  • Status: Solved

Migrate Certification Authority from 2003 domain to another parallel domain

We have an old 2003 domain with a CA, in which we have a few old application servers which are in the process of decommissioning; however, it will take another 6-8 months to complete.
We also have a 2008 domain running in parallel, which is the current domain, and I need to move the certificate authority from the 2003 domain to the new domain but still service the old 2003 domain until we decommission it. Is there a guide that can be used for this process, please?
Biertan
Asked:
1 Solution
 
Seth Simmons, Sr. Systems Administrator, Commented:
You can move a CA domain root to the same or a newer version of Windows, but not across domains.
The CA is set up for that domain; build a new CA for the other domain.
 
Biertan, Author, Commented:
Thank you Seth.
The new domain has its own CA and I was wondering whether I can use this same CA for the old domain (they have trusts in place across the domains), rather than building a new CA for the old domain, which will be decommissioned soon.
 
Seth Simmons, Sr. Systems Administrator, Commented:
OK, that's something entirely different; the original question referred to moving the CA, which is a different process.
I haven't tried a CA between trusted domains, so not sure if it would work.
 
Mahesh, Architect, Commented:
With 2008 R2, MS has started to enroll certificates over cross forest trust.
However, it's not possible to migrate a CA from one domain to another, as it is domain specific.
"You cannot change the name nor the domain of the Certificate Server once Certificate Services is installed"
 
Biertan, Author, Commented:
My apologies Seth - I didn't express the question appropriately.
My intention (if possible) is to use the new domain's CA as the CA for the old domain as well.
 
Mahesh, Architect, Commented:
Look at the guide below - Cross Forest Certificate enrollment
http://technet.microsoft.com/en-us/library/ff955842(v=ws.10).aspx
 
Biertan, Author, Commented:
Is it possible to re-enroll existing objects from the old domain in the new domain CA through group policy?
 
Mahesh, Architect, Commented:
You cannot re-enroll existing objects because you have not enrolled them from the CA over cross forest trust.
To do what you can do, install an enterprise root CA (AD integrated) in the new forest with a 2008 R2 member server, establish a TWO-way cross forest trust and then start enrolling certificates over the forest trust.
These certificates can be renewed in advance when they are about to expire.
http://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx
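
The steps from the last answer, sketched as an added example that is not part of the original thread and not copied from the linked guide. The CA host, CA name and file path are constructed placeholders, and the two-way forest trust is assumed to exist already.

```powershell
# Added example. All names below are constructed placeholders.
$CaConfig = 'NEWCA01.new.example\New-Enterprise-CA'   # <CA host>\<CA name>, new forest
$CaCert   = 'C:\pki\new-enterprise-ca.cer'            # exported CA certificate

# ---- On the enterprise CA in the new (2008 R2) forest ----

# 1. Confirm the trust to the old forest is listed before touching the CA.
nltest /domain_trusts

# 2. Confirm Certificate Services is reachable under the expected name.
certutil -config $CaConfig -ping

# 3. Let the CA follow LDAP referrals so it can resolve requesters that live
#    in the trusted forest. The service must be restarted to pick this up.
#    The flag is quoted so PowerShell passes it to certutil unchanged.
certutil -setreg Policy\EditFlags '+EDITF_ENABLELDAPREFERRALS'
Restart-Service CertSvc
certutil -getreg Policy\EditFlags      # review: the flag should now be listed

# 4. Export the CA certificate. '-ca.cert' is quoted because PowerShell
#    otherwise splits a dash-prefixed argument at the dot.
certutil -config $CaConfig '-ca.cert' $CaCert

# ---- In the old (2003) forest, as an Enterprise Admin ----

# 5. Publish the new CA as a trusted root and into NTAuth.
#    NTAuth makes the old forest accept this CA for certificate-based logon,
#    so record this change for the decommission plan.
certutil -dspublish -f $CaCert RootCA
certutil -dspublish -f $CaCert NTAuthCA

# ---- On a client in the old forest ----

# 6. Trigger autoenrollment and check that the chain builds and that the
#    AIA/CDP URLs are reachable from this side of the trust.
certutil -pulse
certutil -verify -urlfetch $CaCert
```

Certificate templates and enrollment-service objects also have to be present in the old forest; the linked guide covers that step and it is not reproduced here.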