Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

CA migration from 2003 to 2012 server

Posted on 2013-12-23
4
Medium Priority
?
1,544 Views
Last Modified: 2014-01-03
Have migrated CA certification from 2003 server to 2012. Follow up article http://blogs.technet.com/b/meamcs/archive/2012/03/27/migrating-windows-2003-enterprise-certificate-authority-to-windows-2008-r2-based-ca.aspx, that basically have me export CA data and registry, then install the CA on the 2012 server and import the data and registry configuration.  After this was done  I couldn't first setup WEB enrollment but then found article that have me change registry entry to allow it to install.
 At this point thought all went fine but then I start showing errors 75 and 74
Active Directory Certificate Services could not publish a Base CRL for key 1 to the following location on server : ldap:///CN=************(1),CN=Kaydc2,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=kay,DC=***********,DC=com.  Directory object not found. 0x8007208d (WIN32: 8333).
ldap: 0x20: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
      'CN=Kaydc2,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=***,DC=*****,DC=com'


Found some articles that's talk about permission on services in AD site and services nodes. Seems this wasn't an issue in my case as all entries were there.
Now errors still pop up so I tried to Renew CA certificate from the certification authority snap console and that's issued 103 id warning that the AD services added the root certificate to chain 2 to the downloaded Trusted Root Certification Enterprise Authorities store on CA computer.
After this the errors 75 and 74 stop showing up in the log. When I look up the MS CA certification WEB services I now see two CA certificate: Current [CA(2)] and Previous [CA(1)]
I don't know how to get ride off the previous one. Or question should be Can I get ride of the one that has name Previous CN (1). Would currently issued certificates worked if that happen?

Thanks
0
Comment
Question by:dtech39
  • 3
4 Comments
 
LVL 1

Assisted Solution

by:x278384
x278384 earned 2000 total points
ID: 39737291
I suggest that you could only backup CA cert and DB, then try to restore the CA cert during new CA installing wizzard. At last Restore the DB file.

I tried that once without export the REG, I think you could try first in your VM ENV.
That works for me, btw my new CA server has the same name with the old ca server.
0
 

Author Comment

by:dtech39
ID: 39738043
Name its different from the old server. Any suggestions for that?
0
 

Accepted Solution

by:
dtech39 earned 0 total points
ID: 39740419
Ok I think I did resolve the issue by uninstalling the CA service and cleanup AD and reisntalling it and restoring CA withut the registry per Microsoft article.

Now there is still the certificate (0) expired error logged on the CA AD log:

A certificate in the chain for CA certificate #0 for *********** has expired.  A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495).

Any ideas of how to get ride of that certificate #0 as it seems not beign use as the #1 its the old one that is still valid and the 0 one was a lefover from previous systems.

Thanks
0
 

Author Closing Comment

by:dtech39
ID: 39753371
Follow up article on Ms for cleanup AD after uninstalling CA from old server. Also the registry modification wasn't necessary.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Unable to change the program that handles the scan event from a network attached Canon/Brother printer/scanner. This means you'll always have to choose which program handles this action, e.g. ControlCenter4 (in the case of a Brother).
Stellar Exchange Toolkit: this 5 in 1 toolkit comes loaded with mega-software tool. Here’s an introduction to tools’ usage and advantages:
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question