Move already once migrated CA to another new server
My CA has already been migrated once, several years ago, to a 2008 R2 Domain Controller. The Certificate name is the name of the ORIGINAL server, call it EXCHANGE, and it lives on a server called DOMAIN_CONTROLLER_1. I want to move the CA to DOMAIN_CONTROLLER_2 (also a 2008 R2 DC) so I can decommission the old server DOMAIN_CONTROLLER_1. As the CA name is not DOMAIN_CONTROLLER_1, do I actually need to rename anything as part of this process? All the certs carry the name EXCHANGE. Using http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx#BKMK_ImportCACert as reference.
April 23rd, 2012 9:24pm

Thanks Angelo, just to clarify - your situation had a CA name of EXCHANGE but was running from a server with name OLD_SERVER and you moved it to the server with name NEW_SERVER and kept the CA name as EXCHANGE throughout the operation?
April 23rd, 2012 10:50pm

Finally got around to this and used a new server for the job. All seems to have transferred OK, no errors at any point, nothing in the event log. The only changes I made were the "CAServerName" value in the registry key and granting the new server full permissions on the various AIA and CDP paths in AD Sites and Services PKI as per MS instructions. I've only just completed, but testing on a PC, I can't pick up any new certs; ALL show as unavailable. This might be AD replication yet to occur, or a problem. Tests below:

certutil -getreg CA\CRLPublicationURLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\EXCHANGE\CRLPublicationURLs:
  CRLPublicationURLs REG_MULTI_SZ =
    0: 65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
      CSURL_SERVERPUBLISH -- 1
      CSURL_SERVERPUBLISHDELTA -- 40 (64)
    1: 79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
      CSURL_SERVERPUBLISH -- 1
      CSURL_ADDTOCERTCDP -- 2
      CSURL_ADDTOFRESHESTCRL -- 4
      CSURL_ADDTOCRLCDP -- 8
      CSURL_SERVERPUBLISHDELTA -- 40 (64)
    2: 0:http://%1/CertEnroll/%3%8%9.crl
    3: 0:file://%1/CertEnroll/%3%8%9.crl
CertUtil: -getreg command completed successfully.

certutil -getreg CA\CACertPublicationURLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\EXCHANGE\CACertPublicationURLs:
  CACertPublicationURLs REG_MULTI_SZ =
    0: 1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
      CSURL_SERVERPUBLISH -- 1
    1: 3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
      CSURL_SERVERPUBLISH -- 1
      CSURL_ADDTOCERTCDP -- 2
    2: 0:http://%1/CertEnroll/%1_%3%4.crt
    3: 0:file://%1/CertEnroll/%1_%3%4.crt
CertUtil: -getreg command completed successfully.

certutil -crl
CertUtil: -CRL command completed successfully.

Do I need to add a CNAME in DNS to point requests to EXCHANGE to go to my new CA?
May 9th, 2012 12:01am
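An added post-migration check for the situation in this thread, written in PowerShell; it is not part of the original posts or of Microsoft's migration guide. It assumes the thread's placeholder names EXCHANGE, DOMAIN_CONTROLLER_1 and DOMAIN_CONTROLLER_2 and an enterprise CA with URL templates like the certutil output above. The script decodes the CSURL flag bits in CRLPublicationURLs and CACertPublicationURLs, expands the certutil tokens, and then checks every URL that is actually written into issued certificates under both the new and the old server name, because certificates issued before the move still carry URLs expanded with the old name.

```powershell
# Added example, not from the original thread. Checks a migrated enterprise CA that
# kept its CA name (EXCHANGE) but moved to a new host. DOMAIN_CONTROLLER_1 and
# DOMAIN_CONTROLLER_2 are the thread's placeholders; all three values below are
# assumptions to adjust. Run in an elevated PowerShell on the new CA host.
$caName  = 'EXCHANGE'              # CA common name, unchanged by the move
$newHost = 'DOMAIN_CONTROLLER_2'   # assumed: host now running the CA service
$oldHost = 'DOMAIN_CONTROLLER_1'   # assumed: host being decommissioned
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"

# 1. CAServerName is read by the CA service and must name the new host.
$serverName = (Get-ItemProperty -Path $regPath -Name CAServerName).CAServerName
if ($serverName -ine $newHost) { Write-Warning "CAServerName is '$serverName'; expected '$newHost'" }

# 2. Each REG_MULTI_SZ entry is "<flags>:<template>". The CSURL_* bits decide whether
#    the CA publishes to a URL and/or writes it into issued certificates.
$csUrlFlags = @{ 1 = 'SERVERPUBLISH'; 2 = 'ADDTOCERTCDP'; 4 = 'ADDTOFRESHESTCRL'; 8 = 'ADDTOCRLCDP'
                 16 = 'PUBLISHRETRY'; 32 = 'ADDTOCROSSCERTCDP'; 64 = 'SERVERPUBLISHDELTA'; 128 = 'ADDTOIDP' }
function Split-CsUrl {
    param([string]$Entry)
    $i = $Entry.IndexOf(':')
    $flags = [int]$Entry.Substring(0, $i)
    $names = $csUrlFlags.Keys | Sort-Object | Where-Object { $flags -band $_ } | ForEach-Object { $csUrlFlags[$_] }
    New-Object PSObject -Property @{ Flags = $flags; Names = @($names); Template = $Entry.Substring($i + 1) }
}

# 3. Expand the certutil tokens: %1 = ServerDNSName, %2 = ServerShortName, %3 = CAName,
#    %6 = ConfigurationContainer DN, %7 = SanitizedCAName. %4/%8 (renewal suffixes) and
#    %9 (delta suffix) are empty for the base CRL of a never-renewed CA; %10/%11 are the
#    LDAP query suffixes and are dropped so that only the DN remains. The short name is
#    used for %1 as well (certutil normally uses the FQDN); it resolves inside the domain.
$cfgDn = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'][0]
function Expand-CaUrl {
    param([string]$Template, [string]$Server)
    $u = $Template
    foreach ($t in '%10', '%11', '%4', '%8', '%9') { $u = $u.Replace($t, '') }   # %10/%11 first: they contain '%1'
    return $u.Replace('%1', $Server).Replace('%2', $Server).Replace('%3', $caName).Replace('%6', $cfgDn).Replace('%7', $caName)
}

# 4. Certificates issued BEFORE the move embed URLs expanded with the OLD host name
#    (the LDAP CDP object lives under CN=<ServerShortName>,CN=CDP,...; the HTTP AIA
#    file name also contains %1), so every URL with ADDTOCERTCDP set is checked under
#    both names. LDAP objects are read from AD and their validity dates printed.
$crlEntries = @((Get-ItemProperty -Path $regPath -Name CRLPublicationURLs).CRLPublicationURLs)
$aiaEntries = @((Get-ItemProperty -Path $regPath -Name CACertPublicationURLs).CACertPublicationURLs)
$wc = New-Object System.Net.WebClient
foreach ($e in (($crlEntries + $aiaEntries) | ForEach-Object { Split-CsUrl $_ })) {
    Write-Host ("{0,4} {1,-40} {2}" -f $e.Flags, ($e.Names -join ','), $e.Template)
    if (-not ($e.Flags -band 2)) { continue }            # not written into issued certs
    foreach ($srv in @($newHost, $oldHost)) {
        $url = Expand-CaUrl -Template $e.Template -Server $srv
        try {
            if ($url -like 'ldap:///*') {
                $obj  = [ADSI]('LDAP://' + $url.Substring(8))   # strip 'ldap:///', keep the DN
                $attr = if ($e.Template -like '*CN=CDP,*') { 'certificateRevocationList' } else { 'cACertificate' }
                $bytes = [byte[]]$obj.Properties[$attr].Value
                if (-not $bytes) { throw "object exists but $attr is empty" }
                $tmp = Join-Path $env:TEMP 'cdp-check.bin'
                [IO.File]::WriteAllBytes($tmp, $bytes)
                $dates = certutil -dump $tmp | Select-String 'ThisUpdate|NextUpdate|NotAfter' |
                         ForEach-Object { $_.Line.Trim() }
                Write-Host ("  OK   {0}`n       {1}" -f $url, ($dates -join '; '))
            } else {
                $bytes = $wc.DownloadData($url)
                Write-Host ("  OK   {0} ({1} bytes)" -f $url, $bytes.Length)
            }
        } catch {
            Write-Warning ("FAIL {0}: {1}" -f $url, $_.Exception.Message)
        }
    }
}
```

Two things the output makes visible for a configuration like the one in the thread. First, the http:// and file:// entries there carry flags 0, so they are neither published nor written into certificates; only the ldap:/// entries (flags 79 and 3) reach clients, and an ldap:/// URL has no host name in it (clients resolve it through the domain's DC locator), so a DNS CNAME for the old server does not change how those URLs are resolved. Second, the LDAP CDP template contains %2, the server short name: the CA now publishes its CRL under CN=EXCHANGE,CN=DOMAIN_CONTROLLER_2,CN=CDP,..., while certificates issued before the move point at the CN=DOMAIN_CONTROLLER_1 container, whose CRL will go stale once its NextUpdate passes. If the script reports an expired or missing CRL under the old container, the usual remedy is to add an extra CRLPublicationURLs entry with the old short name hard-coded in place of %2 and only the SERVERPUBLISH flags set (so the CA keeps that object current without writing the URL into new certificates), then run certutil -crl again; the alternative is to reissue the affected certificates before DOMAIN_CONTROLLER_1 is removed.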

Gave it a bit more time (and a PC reboot) and could now renew my Wireless certificate, looks pretty happy - still wondering if I need to add a CNAME though?
May 9th, 2012 12:24am
