Move a CA from Win2k3 to Win2k8 R2 (workgroup)
I need to move a CA currently on a Windows Server 2003 Enterprise SP2 to a Windows Server 2008 R2. The old and new computers are not part of our domain; they are workgroup computers. The CA is used only for generating certificates for our external partners, and the CRL is not available to them/externally. Could someone provide the steps needed to migrate the CA? All I can find is information about domain-joined AD CS.
March 10th, 2012 9:09am

You need to follow the steps in the ADCS Migration Guide http://technet.microsoft.com/en-us/library/ee126170(v=ws.10).aspx The steps simplified are:
1. Backing up the CA database and private key
2. Backing up CA settings, including CAPolicy.inf
3. Removing the CA role service from the source server
4. Adding the CA role service to the destination server (after restoring the CAPolicy.inf)
5. Restoring the CA database and configuration on the destination server
/Hasain
March 10th, 2012 10:22am
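The five steps above, as an added worked example (not part of this thread or of Microsoft's migration guide). It assumes the names used later in the thread (source server1 with CA name ca1, a destination called server2, a backup folder C:\CABackup) and a placeholder backup password; everything is run from an elevated command prompt so the source side works on Windows Server 2003, which has no PowerShell by default. Step 3 keeps the old CA offline rather than uninstalling the role, which is the option the thread settles on.

```batch
@echo off
rem Added example, not from the thread or the migration guide. Assumed names:
rem source server1 (Win2k3), CA name ca1, destination server2 (2008 R2),
rem backup folder C:\CABackup. Save as a .bat and run elevated on each box.

rem ===== On the SOURCE (server1) =====
set BACKUP=C:\CABackup
mkdir %BACKUP%

rem 1. CA database and private key. The key is exported to %BACKUP%\ca1.p12,
rem    protected with the -p password. That file IS the CA: store it like one.
certutil -p "PlaceholderPassword" -backup %BACKUP%

rem 2. CA settings: the CertSvc configuration hive plus CAPolicy.inf, if one was used.
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration %BACKUP%\CertSvc-Configuration.reg
if exist %SystemRoot%\CAPolicy.inf copy %SystemRoot%\CAPolicy.inf %BACKUP%\

rem 3. Stop issuing on the old CA so the copy above stays authoritative, then take the
rem    box off the network (recoverable) instead of removing the role.
net stop certsvc

rem ===== On the DESTINATION (server2), after copying C:\CABackup across =====
rem 4. Put CAPolicy.inf in place BEFORE adding the role so setup honours it.
if exist %BACKUP%\CAPolicy.inf copy %BACKUP%\CAPolicy.inf %SystemRoot%\

rem 5. Add the AD CS role service (Standalone CA) in Server Manager. In the wizard
rem    choose "Use existing private key", select the certificate from %BACKUP%\ca1.p12
rem    and supply the password above, so the new CA keeps the name ca1 and the same key.
rem    (Wizard step; no command shown here.)

rem 6. Restore the database over the freshly installed CA, then the settings.
net stop certsvc
certutil -f -restoredb %BACKUP%
rem    Review the .reg before importing: any value that embeds the OLD host name
rem    (server1) must be corrected first, or published URLs will point at a dead host.
reg import %BACKUP%\CertSvc-Configuration.reg
net start certsvc

rem 7. Sanity checks: the CA name must still be ca1, and a CRL must publish cleanly.
certutil -cainfo name
certutil -CRL
```

The registry import is the step to treat with most care: the exported hive includes the publication URL templates and other values that may reference the source host, so import it after editing rather than blindly.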

Thank you for your reply. These questions come up:
- Should the new computer have the same computer name (even if we're not talking about domain members)? What steps do I need to take if it does not (please keep in mind the second bullet point as well)?
- The source computer is named server1, but the CA name is ca1. Can/should the destination computer have a different computer name, but the same CA (ca1) name? Or can the CA name also be different (I doubt this)?
- Why do I need to remove the CA role from the source server in this (workgroup servers) case? Wouldn't it be better to just disconnect it from the network, shut it down and, if I'm having issues with the destination server, bring it back up and continue using it?
March 10th, 2012 2:08pm

Changing the CA name is not supported and not technically possible unless you generate a new CA with a new name. Changing the server name is supported but you need to take care of the effects if the old name was used (the server name is used by default in both AIA and CDP URLs) in the old config. You are correct about not needing to remove the CA role from the old server and rather keeping it for recovery. /Hasain
March 10th, 2012 2:37pm
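A way to check the effect Hasain describes, as an added example that is not from the thread: it dumps the CA's configured AIA/CDP URL templates and the extensions of an already-issued certificate so you can see whether the old host name (assumed: server1) is hard-coded anywhere, then shows how to rewrite the CRL template and republish. The file name partner.cer is a constructed placeholder, and the replacement template is an assumption (local publication only, which matches a CA whose CRL is not reachable externally).

```batch
@echo off
rem Added example, not from the thread. Run elevated on the CA, saved as a .bat
rem (the doubled %% below is batch escaping for a literal % in the template).

rem The configured publication URL templates. In these strings %1 is expanded to the
rem server's DNS name at publication time; a literal "server1" means a hard-coded name.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

rem Certificates issued before the move carry the URLs as they were expanded back then.
rem -dump prints the CRL Distribution Points and AIA extensions; filter to the URL lines.
certutil -dump partner.cer | findstr /i "URL="

rem If a hard-coded old name must go, rewrite the CRL template (flag 1 = publish the
rem CRL to this location), restart the service and republish so the new CRL reflects it.
certutil -setreg CA\CRLPublicationURLs "1:%%WINDIR%%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl"
net stop certsvc && net start certsvc
certutil -CRL
```

Certificates already handed to partners keep whatever URLs were embedded at issuance; changing the template only affects what is published and embedded from now on.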

OK. Probably not an issue, since the AIA and CDP URLs are not externally accessible from the source server as it is (it's not open to the internet). OK, I'll keep the old server disconnected and use it only if the new one causes any issues.
March 10th, 2012 2:46pm


An additional (probably final) question. I already have a two tier PKI in place for our domain. Would it be possible to join the destination server (used for our external partners) to the domain without affecting the PKI that is already in place for our internal use? If so, how do I go about doing that? Apart from the two tier PKI I also have two additional (both root) CAs for IPsec NAP.
March 11th, 2012 4:37am

Adding another standalone CA on a member server is not going to affect your existing PKI structure in AD. The new standalone CA is going to be automatically trusted by AD and its members but will not affect AD in any other ways. /Hasain
March 11th, 2012 5:03am

