Need help migrating from a Win2003 Enterprise CA to a 2-tier CA infrastructure (stand-alone 2008 root CA with a 2008 Enterprise CA).

Current environment (1-tier):
- 1 Active Directory Enterprise CA, Win2003 32-bit Enterprise Edition, at the top-level domain of our forest.
- 1 Active Directory Enterprise CA in another forest, running Win2008 32-bit Standard Edition.

Changing to a 2-tier CA structure with 2008 cross-forest capabilities:
- 1 stand-alone, offline root CA, Win2008 64-bit Standard Edition (stays in a workgroup).
- 1 or 2 Enterprise CAs, Win2008 R2 64-bit Enterprise Edition, residing in their own "resource" forest that has a bi-directional forest trust to both the other forests.

Need to know:
1. I would like to start from scratch. Is that an option, or do we have to back up the old private key and import it to the new Root CA (or to the Enterprise CA)?
2. Do we need to migrate old templates and published certs, etc. to the new Enterprise CA or to the new Root CA?
3. What do we need to do with the existing CA that will be decommissioned? Should we uninstall the cert services but continue to publish the CRLs on that machine? If so, then how long do we leave that machine up? (FYI, the only 2003 CA doesn't have the hardware to support an upgrade to 2008.)
4. Can I do 1 forest at a time, or do I have to have both forests fully trusted before I can install certificate services, etc.?
5. Is it a problem that I have a different hostname for the new Root CA and Enterprise CA?
6. Is it a problem that I am going from a 32-bit OS to a 64-bit OS?
May 14th, 2010 11:24pm

Let me give this a crack.

1. "I would like to start from scratch. Is that an option or do we have to back up the old private key and import it to the new Root CA? (or to the Enterprise CA?)"
I think you are looking more at deploying a new PKI rather than migrating your existing PKI (based on your preamble). You can always migrate the private key into the machine store of the new PKI, but why are you doing it? Since you are changing the name, domain, forest, this is really not required.

2. "Do we need to migrate old templates & published certs, etc. to new Enterprise CA or to the new Root CA?"
Not migrate, as much as redeploy/recreate. Remember that in cross-forest, you must replicate the certificate templates and OIDs from the resource forest to the account forest. Of course, if you are still using the same PKI-enabled apps, you will need to maintain the same types of certificate templates after the migration.

3. "What do we need to do with the existing CA that will be decommissioned? Should we uninstall the cert services but continue to publish the CRLs on that machine? If so then how long do we leave that machine up? (and FYI the only 2003 CA doesn't have the hardware to support an upgrade to 2008)"
You will need to keep the existing CA up to publish CRLs until either a) the last certificate issued by that CA expires or b) none of the certificates issued by the existing CA are still in use, i.e. all certificates have been replaced by certificates issued by the new PKI.

4. "Can I do 1 forest at a time or do I have to have both forests fully trusted before I can install certificate services, etc, etc?"
This is really an all-in-one migration. Yes, you can deploy certificates in the resource forest as soon as the CA is set up, but to issue cross-forest certificates to the account domain, you will need the full trust model established.

5. "Is it a problem that I have a different hostname for the new Root CA and Enterprise CA?"
No, these are new CAs in a new CA hierarchy.

6. "Is it a problem that I am going from a 32-bit OS to a 64-bit OS?"
No. In your case, you would not be migrating the CAs, but establishing new ones. But you can back up from 32-bit 2003 and restore the database to 64-bit 2008 R2. The only other thing you have to consider for your migration is archived private keys.

Brian
May 15th, 2010 6:10pm

Thank you so much for that information. OK, so what I have done so far is: created a new forest (resource forest), created 2 domain controllers (for redundancy), created a stand-alone root CA that is not in any domain, and created a member server that will eventually be the enterprise subordinate CA once I install certificate services. From what you said, it sounds like my next steps are:
1. Create the trust with the other forests.
2. Install certificate services on the new enterprise subordinate CA (and point it to the new root CA as its root).
3. On the new enterprise sub CA, create the same templates and OIDs that are on the old enterprise root CA.
4. Uninstall certificate services on the old enterprise root CA once the certificates it's issued expire.
Does that sound right? Will it not cause errors to have the old CA on the network with cert services still installed (because that info would still be in Active Directory until the cert service is uninstalled)?
May 18th, 2010 1:18am

I am taking a different route but I have another question. Is there a way to convert a current Enterprise Root CA to an Enterprise Subordinate CA for our new Root CA?
May 19th, 2010 7:37pm

Hi, I am afraid that it is impossible. Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
May 21st, 2010 6:05am

Hi Brian,

So far I have started on a completely new redeploy and it is almost finished. These are the steps I've taken so far:
1. Set up a resource forest.
2. Created a 2-way, transitive trust between the resource and the account forests.
3. Created an offline root CA, not joined to any domain.
4. Created a member server on the resource forest with Windows Server 2008 Enterprise and installed certificate services on that server.
5. Requested the SubCA cert from the RootCA and got that installed on the SubCA.
6. Published the RootCA and SubCA certs & CRLs in Active Directory in the resource forest.
7. Published the RootCA and SubCA certs & CRLs in the account forest.
8. Adjusted all the permissions on the Public Key Services containers in AD on both forests. Also made sure the Cert Publishers group in the account forest had the new SubCA in it. Also checked the Certificate Services DCOM group on the new SubCA and adjusted the permissions there.

And now I am on the last step. I have copied everything from the resource forest to the account forest with the pkisync.ps1 script that is listed in the whitepaper from Microsoft on cross-forest certificate enrollment, but I got 1 error when doing so. The error in the script says:

------------------------------------------------------
WARNING: Error while coping an object. CN=SubCA
WARNING: The specified directory service attribute or value does not exist. <Exception from HRESULT: 0x8007200A>
WARNING: At c;\pkisync.ps1:273 char:44
+ $NewDE.psbase.CommitChanges <<<< <>
-----------------------------------------------------

Everything copies except for the object in the Enrollment Services container. It is in my resource forest, but not in the account forest. Is there any way I can get that copied into the account forest's Enrollment Services container? Or is it even supposed to be there? I am assuming so.

The old CA is listed in the Enrollment Services container on the account forest, but as soon as I can get this fully deployed then I will remove it. Thanks in advance!!!
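Steps 6 and 7 above (publishing the root and subordinate CA certificates and CRLs into a second forest's Public Key Services container) are the part of this procedure where a wrong store or a wrong forest is easy to get, and the result is a CA that is trusted in one forest but not the other. The following script is an added example and is not code from the thread or from Microsoft's whitepaper; it wraps `certutil -dspublish`, which writes into the Configuration naming context of whichever forest the chosen DC belongs to. The DC name, file names and CA name are placeholders, and it assumes it is run by a member of the target forest's Enterprise Admins (the same permissions the poster adjusted in step 8).

```powershell
# Added example (not from the thread or the Microsoft whitepaper): publish an
# offline root CA and an enterprise subordinate CA into the Public Key Services
# container of a second forest using certutil -dspublish.
# All values below are placeholders.
param(
    [string]$TargetDC = 'dc1.account.example',  # placeholder: writable DC in the account forest
    [string]$RootCert = '.\RootCA.crt',          # placeholder: exported offline root CA certificate
    [string]$RootCrl  = '.\RootCA.crl',          # placeholder: latest root CA CRL
    [string]$SubCert  = '.\SubCA.crt',           # placeholder: enterprise subordinate CA certificate
    [string]$SubCrl   = '.\SubCA.crl'            # placeholder: latest subordinate CA CRL
)

function Publish-CAObject {
    param([string]$DC, [string]$File, [string]$Store)
    # -f overwrites an existing entry, -dc chooses the forest/DC that is written.
    # The store keyword (RootCA, SubCA, NTAuthCA, ...) selects the container;
    # for a CRL no keyword is given and certutil derives the CDP entry from the issuer.
    $cuArgs = @('-f', '-dc', $DC, '-dspublish', $File)
    if ($Store) { $cuArgs += $Store }
    & certutil.exe @cuArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -dspublish $File $Store failed with exit code $LASTEXITCODE"
    }
}

# Root CA certificate: CN=Certification Authorities, so domain members in the
# account forest pick the root up as a trusted root via Group Policy.
Publish-CAObject -DC $TargetDC -File $RootCert -Store RootCA

# Subordinate CA certificate: CN=AIA so chains can be built from AD, and
# CN=NTAuthCertificates so DCs in the account forest accept logon certificates
# (smart card, etc.) issued by this CA.
Publish-CAObject -DC $TargetDC -File $SubCert -Store SubCA
Publish-CAObject -DC $TargetDC -File $SubCert -Store NTAuthCA

# CRLs for both CAs: placed under CN=CDP by issuer name.
Publish-CAObject -DC $TargetDC -File $RootCrl
Publish-CAObject -DC $TargetDC -File $SubCrl

Write-Host "Published root and subordinate CA objects to the forest served by $TargetDC."
```

The CRLs have to be republished in the target forest every time a new one is issued, and the offline root's CRL in particular is easy to forget, since nothing automates it for a workgroup machine. On a domain member of the account forest, `certutil -store -enterprise Root` should list the new root after the next Group Policy refresh.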
June 16th, 2010 11:01pm

OK, so after a few weeks of headaches I finally figured out what the problem is. This should probably be included in the next cross-forest certification whitepaper so no one else has to deal with it.

Anyway, when you have a Windows 2008 enterprise CA in its own forest and you're trying to use cross-forest certificate enrollment with the other forest's schema at the Windows 2003 level, then autoenrollment will work, but you cannot use some of the new features of the Windows 2008 CA. Basically, when you install certificate services on the 2008 CA machine, do NOT install all of the roles. You can only install the "Certification Authority" and the "Certification Authority Web Enrollment" roles if you want autoenrollment to work. The reason for this is that when you try using the pkisync.ps1 script provided by Microsoft to copy objects from the resource forest to the account forest, you will get an error that you cannot copy the object in the Enrollment Services container if you have the other roles installed. This is because when you install the other roles, the AD object in the Enrollment Services container has new attributes that Windows 2003 doesn't know what to do with. Because of this, the object will not copy over. Autoenrollment will not work in the 2003 forest if that object is not copied over.

Once you upgrade your schema to Windows 2008, all the available roles can then be installed and configured and you will be able to use the new features of the Windows 2008 CA even in the cross-forest PKI environment. Note that if you need to have those role services installed, then web enrollment in the account forest will work just fine. Also, if you have a 2-tier PKI structure and you would like to have all of the roles installed, then you can always keep the resource forest the way it is and install a 2008 member server in the account forest based on the Root CA. Then once you upgrade your schema to 2008, you can decommission the CA in the account forest and use the pkisync script to copy the objects from the resource forest to the account forest, and the enterprise CA in the resource forest will work like it should.

If you have already installed all the roles and you're having this issue, you can simply uninstall the new roles not supported by the 2003 schema, and once you use the pkisync script and have the Group Policy setting in place for users and computers to autoenroll, then everything should start working as it should. Best of luck.
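The failure described in this thread (HRESULT 0x8007200A, "The specified directory service attribute or value does not exist", raised when the copied pKIEnrollmentService object is committed into the account forest) is a schema mismatch: the source object carries attributes the target forest's schema does not define. The diagnostic below is an added example, not code from the thread or from Microsoft's pkisync.ps1. It reads the attributes actually set on the Enrollment Services object in the resource forest and checks each one against the account forest's schema, so the offending attribute can be identified before any copy is attempted. The DC names and the CA name are placeholders; the script only reads both directories and changes nothing.

```powershell
# Added diagnostic example (not from the thread or the Microsoft whitepaper):
# find attributes on a pKIEnrollmentService object in the resource forest that
# the account forest's schema does not know, which is what makes a cross-forest
# copy fail with 0x8007200A. Hostnames and the CA name are placeholders.
param(
    [string]$SourceDC = 'dc1.resource.example',  # placeholder: a DC in the resource forest
    [string]$TargetDC = 'dc1.account.example',   # placeholder: a DC in the account forest
    [string]$CAName   = 'SubCA'                  # placeholder: CN of the enrollment services object
)

function Get-EnrollmentServiceObject {
    param([string]$Server, [string]$CN)
    # RootDSE tells us the Configuration NC of the forest the server belongs to.
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $configNC = [string]$rootDse.configurationNamingContext
    $dn = "CN=$CN,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    return [ADSI]"LDAP://$Server/$dn"
}

function Test-SchemaAttribute {
    param([string]$Server, [string]$LdapDisplayName)
    # Returns $true when the schema of the forest served by $Server defines the attribute.
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $schemaNC = [string]$rootDse.schemaNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Server/$schemaNC"
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    [void]$searcher.PropertiesToLoad.Add('lDAPDisplayName')
    return ($searcher.FindOne() -ne $null)
}

function Get-UncopyableAttributes {
    param([string]$SourceDC, [string]$TargetDC, [string]$CAName)
    $source = Get-EnrollmentServiceObject -Server $SourceDC -CN $CAName
    # System-owned attributes are never copied between forests, so skip them.
    $skip = @('objectGUID', 'objectCategory', 'distinguishedName', 'whenCreated',
              'whenChanged', 'uSNCreated', 'uSNChanged', 'instanceType',
              'nTSecurityDescriptor', 'dSCorePropagationData', 'objectClass', 'cn', 'name')
    $missing = @()
    # Properties only contains attributes that actually have a value on this object.
    foreach ($attr in $source.psbase.Properties.PropertyNames) {
        if ($skip -contains $attr) { continue }
        if (-not (Test-SchemaAttribute -Server $TargetDC -LdapDisplayName $attr)) {
            $missing += $attr
        }
    }
    return $missing
}

$unknown = Get-UncopyableAttributes -SourceDC $SourceDC -TargetDC $TargetDC -CAName $CAName
if ($unknown.Count -eq 0) {
    Write-Host "All attributes set on CN=$CAName exist in the schema served by $TargetDC; the copy should commit."
} else {
    Write-Host "Attributes set on CN=$CAName that the schema served by $TargetDC does not define:"
    $unknown | ForEach-Object { Write-Host "  $_" }
    Write-Host "Either remove the role services that populate them (as the post above did) or extend the target schema."
}
```

Running this against both forests before the copy gives the same answer the poster reached after several weeks, in a few seconds: if the list is empty, pkisync.ps1 will be able to commit the object; if it names attributes, those are the ones written by the additional role services and the target schema must be raised before they can be carried across.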
June 28th, 2010 5:19pm

