Setting Up 2008R2 Virtual Server For Migration Of Certificate Authority From 2003
I have a few startup questions that don't seem to be answered completely in the MSKB docs that I have found. I have an operating (but low on space) virtual Win2003 certificate authority machine with File Server and Application Server roles assigned. It has Certification Authority installed. I have built and updated a virtual 2008R2 server and want to make sure that I install the proper roles and features. Under Roles I see Active Directory Certificate Services. Since this is only to be a cert server I believe that this is the only role that needs to be applied, correct? Since the certificate issue and revocation is transparent to the user I believe that the only service to be enabled is Certification Authority, correct? After going deeper into the wizard I am wondering if I can set this up to play with while the other server is still operational. The plans are to replace the old OMCA server with this one by importing everything in about two months. We only have one afternoon per month to do the simpler stuff and although this is detailed it does not look too hard to accomplish. I still want to do as much prep work as possible to ensure that it goes smoothly and in a timely manner. All previous experiences and guidance accepted. Thanks.
September 26th, 2012 8:47am

Hi, If you're wanting to replace your existing CA with a new server and also retain the CA name, database, etc, you should have a look at these two articles:
http://blogs.technet.com/b/pki/archive/2012/01/27/steps-needed-to-decommission-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-all-operations-to-a-new-certification-authority.aspx
http://blogs.technet.com/b/askds/archive/2010/08/23/moving-your-organization-from-a-single-microsoft-ca-to-a-microsoft-recommended-pki.aspx
I've used these articles to move a CA successfully to new hardware on several occasions. In answer to your question about server roles, if all you are wanting the server to do is be a CA and issue certificates, installing just the Certificate Authority role will be fine.
Steve G
September 26th, 2012 2:59pm

Have you been successful with setting the server up prior to migration? If so, what is the best approach? From what I saw this is a complete migration from beginning to end with no point in the middle to test anything on the new while the old is still operational.
September 27th, 2012 11:06am

Hi, What is it that you are wanting to test? If it is just a case of checking certificate enrollment and revocation you can always just add a CA to your hierarchy and restrict it to issuing certificates to a subset of users by setting appropriate permissions on the templates. A better solution would be to do whatever testing you need to do in a virtual environment on your desktop or laptop. Testing in a production environment should always be treated with a degree of caution!
Steve G
September 27th, 2012 11:39am

I have the physical server already set up and have reviewed quite a few of the migration documents. I try to err on the side of caution and have a backup plan whenever possible. That approach leads me to do as much testing as possible before going live with system modifications. The documentation seems quite straightforward in the approach of backing up and restoring the CA. It looks like I can't set this up with a different CA name, perform some preparatory setup steps, and then change it to the current CA name/IP after bringing the old one down. I guess I will have to go with it and plan to keep the current server operational if the migration does not proceed as planned.
October 1st, 2012 4:34pm

This topic is archived. No further replies will be accepted.
