I need to replace or remove a Domain Controller running Windows 2008 SP2 that is a Root Certificate Server
My objective is to set up a new CA Server running Windows Server 2008 R2 SP1, and it is going to be a Member Server. How do I go about replacing or demoting the Root Cert Domain?
And should I revoke the certs before removing the Certs role? What is the impact on existing computers with certs from the old CA server?
The CA server is used for RADIUS authentication and for a wireless policy that allows laptops to automatically connect to the Corporate Wireless Network by a certificate granted by the CA Server via Active Directory authentication via group policies.
Thanks
Nelson Ehis
August 17th, 2012 12:53pm
Hi,
You may refer below articles:
Active Directory Certificate Services Upgrade and Migration Guide
http://technet.microsoft.com/en-us/library/cc742515(WS.10).aspx
Move Root Certificate Authority from Windows Server 2003 to Windows Server 2008
http://www.scottfeltmann.com/blog/2010/03/02/move-root-ca-from-w2k3-to-w2k8/
Please note that changing the name of a server which has the CA role installed is not recommended, although it is supported; this is mainly because you need to change a number of configuration parameters to include the old name in order to keep the old certificates valid.
I would also recommend you repost this in the security forum for better assistance.
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
Best regards,
Abhijit Waikar.
MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
Blog: http://abhijitw.wordpress.com
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
August 17th, 2012 1:06pm
Thanks for your response. I will go over the article you sent and check it out. And also consider posting it in the Security forum as per your suggestion. Thanks.
Nelson Ehis
August 17th, 2012 4:03pm
My objective is to set up a new CA Server running Windows Server 2008 R2 SP1, and it is going to be a Member Server. How do I go about replacing or demoting the Root Cert Domain?
And should I revoke the certs before removing the Certs role? What is the impact on existing computers with certs from the old CA server?
The CA server is used for RADIUS authentication and for a wireless policy that allows laptops to automatically connect to the Corporate Wireless Network by a certificate granted by the CA Server via Active Directory authentication via group policies.
Thanks
Nelson Ehis
August 17th, 2012 4:29pm
Hi,
See your previous thread for the CA migration links and the security forum suggestion:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/8c5aad99-03fc-406e-8bfa-1dfb9f01ec06
Best regards,
Abhijit Waikar.
MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
Blog: http://abhijitw.wordpress.com
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
August 17th, 2012 4:33pm
Hi,
I would like to confirm what the current situation is. If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.
Regards,
Arthur Li
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Arthur Li
TechNet Community Support
August 20th, 2012 9:21am
I decided to set up a new CA as a member server running Win 2008 R2 64-bit. The question I have before I remove the CA role from the 2008 SP2 32-bit server: do I need to revoke the certificates before removing the CA role? I want to make sure that the laptops will be able to request new certs from the new server once it is online and, via Group Policy, it is pointing to the appropriate container.
Thanks. Nelson Ehis
August 22nd, 2012 2:42pm
I moved ahead with the setup, but I can get my laptops to authenticate with the new CA Server. It is a member server running Windows 2008 R2 SP1. I get this error message when the client attempts to authenticate: "The following fatal alert was generated: 20. The internal error state is 960". In the Event Viewer, under Security, it also generates this message. Your help is appreciated.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/23/2012 9:20:57 AM
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: CERTSERV.domain1.com
Description:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: USER\temp17-L$
Account Name: host/temp17-L.domain1.com
Account Domain: USER
Fully Qualified Account Name: USER\temp17-L$
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-19-77-31-07-51:CORP-WIFI
Calling Station Identifier: 00-24-D7-EB-AB-EC
NAS:
NAS IPv4 Address: 10.1.0.87
NAS IPv6 Address: -
NAS Identifier: AP05
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: AP05
Client IP Address: 10.1.0.87
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Secure Wireless Connections
Authentication Provider: Windows
Authentication Server: CERTSERV.domain1.com
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>6273</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12552</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-08-23T14:20:57.065095800Z" />
<EventRecordID>49173</EventRecordID>
<Correlation />
<Execution ProcessID="484" ThreadID="532" />
<Channel>Security</Channel>
<Computer>CERTSERV.domain1.com</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-350318053-1507942464-6498272-9267</Data>
<Data Name="SubjectUserName">host/temp17-L.domain1.com</Data>
<Data Name="SubjectDomainName">USER</Data>
<Data Name="FullyQualifiedSubjectUserName">USER\temp17-L$</Data>
<Data Name="SubjectMachineSID">S-1-0-0</Data>
<Data Name="SubjectMachineName">-</Data>
<Data Name="FullyQualifiedSubjectMachineName">-</Data>
<Data Name="MachineInventory">-</Data>
<Data Name="CalledStationID">00-19-77-31-07-51:CORP-WIFI</Data>
<Data Name="CallingStationID">00-24-D7-EB-AB-EC</Data>
<Data Name="NASIPv4Address">10.1.0.87</Data>
<Data Name="NASIPv6Address">-</Data>
<Data Name="NASIdentifier">AP05</Data>
<Data Name="NASPortType">Wireless - IEEE 802.11</Data>
<Data Name="NASPort">0</Data>
<Data Name="ClientName">AP05</Data>
<Data Name="ClientIPAddress">10.1.0.87</Data>
<Data Name="ProxyPolicyName">Secure Wireless Connections</Data>
<Data Name="NetworkPolicyName">Secure Wireless Connections</Data>
<Data Name="AuthenticationProvider">Windows</Data>
<Data Name="AuthenticationServer">CERTSERV.domain1.com</Data>
<Data Name="AuthenticationType">PEAP</Data>
<Data Name="EAPType">-</Data>
<Data Name="AccountSessionIdentifier">-</Data>
<Data Name="ReasonCode">23</Data>
<Data Name="Reason">An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.</Data>
<Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
</EventData>
</Event>
Nelson Ehis
August 23rd, 2012 10:29am
I was able to figure it out. It was something to do with the computer certificate not being installed on the server. Go to Start, Run, type mmc, and go to File, Add or Remove Snap-ins. Add Certificates under Available Snap-ins and hit OK, choose Computer account, hit Next, then hit Finish and OK. Click on the + sign on Certificates (Local Computer) --> Personal --> Certificates. Right-click and choose All Tasks and request a new certificate; click Next and choose Active Directory Enrollment Policy, click Next, check the Computer box and click on the Enrollment button.
A computer certificate is created. And when the laptops are connected via a LAN connection it then pushes down the certs, and thereafter they can begin to authenticate to the corporate network.
Nelson Ehis
August 24th, 2012 10:23am
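The two checks a practitioner would run on the NPS server for the failure in this thread (event 6273 with reason code 23 for PEAP, fixed by enrolling a computer certificate), as an added example that is not code from the thread or from Microsoft. It assumes an elevated Windows PowerShell session on the NPS/CA member server and that the event XML has the shape shown in the post above.

```powershell
# Added example, not code from the thread. Run in elevated Windows PowerShell
# on the NPS/CA member server (CERTSERV.domain1.com in the thread).

function Get-NpsEapFailures {
    # Security event 6273 (NPS denied access) with ReasonCode 23, the "EAP error"
    # the thread shows for PEAP clients, reduced to the fields worth triaging.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['ReasonCode'] -eq '23') {
            New-Object PSObject -Property @{
                Time     = $_.TimeCreated
                Account  = $d['SubjectUserName']     # host/<laptop>.domain1.com
                Nas      = $d['NASIdentifier']       # AP05 in the thread
                AuthType = $d['AuthenticationType']  # PEAP
                EapType  = $d['EAPType']             # '-' when the TLS tunnel never came up
            }
        }
    }
}

function Test-NpsServerCertificate {
    # PEAP needs a cert in the computer's Personal store with a private key, the
    # Server Authentication EKU and a chain to a root the laptops trust; that is
    # what enrolling the Computer template gave the poster.
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $found = $false
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        if (-not $cert.HasPrivateKey) { continue }
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if (-not $eku) { continue }
        if (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuth }).Count -eq 0) { continue }
        $found = $true
        New-Object PSObject -Property @{
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer    # should be the new CA, not the retired one
            NotAfter = $cert.NotAfter
            ChainOk  = $cert.Verify()  # builds the chain and checks revocation
        }
    }
    if (-not $found) {
        Write-Warning 'No server-authentication certificate with a private key in LocalMachine\My; enroll one (Computer template) before retesting PEAP.'
    }
}

Test-NpsServerCertificate | Format-List
Get-NpsEapFailures -Hours 48 | Format-Table -AutoSize
```

A certificate that lists but reports ChainOk False usually means the laptops will not trust it either, so check that the new CA's root is in the Trusted Root store pushed by Group Policy before looking elsewhere.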