Solved

CA migration from 2003 to 2012 server

Posted on 2013-12-23
4
1,515 Views
Last Modified: 2014-01-03
Have migrated CA certification from 2003 server to 2012. Follow up article http://blogs.technet.com/b/meamcs/archive/2012/03/27/migrating-windows-2003-enterprise-certificate-authority-to-windows-2008-r2-based-ca.aspx, that basically have me export CA data and registry, then install the CA on the 2012 server and import the data and registry configuration.  After this was done  I couldn't first setup WEB enrollment but then found article that have me change registry entry to allow it to install.
 At this point thought all went fine but then I start showing errors 75 and 74
Active Directory Certificate Services could not publish a Base CRL for key 1 to the following location on server : ldap:///CN=************(1),CN=Kaydc2,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=kay,DC=***********,DC=com.  Directory object not found. 0x8007208d (WIN32: 8333).
ldap: 0x20: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
      'CN=Kaydc2,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=***,DC=*****,DC=com'


Found some articles that's talk about permission on services in AD site and services nodes. Seems this wasn't an issue in my case as all entries were there.
Now errors still pop up so I tried to Renew CA certificate from the certification authority snap console and that's issued 103 id warning that the AD services added the root certificate to chain 2 to the downloaded Trusted Root Certification Enterprise Authorities store on CA computer.
After this the errors 75 and 74 stop showing up in the log. When I look up the MS CA certification WEB services I now see two CA certificate: Current [CA(2)] and Previous [CA(1)]
I don't know how to get ride off the previous one. Or question should be Can I get ride of the one that has name Previous CN (1). Would currently issued certificates worked if that happen?

Thanks
0
Comment
Question by:dtech39
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 1

Assisted Solution

by:x278384
x278384 earned 500 total points
ID: 39737291
I suggest that you could only backup CA cert and DB, then try to restore the CA cert during new CA installing wizzard. At last Restore the DB file.

I tried that once without export the REG, I think you could try first in your VM ENV.
That works for me, btw my new CA server has the same name with the old ca server.
0
 

Author Comment

by:dtech39
ID: 39738043
Name its different from the old server. Any suggestions for that?
0
 

Accepted Solution

by:
dtech39 earned 0 total points
ID: 39740419
Ok I think I did resolve the issue by uninstalling the CA service and cleanup AD and reisntalling it and restoring CA withut the registry per Microsoft article.

Now there is still the certificate (0) expired error logged on the CA AD log:

A certificate in the chain for CA certificate #0 for *********** has expired.  A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495).

Any ideas of how to get ride of that certificate #0 as it seems not beign use as the #1 its the old one that is still valid and the 0 one was a lefover from previous systems.

Thanks
0
 

Author Closing Comment

by:dtech39
ID: 39753371
Follow up article on Ms for cleanup AD after uninstalling CA from old server. Also the registry modification wasn't necessary.
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Invest in your employees with these five simple steps to improve employee engagement and retention.
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question