Moving CA to different Hostname
Hi,
I want to move a CA Enterprise Authority from w2k3 to w2k8r2. The target server name is different from the source server.
I followed the CS Migration Guide from Microsoft.
What I did:
- backup CA db and registry source server
- uninstalled service
- installed Enterprise Authority Role
- imported db and restored reg settings
- changed CAServerName in registry to actual hostname
But in the AD the CertificateAuthorities is still pointing to the old Server.
CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=test
But the CDP is updated with the new Hostname.
In the Migration Guide for different hostname migrations:
1. If the target CA's computer name is different from the source CA's computer name, search the file for the host name of the source CA computer. For each instance of the host name found, ensure that it is the appropriate value for the target environment. Change the host name, if necessary. Update the CAServerName value.
2. If the host name is located in the .reg file as part of the CA name, such as in the Active value within the Configuration key or the CommonName value within the CAName key, do not change the setting. The CA name must not be changed as part of the migration. This means the new target CA must have the old CA's name, even if part of that name is the old CA's host name.
I am not very familiar with CS. What did I forget? Is it preferable to try to restore to the same hostname? As I see it, the CA Authority name will always be the old name of the old server. So I don't have to reissue the root CA to all the clients, correct?
From the Migration Guide I can only see that when the hostname differs I should change the CAName in the registry. Is this really enough? A first test to create a certificate seems to be successful, but I am a bit concerned about the AD stuff.
Thanks,
Marco
May 11th, 2011 10:00am
Yes, the CA Name cannot change. Review Amer Kamal's recent blog entry, as he has covered this subject in detail:
http://blogs.technet.com/b/pki/archive/2012/01/27/steps-needed-to-decommission-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-all-operations-to-a-new-certification-authority.aspx
April 14th, 2012 12:18am
No, you CAN migrate quite with any scenario if the target is 2008+, and in a supported way:
http://technet.microsoft.com/en-us/library/cc742388(v=ws.10).aspx
o.
April 21st, 2012 3:25am
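The two registry rules from the migration guide quoted in the first post, as an added example that is not part of the thread or of Microsoft's guide: a Python check that scans an exported CA .reg file for the source host name and marks each hit as update (CAServerName), keep (Active, CommonName) or review. The host name OLDSRV, the CA name OLDSRV-CA and the value ExampleOtherValue are constructed sample data.

```python
import re

UPDATE = {"caservername"}        # guide step 1: set to the target host
KEEP = {"active", "commonname"}  # guide step 2: part of the CA name, leave as is

# Constructed sample export; real regedit exports are UTF-16 text files.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration]
"Active"="OLDSRV-CA"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\OLDSRV-CA]
"CommonName"="OLDSRV-CA"
"CAServerName"="oldsrv.test.test"
"ExampleOtherValue"="\\\\oldsrv\\share"
"Unrelated"="nothing here"
'''

STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def classify_hostname_refs(reg_text, old_host):
    """Return (key, value_name, data, action) for every string value whose
    data contains old_host (case-insensitive). Only "name"="text" values are
    inspected; hex-encoded values are not decoded and need a manual look."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = STRING_VALUE.match(line)
        if not m or old_host.lower() not in m.group(2).lower():
            continue
        name = m.group(1)
        if name.lower() in UPDATE:
            action = "update"    # must name the new server
        elif name.lower() in KEEP:
            action = "keep"      # CA name must survive the migration
        else:
            action = "review"    # not covered by the quoted steps
        findings.append((key, name, m.group(2), action))
    return findings

if __name__ == "__main__":
    for key, name, data, action in classify_hostname_refs(SAMPLE_REG, "oldsrv"):
        print(f"{action:6} {name} = {data}   [{key}]")
```

For a real export, read the file with `encoding="utf-16"` before passing its text to `classify_hostname_refs`.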


