I need to replace or remove a Domain Controller running Windows 2008 SP2 that is also a Root Certificate Server
My objective is to set up a new CA Server running Windows Server 2008 R2 SP1, and it is going to be a Member Server. How do I go about replacing or demoting the Root Cert Domain? And should I revoke the certs before removing the Certs role? What is the impact on existing computers with certs from the old CA server? The CA server is used for RADIUS authentication and for a wireless policy that allows laptops to automatically connect to the Corporate Wireless Network by a certificate granted by the CA Server via Active Directory authentication via group policies. Thanks, Nelson Ehis
August 17th, 2012 12:53pm

Hi,
You may refer to the articles below:
Active Directory Certificate Services Upgrade and Migration Guide
http://technet.microsoft.com/en-us/library/cc742515(WS.10).aspx
Move Root Certificate Authority from Windows Server 2003 to Windows Server 2008
http://www.scottfeltmann.com/blog/2010/03/02/move-root-ca-from-w2k3-to-w2k8/
Please note, changing the name of a server that has the CA role installed is not recommended although it is supported; this is mainly because you need to change a number of configuration parameters to include the old name to keep the old certificates valid. I would also recommend you repost this in the security forum for better assistance: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
Best regards, Abhijit Waikar. MCSA | MCSA:Messaging | MCITP:SA | MCC:2012 Blog: http://abhijitw.wordpress.com Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
August 17th, 2012 1:06pm

Thanks for your response. I will go over the article you sent and check it out, and also consider posting it in the Security forum as per your suggestion. Thanks. Nelson Ehis
August 17th, 2012 4:03pm


Hi, See your previous thread for the CA migration links and the security forum suggestion: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/8c5aad99-03fc-406e-8bfa-1dfb9f01ec06 Best regards, Abhijit Waikar. MCSA | MCSA:Messaging | MCITP:SA | MCC:2012 Blog: http://abhijitw.wordpress.com Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
August 17th, 2012 4:33pm

Hi, I would like to confirm what the current situation is. If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help. Regards, Arthur Li TechNet Subscriber Support If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here. Arthur Li TechNet Community Support
August 20th, 2012 9:21am


I decided to set up a new CA as a member server running WIN 2008 R2 64-bit. The question I have before I remove the CA role from the 2008 SP2 32-bit server: do I need to revoke the certificates before removing the CA role? I want to make sure that the laptops will be able to request new certs from the new server once it is online and Group Policy is pointing to the appropriate container. Thanks. Nelson Ehis
August 22nd, 2012 2:42pm


I moved ahead with the setup but I cannot get my laptops to authenticate with the new CA Server. It is a member server running Windows 2008 R2 SP1. I get this error message when the client attempts to authenticate: "The following fatal alert was generated: 20. The internal error state is 960", and the Event Viewer, under Security, also generates the message below. Your help is appreciated.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/23/2012 9:20:57 AM
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: CERTSERV.domain1.com
Description: Network Policy Server denied access to a user. Contact the Network Policy Server administrator for more information.

User:
  Security ID: USER\temp17-L$
  Account Name: host/temp17-L.domain1.com
  Account Domain: USER
  Fully Qualified Account Name: USER\temp17-L$
Client Machine:
  Security ID: NULL SID
  Account Name: -
  Fully Qualified Account Name: -
  OS-Version: -
  Called Station Identifier: 00-19-77-31-07-51:CORP-WIFI
  Calling Station Identifier: 00-24-D7-EB-AB-EC
NAS:
  NAS IPv4 Address: 10.1.0.87
  NAS IPv6 Address: -
  NAS Identifier: AP05
  NAS Port-Type: Wireless - IEEE 802.11
  NAS Port: 0
RADIUS Client:
  Client Friendly Name: AP05
  Client IP Address: 10.1.0.87
Authentication Details:
  Connection Request Policy Name: Secure Wireless Connections
  Network Policy Name: Secure Wireless Connections
  Authentication Provider: Windows
  Authentication Server: CERTSERV.domain1.com
  Authentication Type: PEAP
  EAP Type: -
  Account Session Identifier: -
  Logging Results: Accounting information was written to the local log file.
  Reason Code: 23
  Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2012-08-23T14:20:57.065095800Z" />
    <EventRecordID>49173</EventRecordID>
    <Correlation />
    <Execution ProcessID="484" ThreadID="532" />
    <Channel>Security</Channel>
    <Computer>CERTSERV.domain1.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-350318053-1507942464-6498272-9267</Data>
    <Data Name="SubjectUserName">host/temp17-L.domain1.com</Data>
    <Data Name="SubjectDomainName">USER</Data>
    <Data Name="FullyQualifiedSubjectUserName">USER\temp17-L$</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">-</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">00-19-77-31-07-51:CORP-WIFI</Data>
    <Data Name="CallingStationID">00-24-D7-EB-AB-EC</Data>
    <Data Name="NASIPv4Address">10.1.0.87</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">AP05</Data>
    <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
    <Data Name="NASPort">0</Data>
    <Data Name="ClientName">AP05</Data>
    <Data Name="ClientIPAddress">10.1.0.87</Data>
    <Data Name="ProxyPolicyName">Secure Wireless Connections</Data>
    <Data Name="NetworkPolicyName">Secure Wireless Connections</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">CERTSERV.domain1.com</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">-</Data>
    <Data Name="ReasonCode">23</Data>
    <Data Name="Reason">An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>
Nelson Ehis
August 23rd, 2012 10:29am
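The 6273 event above carries everything needed to triage the failure on the NPS side. The PowerShell below is an added example, not code from the thread: it parses the event XML into the fields a defender looks at first (account, client MAC, NAS, authentication type, EAP type, reason code) and flags the combination seen here, PEAP with no inner EAP type and reason code 23, which means the outer TLS tunnel never came up. The sample XML is constructed from Nelson's event, trimmed to the fields the function uses; the reason-code table holds only codes whose text is known for certain (23 from the event itself, 16 from NPS documentation), and any other code is reported as a raw number. The `Get-WinEvent` call at the end is the same function run against a live Security log.

```powershell
# Added example (not from the thread): triage NPS event 6273 (Audit Failure)
# from its XML. The sample below is constructed from the event posted above,
# trimmed to the fields this triage uses.
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>6273</EventID>
    <TimeCreated SystemTime="2012-08-23T14:20:57.065095800Z" />
    <Computer>CERTSERV.domain1.com</Computer>
  </System>
  <EventData>
    <Data Name="FullyQualifiedSubjectUserName">USER\temp17-L$</Data>
    <Data Name="CallingStationID">00-24-D7-EB-AB-EC</Data>
    <Data Name="NASIdentifier">AP05</Data>
    <Data Name="NetworkPolicyName">Secure Wireless Connections</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="ReasonCode">23</Data>
  </EventData>
</Event>
'@

# Reason codes whose text is known for certain; everything else is reported raw.
$KnownReasonCodes = @{
    16 = 'Authentication failed due to a user credentials mismatch.'
    23 = 'An error occurred during the NPS use of EAP. Check EAP log files for EAP errors.'
}

function ConvertFrom-NpsRejectEvent {
    param([Parameter(Mandatory = $true)][string]$EventXml)
    $xml = [xml]$EventXml
    # Flatten the <Data Name="..."> elements into a hashtable.
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $reason = [int]$data['ReasonCode']
    $reasonText = if ($KnownReasonCodes.ContainsKey($reason)) { $KnownReasonCodes[$reason] }
                  else { "Unknown reason code $reason" }
    # PEAP with an empty inner EAP type and reason 23: the TLS tunnel failed
    # before the inner method was negotiated, so look at the server-side
    # certificate first (which is what resolved the thread).
    $hint = if ($data['AuthenticationType'] -eq 'PEAP' -and $data['EAPType'] -eq '-' -and $reason -eq 23) {
        'PEAP TLS setup failed before inner EAP; verify the NPS server certificate.'
    } else { 'See reason text.' }
    # New-Object PSObject rather than [pscustomobject] so this runs on PowerShell 2.0 (2008 R2).
    New-Object PSObject -Property @{
        Time       = [datetime]$xml.Event.System.TimeCreated.SystemTime
        Server     = $xml.Event.System.Computer
        Account    = $data['FullyQualifiedSubjectUserName']
        ClientMac  = $data['CallingStationID']
        NAS        = $data['NASIdentifier']
        Policy     = $data['NetworkPolicyName']
        AuthType   = $data['AuthenticationType']
        EapType    = $data['EAPType']
        Reason     = $reason
        ReasonText = $reasonText
        Hint       = $hint
    }
}

# Offline run on the constructed sample:
ConvertFrom-NpsRejectEvent -EventXml $SampleEventXml | Format-List

# Same function on a live NPS server (Security log, last 24 hours), grouped so
# a certificate problem shows up as many clients failing with one reason:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6273; StartTime=(Get-Date).AddDays(-1)} |
#     ForEach-Object { ConvertFrom-NpsRejectEvent -EventXml $_.ToXml() } |
#     Group-Object Reason, EapType | Sort-Object Count -Descending
```

The grouping at the end is the useful detection signal: one laptop failing with reason 23 can be a client-side profile problem, but every wireless client failing with reason 23 and an empty EAP type at the same time points at the server end of the TLS handshake, which is where the thread's fix was.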


I was able to figure it out. It was something to do with the computer certificate not being installed on the server. Go to Start, Run, type mmc, and go to File, Add or Remove Snap-ins. Add Certificates under Available Snap-ins and hit OK, choose Computer account, hit Next, then Finish and OK. Click on the + sign on Certificates (Local Computer) --> Personal --> Certificates. Right-click, choose All Tasks and Request New Certificate; click Next, choose Active Directory Enrollment Policy and click Next; check the Computer box and click the Enroll button. A computer certificate is created. And when the laptops are connected via a LAN connection it then pushes down the certs, and thereafter they can begin to authenticate to the corporate network. Nelson Ehis
August 24th, 2012 10:23am
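The resolution above amounts to giving the NPS server a machine certificate it can present in the PEAP handshake. The PowerShell below is an added example, not from the thread or from Microsoft, that checks the same thing without clicking through the MMC: it lists every certificate in the local machine's Personal store and reports whether each one has a private key, carries the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), is inside its validity period, and chains to a root the server trusts. The function name `Get-PeapServerCertificate` and the `-CheckRevocation` switch are this example's own; run it on the NPS server after enrolling the Computer certificate as described in the post.

```powershell
# Added example (not from the thread): verify the NPS server holds a machine
# certificate usable for PEAP. Written for PowerShell 2.0+ so it runs on
# Windows Server 2008 R2 (no [pscustomobject], no Test-Certificate).
function Get-PeapServerCertificate {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Revocation checking needs the issuing CA's CRL to be reachable. After
        # decommissioning an old CA its CRL location may be dead, so this is off
        # by default; run once with -CheckRevocation to see whether CRL
        # reachability is itself the problem.
        [switch]$CheckRevocation
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # Server Authentication must be present in the EKU extension.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $hasServerAuth = $false
        if ($eku) {
            $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
        }
        # Build the chain the way Windows does, against this machine's trust stores.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if ($CheckRevocation) { $chain.ChainPolicy.RevocationMode = 'Online' }
        else                  { $chain.ChainPolicy.RevocationMode = 'NoCheck' }
        $chainOk = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $inDate = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEku = $hasServerAuth
            ChainBuilds   = $chainOk
            ChainStatus   = $chainStatus
            UsableForPeap = ($cert.HasPrivateKey -and $hasServerAuth -and $chainOk -and $inDate)
        }
    }
}

$candidates = @(Get-PeapServerCertificate)
$candidates | Format-Table Subject, Issuer, NotAfter, HasPrivateKey, ServerAuthEku, ChainBuilds, ChainStatus, UsableForPeap -AutoSize

$usable = @($candidates | Where-Object { $_.UsableForPeap })
if ($usable.Count -eq 0) {
    Write-Warning 'No PEAP-usable machine certificate in LocalMachine\My. Enrol one (Computer template via Active Directory Enrollment Policy) and re-run.'
} else {
    Write-Host ("PEAP-usable certificate(s): " + (($usable | ForEach-Object { $_.Thumbprint }) -join ', '))
}
```

Two caveats the script cannot see for you. NPS binds a specific certificate in the network policy (Constraints, Authentication Methods, PEAP, Edit), so a policy saved before the certificate existed may still need the new certificate selected there. And this checks only the server side of the handshake: the laptops must also trust the root that issued the server certificate, which in the post arrives through the LAN-connected Group Policy push.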
