Move a CA server from Domain Controller to another member server of the domain in Windows 2003 server
I went through the threads and could not find a definite answer to this. There was a thread similar to what I wanted but the answers beat around the bush with links to KB articles. So, I will present my scenario and then also the links I went to so that it saves everyone trouble.

The server system is Windows 2003 and the domain functional level is Windows 2000 mixed. I have a root enterprise CA running on a domain controller which is at 100% CPU most of the time due to lsass and system processes (had tried to get help from the forum on how to correct that but no definite answer. sigh!). I would like to move the CA to a different server (non domain controller). Please note that I WON'T be able to RENAME the old server, that is, the current domain controller with the enterprise root CA (I didn't set it up. Apparently some consultants did ages back. I happen to inherit the mess).

So, here are my questions:

Since I won't be able to rename the current server hosting the CA services, is there an alternative way to move the enterprise root CA to a member server of the domain?

If the above cannot be done, how do I go about creating a new CA infrastructure? This is what I have in mind: (1) install a separate enterprise root CA and take it offline while another server does the work of issuing the root certificates. (2) Make sure all the services and servers use the certificates issued by the new CA. (3) Revoke the certificates distributed by the current CA. (4) Uninstall the current CA from the domain controller.

I have been through these links:

This link suggests moving the CA to another domain controller. This is not what I want.
http://support.microsoft.com/kb/555012
I need to migrate to a different server that is a member of the domain but not a domain controller itself.

This link talks about moving the CA to another server but requires that you RENAME the old server.
http://support.microsoft.com/kb/298138
I will not be able to rename the old server. So this doesn't work for me.

This forum talks about demoting a domain controller with a CA on it. I am not planning to demote the current domain controller first. Before I do so, I need to make sure that all the services running on that machine are migrated to a different server. This link also forwards you to the link above. So, it doesn't help.
http://social.technet.microsoft.com/Forums/en-US/winserversetup/thread/d922860b-c8cd-4ed5-9b0b-05391c18afc0

This forum forwards you to one of the links above and has the same issue about RENAMING the old server.
http://social.technet.microsoft.com/Forums/en/winservergen/thread/7964bbe8-c5f5-439a-bcf7-34b54da0f6db

In addition there is a new link in the above forum that also mentions RENAMING the old server.
http://technet.microsoft.com/en-us/library/cc755153(WS.10).aspx

And this link talks about moving the CA to another domain controller. So this doesn't help either.
http://social.technet.microsoft.com/forums/en-us/winserverDS/thread/7E8B15EC-C1AA-4368-9B38-BB89E9EB9418

It would be awesome if the old server remained as it was after migration without having to rename it. Since that seems to be "unanswerable", is there a plan/guideline I could follow to have a separate root CA installed on a member server, to make the domain controllers and other services in the domain that are reliant on the current CA use the root certs issued by the new CA, and then to decommission the current CA without disrupting services?

Thank you for your time!
November 3rd, 2010 4:38pm

Hi,

If there is a Windows Server 2008 computer available, you can move the CA to that server. For detailed information, please see http://technet.microsoft.com/en-us/library/cc742388(WS.10).aspx

Hope it is helpful for your work.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
November 9th, 2010 12:55am

Thanks for the response. In Option A: Migrate the CA to a New Host, it mentions "Update CRL distribution point and authority information access extensions after a host name change". This line confuses me. Does the "host name change" in this refer to the fact that the CA is now restored on a different host?

Also, how about if I do this?

1. Install a new standalone root CA.
2. Install a subordinate standalone CA.
3. Take the root CA offline.
4. Install an enterprise issuing CA (e.g. Server X).
5. Take the subordinate CA offline. The enterprise issuing CA will be responsible for distributing the certs.
6. Have the services and applications use the new certs issued by Server X.
7. Revoke the certs from the old root CA.
8. Update the CRL.
9. Uninstall the old root CA.

Thanks.
November 9th, 2010 3:44pm

> Thanks for the response. In Option A: Migrate the CA to a New Host, it mentions "Update CRL distribution point and authority information access extensions after a host name change". This line confuses me. Does the "host name change" in this refer to the fact that the CA is now restored on a different host?

Yes. Restore the CA on the target computer with a different host name, and then update the CDP and AIA.

Of course, you can install a new PKI hierarchy. To decommission the old CA, you can refer to the following KB article: http://support.microsoft.com/kb/889250

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
November 9th, 2010 11:55pm
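The answer above says to update the CDP and AIA after the CA is restored on a host with a different name. What that looks like in practice, as an added example that is not from the thread or from the linked Microsoft articles: the CA's publication URLs live in the registry under the CA configuration and are set with certutil, after which the service is restarted and a fresh CRL published. The host name hostnameB is the thread's new server; the DNS suffix, the pki.corp.example alias and the HTTP CertEnroll path are placeholders for your environment.

```powershell
# Added example (not from the thread or Microsoft's documentation). Run in an elevated
# prompt on the new CA host (hostnameB in the thread) after the CA has been restored there.
# Placeholder: a DNS alias that points at the new host and serves the CertEnroll folder.
$PkiAlias = "pki.corp.example"
$HttpBase = "http://$PkiAlias/CertEnroll"

# 1. Inspect what the restored CA publishes now. If the registry was restored together with
#    the database, these entries may still be built for the old host.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# 2. CRL distribution points. certutil separates list entries with a literal "\n".
#    Flag prefixes: 1 = publish the CRL here, 2 = put in the CDP extension of issued certs,
#    4 = put in CRLs so clients find delta CRLs, 8 = put in the CDP extension of CRLs,
#    64 = publish delta CRLs here (79 = all of these).
#    Tokens: %2 = server short name, %3 = CA name, %6 = configuration container,
#    %7 = truncated CA name, %8 = CRL name suffix, %9 = delta CRL allowed, %10 = CDP class.
certutil -setreg CA\CRLPublicationURLs ("1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl" +
    "\n2:$HttpBase/%3%8%9.crl" +
    "\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10")

# 3. Authority information access. Flags: 1 = publish the CA certificate here,
#    2 = put in the AIA extension of issued certs. %1 = server DNS name, %4 = CA cert index.
certutil -setreg CA\CACertPublicationURLs ("1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt" +
    "\n2:$HttpBase/%1_%3%4.crt" +
    "\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11")

# 4. Restart the service so the new extensions are used, then publish a fresh CRL and CA
#    certificate to the new locations.
Restart-Service CertSvc
certutil -CRL

# 5. Check: take a certificate issued after the change (placeholder path) and confirm that
#    every CDP and AIA URL embedded in it can actually be fetched.
certutil -verify -urlfetch "C:\temp\issued-after-move.cer"
```

Two points worth noting. The URLs are only written into certificates issued from now on; everything the CA issued while it lived on the old host still carries the old host's URLs, so the old CRL location has to keep answering (or those certificates have to be reissued, as the last reply in the thread says) or revocation checking on them fails. And using a stable DNS alias rather than the %1 server-name token in the HTTP URL means the next host move will not require touching the extensions at all.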

Two more cents for confirmation, please. "Restore the CA on the target computer with different host name, and then update the CDP and AIA". So, if my current enterprise root CA is on server hostnameA (Windows 2003 Standard Edition) then I can restore it to Windows 2008 server hostnameB and still keep hostnameA and hostnameB in the network without renaming hostnameA? Since the article mentions it applies to Windows 2008, I am assuming you cannot restore it to another Windows 2003 server without having to rename the old server.

A new PKI infrastructure won't hurt the current infrastructure (actually there's only one root CA) and when it is installed, one can get rid of the old CA following the link posted by you?

Thank you.
November 10th, 2010 10:53am

Hi,

1. Yes, it only applies to Windows Server 2008.

2. After you install a new CA, you can remove the old one. However, you need to issue certificates to all subjects again. It means that you re-deploy the PKI environment from scratch.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
November 11th, 2010 2:11am
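The last reply says every subject has to receive a new certificate before the old CA is removed. Before that work starts, and before the revocation step the original poster planned, you want a list of what the old CA has issued and where those certificates are installed. The following is an added example, not from the thread: it pulls the old CA's issued-certificate view with certutil and, on each server or domain controller, lists the machine-store certificates that chain to the old CA. The CA name "OldRootCA" and the config string "hostnameA\OldRootCA" are placeholders (hostnameA is the thread's old domain controller).

```powershell
# Added example (not from the thread). Inventory of what must be reissued before the old CA
# is decommissioned. Placeholders: the old CA's common name and its "host\CA name" config.
$OldCaName   = "OldRootCA"
$OldCaConfig = "hostnameA\OldRootCA"

# 1. Issuing side: every certificate the old CA issued (Disposition 20) that has not yet
#    expired, with the requester and the template it came from. Needs access to the CA database.
certutil -config $OldCaConfig -view -restrict "Disposition=20,NotAfter>=now" `
    -out "RequestID,RequesterName,CommonName,NotAfter,CertificateTemplate"

# 2. Relying side: certificates in this computer's machine stores whose issuer is the old CA.
#    HasPrivateKey = True marks certificates this machine uses itself (server auth, DC
#    authentication, etc.) and therefore needs replaced from the new CA; the self-signed root
#    shows up in the Root store and is what gets removed last, as the decommissioning KB describes.
function Get-OldCaCertificates {
    param([string]$IssuerName)

    Get-ChildItem Cert:\LocalMachine -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Where-Object { $_.Issuer -like "*CN=$IssuerName*" } |
        Select-Object @{ n = 'Store'; e = { Split-Path $_.PSParentPath -Leaf } },
                      Subject, NotAfter, HasPrivateKey, Thumbprint
}

Get-OldCaCertificates -IssuerName $OldCaName | Format-Table -AutoSize

# Keep a per-machine record so replacement progress can be tracked across the domain.
Get-OldCaCertificates -IssuerName $OldCaName |
    Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-oldca-certs.csv"
```

Run step 2 on every domain controller and member server that enrolled from the old CA; a certificate that is still in use but missing from the list the new CA has issued is the gap that would break a service when the old CA is revoked and uninstalled.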

