dtech39
asked on
CA migration from 2003 to 2012 server
Have migrated CA certification from 2003 server to 2012. Follow up article http://blogs.technet.com/b/meamcs/archive/2012/03/27/migrating-windows-2003-enterprise-certificate-authority-to-windows-2008-r2-based-ca.aspx, that basically have me export CA data and registry, then install the CA on the 2012 server and import the data and registry configuration. After this was done I couldn't first setup WEB enrollment but then found article that have me change registry entry to allow it to install.
At this point thought all went fine but then I start showing errors 75 and 74
Active Directory Certificate Services could not publish a Base CRL for key 1 to the following location on server : ldap:///CN=************(1)
ldap: 0x20: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=Kaydc2,CN=CDP,CN=Publi
Found some articles that's talk about permission on services in AD site and services nodes. Seems this wasn't an issue in my case as all entries were there.
Now errors still pop up so I tried to Renew CA certificate from the certification authority snap console and that's issued 103 id warning that the AD services added the root certificate to chain 2 to the downloaded Trusted Root Certification Enterprise Authorities store on CA computer.
After this the errors 75 and 74 stop showing up in the log. When I look up the MS CA certification WEB services I now see two CA certificate: Current [CA(2)] and Previous [CA(1)]
I don't know how to get ride off the previous one. Or question should be Can I get ride of the one that has name Previous CN (1). Would currently issued certificates worked if that happen?
Thanks
At this point thought all went fine but then I start showing errors 75 and 74
Active Directory Certificate Services could not publish a Base CRL for key 1 to the following location on server : ldap:///CN=************(1)
ldap: 0x20: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=Kaydc2,CN=CDP,CN=Publi
Found some articles that's talk about permission on services in AD site and services nodes. Seems this wasn't an issue in my case as all entries were there.
Now errors still pop up so I tried to Renew CA certificate from the certification authority snap console and that's issued 103 id warning that the AD services added the root certificate to chain 2 to the downloaded Trusted Root Certification Enterprise Authorities store on CA computer.
After this the errors 75 and 74 stop showing up in the log. When I look up the MS CA certification WEB services I now see two CA certificate: Current [CA(2)] and Previous [CA(1)]
I don't know how to get ride off the previous one. Or question should be Can I get ride of the one that has name Previous CN (1). Would currently issued certificates worked if that happen?
Thanks
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Follow up article on Ms for cleanup AD after uninstalling CA from old server. Also the registry modification wasn't necessary.
ASKER