Windows 2012 CA ROOT - How do you deal with adding a CA ROOT to a Windows 2012 server if an older server (2003) Already HAS a CA ROOT installed for the domain?

Hello,

I have a Windows domain that is in the process of being upgraded.  The Native Functionality of the domain is Windows 2003.  We are in the process of decommissioning the Windows 2003 servers, and the 2003 DC is currently the domain Enterprise CA ROOT.

I have added a Windows 2012 server to the domain and promoted it.  I have added Certificate Services, and all of the associated ROLE services, and now I'm ready to configure the ROOT CA.  I am unsure of how to proceed...

- Should I install this new 2012 DC as a ROOT CA?
- Since there is already a Windows 2003 DC that is a ROOT CA, how do I handle this?  I do not have any GPOs that use auto-enrollment or certificate-based remote access.

My intention of use is to start using auto-enrollment for wireless devices to auto-connect to a Cisco based WIFI controller, and for remote access.
jkeegan123 Asked:
Ganesh Kumar A (Sr Infrastructure Specialist) Commented:
You can simply install the role on the Windows 2012 server; there won't be any conflicts, which means you can have two root CAs in your environment.  Since you are not using the root CA for any GPO, it is not going to affect anything by any means. But if you want to migrate, follow the procedure.

Follow the procedure to migrate from Windows 2003 RootCA to Windows 2012 RootCA:
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
Vipin Vasudevan (Infrastructure Specialist) Commented:
That's right, it is very much possible to have multiple RootCAs in an environment. But if your concern is on the usage of existing certificates and want to retain the same for a cause (since you want to remove the old 2003 DC). I personally prefer to have a dedicated RootCA server rather than keeping this role along with the Domain Controller.

You can export and configure the same database and certificates in a new server with the same name or a different name (if it is a different name you have to change the registry value, after exporting the registry configuration from the source).

You may also look into KB http://technet.microsoft.com/en-us/library/ee126170(v=ws.10).aspx

This will help you configure auto enrollment http://technet.microsoft.com/en-us/library/cc731522.aspx
David Johnson, CD, MVP (Owner) Commented:
You can export from the older CA to the new CA:
http://support.microsoft.com/kb/555252
The migration guide is available @ http://technet.microsoft.com/en-us/library/ee126170%28v=ws.10%29.aspx
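The export-and-restore sequence the answers above describe, sketched as an added example (not code from any poster or from the linked Microsoft guides). The folder `C:\CABackup`, the function names, the `$NewHostFqdn` parameter and PowerShell being available on the 2003 source are assumptions; `CAServerName` is the registry value that holds the CA's host name.

```powershell
# Added example. Assumed, not from the thread: the folder C:\CABackup, the
# function names, and PowerShell being installed on the 2003 source.
$Backup = 'C:\CABackup'
$CfgKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Export-OldCA {
    # Run elevated on the 2003 CA while Certificate Services is still running.
    New-Item -ItemType Directory -Path $Backup -Force | Out-Null
    certutil -catemplates > "$Backup\catemplates.txt"   # templates the CA publishes
    certutil -backupDB  $Backup     # CA database and logs
    certutil -backupKey $Backup     # CA cert + private key (.p12); prompts for a password
    net stop certsvc                # no further issuance from the old CA
    reg export $CfgKey "$Backup\CertSvc.reg"
    # The .p12 holds the CA private key: move it over a protected channel and
    # delete the copies once the new CA is confirmed working.
}

function Import-ToNewCA {
    param([string]$NewHostFqdn)     # pass only if the server name changed
    # Run elevated on the 2012 server after copying $Backup across.
    $p12 = Get-ChildItem "$Backup\*.p12" | Select-Object -First 1
    $pw  = Read-Host 'Password set during -backupKey' -AsSecureString
    # Configure the already-installed role around the existing CA key pair.
    # The CA's objects already exist in AD from the old server.
    Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
        -CertFile $p12.FullName -CertFilePassword $pw `
        -OverwriteExistingCAinDS -Force
    net stop certsvc
    certutil -f -restoreDB $Backup
    $reg = "$Backup\CertSvc.reg"
    if ($NewHostFqdn) {
        # Different server name: rewrite the host name value before importing.
        (Get-Content $reg) | ForEach-Object {
            if ($_ -like '"CAServerName"=*') { '"CAServerName"="{0}"' -f $NewHostFqdn }
            else { $_ }
        } | Set-Content $reg -Encoding Unicode
    }
    reg import $reg
    net start certsvc
    certutil -ping                  # confirm the CA answers requests
}
```

On a 2003 source without PowerShell, the same `certutil`, `reg` and `net` lines run in cmd.exe with the paths written out in full.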
Question has a verified solution.
