
Now errors still pop up so I tried to Renew CA certificate from the certification authority snap console and that's issued 103 id warning that the AD services added the root certificate to chain 2 to the downloaded Trusted Root Certification Enterprise Authorities store on CA computer.
After this the errors 75 and 74 stop showing up in the log. When I look up the MS CA certification WEB services I now see two CA certificate: Current [CA(2)] and Previous [CA(1)]
I don't know how to get ride off the previous one. Or question should be Can I get ride of the one that has name Previous CN (1). Would currently issued certificates worked if that happen?

Thanks
0
Comment
Question by:dtech39
  • 3
4 Comments
 
LVL 1

Assisted Solution

by:x278384
x278384 earned 500 total points
ID: 39737291
I suggest that you could only backup CA cert and DB, then try to restore the CA cert during new CA installing wizzard. At last Restore the DB file.

I tried that once without export the REG, I think you could try first in your VM ENV.
That works for me, btw my new CA server has the same name with the old ca server.
0
 

Author Comment

by:dtech39
ID: 39738043
Name its different from the old server. Any suggestions for that?
0
 

Accepted Solution

by:
dtech39 earned 0 total points
ID: 39740419
Ok I think I did resolve the issue by uninstalling the CA service and cleanup AD and reisntalling it and restoring CA withut the registry per Microsoft article.

Now there is still the certificate (0) expired error logged on the CA AD log:

A certificate in the chain for CA certificate #0 for *********** has expired.  A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495).

Any ideas of how to get ride of that certificate #0 as it seems not beign use as the #1 its the old one that is still valid and the 0 one was a lefover from previous systems.

Thanks
0
 

Author Closing Comment

by:dtech39
ID: 39753371
Follow up article on Ms for cleanup AD after uninstalling CA from old server. Also the registry modification wasn't necessary.
0

Featured Post

Why spend so long doing email signature updates?

Do you spend loads of your time carrying out email signature updates? Not very interesting are they? Don’t let signature updates get you down. Let Exclaimer Cloud - Signatures for Office 365 make managing email signatures a breeze.

Join & Write a Comment

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
This video will demonstrate how to find the puppet warp tool from the edit menu and where to put the points to edit.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now