Moving My CA: My Head is Spinning
Hello, all.
To accommodate certificate duplication for DirectAccess, I need to move my enterprise CA from its current home, a Windows 2008 Standard Server, to a new server with Windows Server 2008 Standard R2. I've pored through a number of white papers and forum posts and my head is spinning.
1. Does an enterprise CA have to live on a domain controller? Or is it best to place it on a member server?
2. I need to keep the DC where my enterprise CA currently lives so I will not be decommissioning this server. I get the impression that moving my CA to another server with a different name may cause issues. Is that the case?
3. Would it be easier to upgrade my existing CA to either Server R2 or Server Enterprise instead of moving my CA to another server?
4. Can a CA move be done during production hours? Should I wait until the weekend?
Any additional guidance, tips, comments would be greatly appreciated.
Thank you.
May 10th, 2011 4:47pm
> Does an enterprise CA have to live on a domain controller? Or is it best to place it on a member server?
No. As a best practice you should not combine the domain controller and CA server roles. The CA server MUST be a non-DC and should be a simple member server (of course a member of the AD forest).
> I need to keep the DC where my enterprise CA currently lives so I will not be decommissioning this server. I get the impression that moving my CA to another server with a different name may cause issues. Is that the case?
Since CA migration from one server to another (with different names and computer account) is not trivial, you may need consulting support.
> Would it be easier to upgrade my existing CA to either Server R2 or Server Enterprise instead of moving my CA to another server.
This is the easiest way. However, if you have additional licences you should consider moving the CA server to a dedicated machine (this is really a big question and depends on the issued certificate count and the requirements for CA server availability and security measures).
> Can a CA move be done during production hours? Should I wait until the weekend?
You can, and it is possible. However, this may require consulting support.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
May 10th, 2011 5:17pm
1. No, it does not have to live on a DC. As a matter of fact, I typically prefer that it does NOT. Put it on a member server.
2. 3. 4. See the CA migration guide. That's ultimately what you're looking at doing. It's just as valid for 2008R2 as it is for 2008. Download it here:
Active Directory Certificate Services Upgrade and Migration Guidance
http://www.microsoft.com/downloads/en/details.aspx?familyid=C70BD7CD-9F03-484B-8C4B-279BC29A3413&displaylang=en
You'll especially be interested in the section titled:
Example: Moving a CA from a Domain Controller
Thanks!
May 10th, 2011 5:18pm
Thank you for the responses. Digging through the document Sean linked. Funny, I've spent two work days digging through the Web for info on this process and never found that document. Really helpful.
Clarification question regarding the following paragraph:
Certificate templates. Certificate templates were introduced with Certificate Services in Windows 2000 Server. These version 1 certificate templates could not be modified, with the exception of permissions, and did not support autoenrollment. In Windows Server 2003, version 2 certificate templates were introduced and required a server running Windows Server 2003 Enterprise Edition. Version 2 templates could be modified by using the Certificate Templates Microsoft Management Console (MMC) snap-in and offered support for autoenrollment.
In Windows Server 2008 Enterprise, version 3 certificate templates add support for Cryptography Next Generation (CNG) and require client computers that are running Windows Vista®.
I want to be certain the Windows Server Standard 2008 R2 will provide the same AD CS features found in Server 2008 Enterprise. I am conducting this CA migration specifically to facilitate a DirectAccess implementation and need to be able to duplicate templates and configure auto enrollment for my clients. Will R2 allow this?
May 10th, 2011 6:16pm
Yes, Windows Server 2008 R2 provides the same functionality (but greatly enhanced) so you can safely migrate your current CA to a new Windows Server platform.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
May 10th, 2011 6:50pm
Yes, with 2K8R2 all of the stuff that required Enterprise before is now available in Standard. Concerning version 3 templates though, you don't need them for DA. You can use them if you like, but if you plan on creating a cert template for clients that will service both your DirectAccess clients and your non-DA clients, then use version 2 templates. That way Windows XP clients can get them as well (assuming you have XP clients).
The PKI requirements for DA are relatively light. The one thing you want to make sure you get right is the externally facing CRL Distribution Point (CDP). Well ok, you want to get everything right :-) but that's the piece most people stumble on.
May 10th, 2011 10:31pm
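One way to check the externally facing CDP that the post above calls the usual stumbling block: the script below is an added example, not code from the thread or from the PSPKI module. It reads the CRL Distribution Points extension out of a certificate issued by the CA and reports whether each HTTP CDP URL answers; run it from a host outside the corporate network, since that is where DirectAccess clients will fetch the CRL from. The certificate path is a placeholder assumption.

```powershell
# Added example: test reachability of every HTTP CDP URL carried by a certificate.
# Assumption: a certificate issued by the enterprise CA has been exported to .\issued.cer
# (placeholder path). Uses only .NET classes available on Windows PowerShell 2.0.
param(
    [string]$CertPath = '.\issued.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 2.5.29.31 is the id-ce-cRLDistributionPoints extension OID
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) {
    Write-Warning "Certificate $($cert.Thumbprint) carries no CDP extension"
    return
}

# Format($true) renders the extension as multi-line text; pull out the URL= entries
$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

foreach ($url in $urls) {
    if ($url -notmatch '^http://') {
        # LDAP CDPs work on the intranet but are unreachable for DA clients on the Internet
        Write-Output ("{0,-9} {1}" -f 'SKIP', $url)
        continue
    }
    try {
        $req = [System.Net.WebRequest]::Create($url)
        $req.Method  = 'GET'
        $req.Timeout = 10000
        $resp   = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $length = $resp.ContentLength
        $resp.Close()
        # A 200 with a non-zero body means the CRL file is actually being served
        Write-Output ("{0,-9} {1}  ({2} bytes)" -f "HTTP $status", $url, $length)
    } catch {
        Write-Output ("{0,-9} {1}  ({2})" -f 'FAIL', $url, $_.Exception.Message)
    }
}
```

A FAIL or SKIP on every line means Internet-side DirectAccess clients cannot perform revocation checking against this CA, so at least one HTTP CDP must be published on a host reachable from outside.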
Sean,
If I may, I posted this thread last week in another forum regarding setting up DirectAccess:
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/d4e720bc-044f-48fe-9adb-ebb0e7a76672/#850855c0-b6a6-48aa-8f5d-d7c51077f59a
The short of it is, I need either 2008 R2 or Enterprise in order to duplicate my certificate templates and enable auto enrollment for my clients. I am unable to do this with my current enterprise CA which is a 2008 Standard server.
Thank you.
May 10th, 2011 10:58pm
> Sean,
> If I may, I posted this thread last week in another forum regarding setting up DirectAccess:
> http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/d4e720bc-044f-48fe-9adb-ebb0e7a76672/#850855c0-b6a6-48aa-8f5d-d7c51077f59a
> The short of it is, I need either 2008 R2 or Enterprise in order to duplicate my certificate templates and enable auto enrollment for my clients. I am unable to do this with my current enterprise CA which is a 2008 Standard server.
> Thank you.
Yes, you need the Windows Server 2008 R2 Standard or Windows Server 2008 Enterprise SKUs.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
May 11th, 2011 8:33am
You're exactly right. The problem is you're running Standard. Windows 2003 Enterprise would work just as well (but why would you want to do that?). My point is the certificate requirements for DA aren't really complicated. You just have to have the right OS to get the certificates issued :)
May 11th, 2011 3:32pm