Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Windows 2012 CA ROOT - How do you deal with adding a CA ROOT to a Windows 2012 server if an older server (2003) Already HAS a CA ROOT installed for the domain?

Posted on 2014-10-24
3
Medium Priority
?
307 Views
Last Modified: 2014-11-16
Hello,

I have a Windows domain that is in the process of being upgraded.  The Native Functionality of the domain is Windows 2003.  We are in the process of decommissioning the Windows 2003 servers, and the 2003 DC is currently the domain Enterprise CA ROOT.

I have added a Windows 2012 server to the domain and promoted it.  I have added Certificate Services, and all of the associated ROLE services, and now I'm ready to configure the ROOT CA.  I am unsure of how to proceed...

- Should I install this new 2012 DC as a ROOT CA?
- Since there is already a Windows 2003 DC that is a ROOT CA, how do I handle this?  I do not have any GPO's that use auto-enrollment or certificate based remote access.

My intention of use is to start using auto-enrollment for wireless devices to auto-connect to a Cisco based WIFI controller, and for remote access.
0
Comment
Question by:jkeegan123
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 12

Accepted Solution

by:
Ganesh Kumar A earned 2000 total points
ID: 40403607
You can simply install the role on the Windows 2012 server, there wont be any conflicts which means you can have two root CA in your environment.  Since you are not using root CA for any GPO it is not going to affect by any means. But if you want to migrate follow the procedure.

Follow the procedure to migrate from Windows 2003 RootCA to Windows 2012 RootCA:
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
0
 
LVL 6

Expert Comment

by:Vipin Vasudevan
ID: 40404141
That's right, it is very much possible to have multiple RootCA in an environment. But if your concern is on the usage of existing certificates and want to retain the same for a cause (Since you want to remove old 2003 DC ). I personally prefer to have a dedicated RootCA server rather than keeping this role along with Domain Controller.

You can export and configure same database and certificates in a new server with same name or different name (if it differnet name you have to change the registry value , after exporting registry configuration from source )

You may also look in  to KB http://technet.microsoft.com/en-us/library/ee126170(v=ws.10).aspx

This will help you configure auto enrollment http://technet.microsoft.com/en-us/library/cc731522.aspx
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 40404302
you can export from the older CA to the new CA
http://support.microsoft.com/kb/555252
The migration guide is available @ http://technet.microsoft.com/en-us/library/ee126170%28v=ws.10%29.aspx
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others.  This conference is aimed mainly at government agencies.  So it addresses the various compli…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question