Migrate CA from W2003 to W2008R2
Greetings,

The need is the following: Migrate an Enterprise Root CA from a Windows 2003 SP2 STD to Windows 2008 R2 SP1.

The problem is the following: the article http://support.microsoft.com/kb/298138 states: "Make sure that the %Systemroot% of the target server matches the %Systemroot% of the server from which the system state backup is taken." But in W2003 server, %systemroot% is "C:\WINNT" and in W2008 R2 SP1, %systemroot% is "C:\Windows".

The question is: What would be the method to migrate the above CA?

Thanks in advance!
October 7th, 2011 11:25pm

This is what you need to do:

(1) Backup old CA server

1. Note the certificate templates that are configured in the Certificate Templates folder in the Certification Authority snap-in. The Certificate Templates settings are stored in Active Directory. They are not automatically backed up. You must manually configure the Certificate Templates settings on the new CA to maintain the same set of templates. (If the new CA server is in the same forest with the old CA server, you don't need to care about the certificate template issue.)
   Note: The Certificate Templates folder exists only on an enterprise CA. Stand-alone CAs do not use certificate templates. Therefore, this step does not apply to a stand-alone CA.
2. Use the Certification Authority snap-in to back up the CA database and private key. To do this, follow these steps:
   a. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.
   b. Click Next, and then click Private key and CA certificate.
   c. Click Certificate database and certificate database log.
   d. Use an empty folder as the backup location. Make sure that the backup folder can be accessed by the new server.
   e. Click Next. If the specified backup folder does not exist, the Certification Authority Backup Wizard creates it.
   f. Type and then confirm a password for the CA private key backup file.
   g. Click Next, and then verify the backup settings. The following settings should be displayed:
      - Private Key and CA Certificate
      - Issued Log and Pending Requests
   h. Click Finish.
3. Save the registry settings for this CA. To do this, follow these steps:
   a. Click Start, click Run, type regedit in the Open box, and then click OK.
   b. Locate and then right-click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
   c. Click Export.
   d. Save the registry file in the CA backup folder that you defined in step 2d.
4. Remove Certificate Services from the old server.
   Note: This step removes objects from Active Directory. Do not perform this step out of order. If removal of the source CA is performed after installation of the target CA (step 6 in this section), the target CA will become unusable.
5. Rename the old server, or permanently disconnect it from the network.

(2) Install new CA server and restore

1. On the new server, run Server Manager.
2. In Roles, choose Add Roles, check Active Directory Certificate Services.
3. Click Next, click Next.
4. Check Certification Authority as well as Certification Authority Web Enrollment, click Next (if you are prompted for dependencies, click Yes).
5. Choose Enterprise, click Next.
6. Choose Subordinate CA, click Next.
7. Choose Use Existing private key and Select a certificate and use its associated private key, click Next.
8. Select Import… and pick up the certificate file in the folder that stores the CA backup in part (1), key in the password you set in part (1), click OK.
9. Click Next, and Next.
10. Choose Install and wait for it to complete, click Close.
11. Run certsrv.msc.
12. Select the server name, click Stop the Service.
13. Select server name, right click, from All Tasks->Restore CA…
14. Click Next, check "Private key and CA certificate" and "Certificate database and certificate database log".
15. Choose the backup folder for restore from this location and click Next.
16. Key in the password you created during the backup and click Next to finish the wizard; after that you can start the CA service again.
17. Import the registry setting (reg file you backed up from the old server), start registry editor, locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, change the C:\Winnt to C:\Windows in the following values: "DBDirectory", "DBLogDirectory", "DBSystemDirectory", "DBTempDirectory", "CACertPublicationURLs", "CRLPublicationURLs", and restart CA service.
18. Start a command prompt by "Run as administrator".
19. Run command "certutil -setreg CA\SetupStatus -SETUP_UPDATE_CAOBJECT_SVRTYPE" without quotes.
20. Restart Certificate Service.

Binu Kumar Small Business Server Support
October 8th, 2011 12:50am
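Step 17 of the answer above is easy to get partly wrong by hand, because the two publication-URL values are multi-string values that hold several entries each. The following PowerShell sketch is an added example, not part of the original post: the function name `Update-CaSystemRootPath` and its parameters are hypothetical, and it assumes the exported .reg file has already been imported on the new server. It walks the Configuration key and its subkeys, rewrites only the six values named in step 17, and supports `-WhatIf` so the changes can be reviewed before they are written.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the new CA after the exported .reg file has been imported.
function Update-CaSystemRootPath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration',
        [string]$OldRoot   = 'C:\WINNT',
        [string]$NewRoot   = 'C:\Windows'
    )
    # The six values named in step 17; nothing else is touched.
    $names = 'DBDirectory', 'DBLogDirectory', 'DBSystemDirectory',
             'DBTempDirectory', 'CACertPublicationURLs', 'CRLPublicationURLs'
    $pattern     = [regex]::Escape($OldRoot)     # match the old path literally
    $replacement = $NewRoot.Replace('$', '$$')   # keep '$' literal in -replace
    $raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

    # The values may sit on the Configuration key itself or on the CA-name
    # subkey below it, so both levels are walked.
    $keys = @(Get-Item -LiteralPath $ConfigKey) +
            @(Get-ChildItem -LiteralPath $ConfigKey -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $names) {
            if ($key.GetValueNames() -notcontains $name) { continue }
            $kind = $key.GetValueKind($name)
            $old  = @($key.GetValue($name, $null, $raw))
            # -replace is case-insensitive, so WINNT, Winnt and winnt all match.
            $new  = @($old -replace $pattern, $replacement)
            if (($new -join "`n") -ceq ($old -join "`n")) { continue }

            if ($PSCmdlet.ShouldProcess("$($key.Name)\$name", "replace $OldRoot with $NewRoot")) {
                # REG_MULTI_SZ needs string[]; REG_SZ / REG_EXPAND_SZ need one string.
                if ($kind -eq [Microsoft.Win32.RegistryValueKind]::MultiString) {
                    $value = [string[]]$new
                } else {
                    $value = [string]$new[0]
                }
                [Microsoft.Win32.Registry]::SetValue($key.Name, $name, $value, $kind)
            }
            # One record per changed value, for review or logging.
            New-Object PSObject -Property @{
                Key = $key.Name; Value = $name; Kind = $kind; Old = $old; New = $new
            }
        }
    }
}

# Preview first; drop -WhatIf to write the changes, then restart the CA service.
Update-CaSystemRootPath -WhatIf
```

Keep the exported .reg file and the CA backup folder access-restricted while this work is in progress, since the backup folder holds the password-protected CA private key.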


You can refer to the article below.

Migrate/Upgrade CA from windows 2003 to windows 2008/R2
http://awinish.wordpress.com/2011/02/05/migrateupgrade-ca-from-one-2003-to-2008r2/

Regards
Awinish Vishwakarma
MY BLOG: http://awinish.wordpress.com
This posting is provided AS-IS with no warranties/guarantees and confers no rights.
October 8th, 2011 11:27am

Hello,

see this article about CA migration: http://technet.microsoft.com/en-us/library/ee126140(WS.10).aspx

Better to ask them here for more information: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
October 8th, 2011 2:19pm

Hi,

%systemroot% in Windows Server 2003 is C:\Windows if OS is installed on C: drive.

To migrate Windows Server 2003 CA to Windows Server 2008 R2 CA, I suggest you follow this guide:

Active Directory Certificate Services Migration Guide
http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx

Regards,
Bruce
October 12th, 2011 5:12am

Thank you Bruce-Liu for your response. The Windows 2003-based CA was upgraded from Windows 2000 Server. This is the reason why %systemroot% is "C:\WINNT".
October 12th, 2011 11:09am

Thank you BinuKumar for your response. This procedure was the answer in a lab environment. But in the production environment I get a related problem (http://social.microsoft.com/Forums/en-US/partnerwinserver7rcthreads/thread/84b3312a-354a-44fd-b201-6745a7e8bf4e).

Thanks to all of you for your help.
October 12th, 2011 11:14am

This topic is archived. No further replies will be accepted.