Certificate Services Upgrade and Migration - or the other way round?
Hi, we currently have a Windows Server 2003 EE x86 Issuing CA (we also have an offline root CA, but there is no need to upgrade it right now). We want to move the CA to Windows Server 2008 R2 EE x64. From Brian Komar's book on "PKI and Certificate Security" I learned that "the upgrade to Windows Server 2008 will not support upgrade between architectures". Brian's book explains two ways to upgrade from W2003 x86 to W2008 R2 x64:

a) Win2003 x86 --> Upgrade to Win2008 x86 --> Migration to Win2008R2 x64
b) Win2003 x86 --> Migration to Win2003 x64 --> Upgrade to Win2003R2 x64

Comments under this blog post state they did it without the extra step: http://www.scottfeltmann.com/index.php/2010/03/02/move-root-ca-from-w2k3-to-w2k8/

Questions:
Is there really an easier way to do it, without the extra step in the middle?
Which method is the one I should prefer, a) or b)?

Thanks for any help or input!
November 23rd, 2010 9:33am

Yes, migrate directly from 2003 x86 to 2008 R2 x64. Even though the KB article (http://support.microsoft.com/kb/298138/) states that x86 and x64 CA DBs are incompatible, this is not true. You will have to back up the entire DB, *all* valid CA certificates and the registry settings. It would be better if the source and destination servers have the same computer and domain name. When you set up the AD CS role on the new server, you will specify the existing CA certificates (if they are stored in PFX in the backup set). After the AD CS role installation you will need to restore the CA DB and registry settings. For more details please check this: http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx

http://en-us.sysadmins.lv
November 23rd, 2010 10:15am
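
The backup and restore steps described in the reply above, as an added example that is not part of the original thread. The folder `C:\CABackup` and the file names are assumptions; the script name `ca-migrate.cmd` is hypothetical.

```batch
@echo off
rem Added example (not from the thread). Run as a CA administrator.
setlocal
rem Assumed path: an empty folder readable only by CA administrators.
set "BACKUP_DIR=C:\CABackup"
set "CFG_KEY=HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"
set "CFG_FILE=%BACKUP_DIR%\CertSvc-Configuration.reg"

if /i "%~1"=="backup"  goto backup
if /i "%~1"=="restore" goto restore
echo Usage: %~nx0 backup ^| restore
exit /b 1

:backup
rem Run on the source CA. certutil -backup expects an empty folder.
if not exist "%BACKUP_DIR%" mkdir "%BACKUP_DIR%"
rem Database, logs, and the CA certificate(s) with private key(s) as a
rem password-protected PFX (.p12); certutil prompts for the password.
certutil -backup "%BACKUP_DIR%" || goto failed
rem CA registry settings.
reg export "%CFG_KEY%" "%CFG_FILE%" || goto failed
rem Record the templates the CA publishes, to compare after the move.
certutil -catemplates > "%BACKUP_DIR%\catemplates.txt"
echo Backup written to %BACKUP_DIR%. It holds the CA private key: move it
echo over a trusted channel and delete the copies when the migration is done.
exit /b 0

:restore
rem Run on the destination after the AD CS role was installed with the
rem existing CA certificate and key from the PFX in the backup set.
net stop certsvc
rem -f overwrites the empty database created by the role installation.
certutil -f -restoreDB "%BACKUP_DIR%" || goto failed
rem Review the .reg file first if host name or paths differ from the source.
reg import "%CFG_FILE%" || goto failed
net start certsvc || goto failed
rem Check that the CA service answers requests again.
certutil -ping
exit /b 0

:failed
echo Step failed with error %errorlevel%. Fix the cause before continuing.
exit /b 1
```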

Hi, I want to let you know that I upgraded and migrated both CAs yesterday in a single step (backup on Windows 2003 x86 --> restore on Windows 2008 R2 x64 without any in-place upgrade) and it worked like a charm. There were only two minor problems:

- On the Issuing CA, which is running on the Enterprise Edition of Windows, I could only publish version 1 certificate templates. I used the command from http://support.microsoft.com/kb/967332 and that helped.
- Before installing the new issuing CA, I uninstalled the old issuing CA and renamed its computer account. However, the new CA's computer account did not have the permission to publish AIA and CRL information to AD. I used adsiedit.msc to correct the security settings manually.

Regards, Dagmar
December 1st, 2010 10:00am

Thanks for sharing your experience! Have a nice day!

http://en-us.sysadmins.lv
December 1st, 2010 1:06pm

This topic is archived. No further replies will be accepted.
