Hi, We are going to replace our Windows 2003 Enterprise Root CA (Enterprise) with a new Windows 2008 R2 Enterprise Root CA (Enterprise), and was wondering what impact will this have on our WLAN that uses sertificates with EAP-TLS. We only have 1 Root CA. Anyone with best practice regarding this, or other good documentation would be nice. Regards Ole

you just need to migrate your current offline CA to a new box: http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspxMy weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com

Hi, Thanks for fast reply, and excellent link. Btw, this is not a offline CA, its a online enterprise root ca, dont know if thats an issue, havent read the document on the link yet. Do you also have any good documentation when its from the same operating system, windows 2003 enterprise (root enterprise ca) migrating to new hardware but with same windows 2003 enterprise (root enterprise ca) ? But when we do this, will the wlan have any issues, will we need to enroll certificates for the nps, user + computer certificates over again ? Regards Ole

In short your steps are as follows: backup CA certificate with certificate key pairs (into PFX file). backup CA database and log files. backup CA configuration (HKLM\System\CurrentControlSet\Services\CertSvc\Configuration) into REG file. uninstall certificate services from the server. demote server from AD domain (unjoin to a workgroup). setup new Windows Server 2008 R2 box with the same name as old CA server computer name. join it to your AD domain. install certificate services. During installation you will have to specify existing Root CA certificate instead of generating new one. after setup is complete run Certification Authority MMC snap-in and perform database and log file restore. restore CA settings from previously created REG file. restart certificate services. My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com