Solved

CA migration from 2003 to 2012 server

Posted on 2013-12-23
4
1,460 Views
Last Modified: 2014-01-03
Have migrated CA certification from 2003 server to 2012. Follow up article http://blogs.technet.com/b/meamcs/archive/2012/03/27/migrating-windows-2003-enterprise-certificate-authority-to-windows-2008-r2-based-ca.aspx, that basically have me export CA data and registry, then install the CA on the 2012 server and import the data and registry configuration.  After this was done  I couldn't first setup WEB enrollment but then found article that have me change registry entry to allow it to install.
 At this point thought all went fine but then I start showing errors 75 and 74
Active Directory Certificate Services could not publish a Base CRL for key 1 to the following location on server : ldap:///CN=************(1),CN=Kaydc2,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=kay,DC=***********,DC=com.  Directory object not found. 0x8007208d (WIN32: 8333).
ldap: 0x20: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
      'CN=Kaydc2,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=***,DC=*****,DC=com'


Found some articles that's talk about permission on services in AD site and services nodes. Seems this wasn't an issue in my case as all entries were there.
Now errors still pop up so I tried to Renew CA certificate from the certification authority snap console and that's issued 103 id warning that the AD services added the root certificate to chain 2 to the downloaded Trusted Root Certification Enterprise Authorities store on CA computer.
After this the errors 75 and 74 stop showing up in the log. When I look up the MS CA certification WEB services I now see two CA certificate: Current [CA(2)] and Previous [CA(1)]
I don't know how to get ride off the previous one. Or question should be Can I get ride of the one that has name Previous CN (1). Would currently issued certificates worked if that happen?

Thanks
0
Comment
Question by:dtech39
  • 3
4 Comments
 
LVL 1

Assisted Solution

by:x278384
x278384 earned 500 total points
ID: 39737291
I suggest that you could only backup CA cert and DB, then try to restore the CA cert during new CA installing wizzard. At last Restore the DB file.

I tried that once without export the REG, I think you could try first in your VM ENV.
That works for me, btw my new CA server has the same name with the old ca server.
0
 

Author Comment

by:dtech39
ID: 39738043
Name its different from the old server. Any suggestions for that?
0
 

Accepted Solution

by:
dtech39 earned 0 total points
ID: 39740419
Ok I think I did resolve the issue by uninstalling the CA service and cleanup AD and reisntalling it and restoring CA withut the registry per Microsoft article.

Now there is still the certificate (0) expired error logged on the CA AD log:

A certificate in the chain for CA certificate #0 for *********** has expired.  A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495).

Any ideas of how to get ride of that certificate #0 as it seems not beign use as the #1 its the old one that is still valid and the 0 one was a lefover from previous systems.

Thanks
0
 

Author Closing Comment

by:dtech39
ID: 39753371
Follow up article on Ms for cleanup AD after uninstalling CA from old server. Also the registry modification wasn't necessary.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let’s list some of the technologies that enable smooth teleworking. 
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
An overview on how to enroll an hourly employee into the employee database and how to give them access into the clock in terminal.
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now