Subordinate CA will not start after migration from 2003 to 2008 R2
Hello, we have an environment with an offline root CA and an intermediate subordinate CA, which happens to be the Enterprise CA and issuing CA. During the domain upgrade process, we decided to move the CA role, which was running on a DC, to a member server.
As the DC will be kept intact, we could not reuse the name and IP, hence both were changed during the migration.
We have followed the articles on TechNet in order to perform the migration. To sum up the moves:
- Backup CA configuration on Source CA (Windows 2003 Intermediate CA running Enterprise and being a DC)
- Backup registry from above CA.
- Copied all CRLs and certificates which are required.
- Installed the new server, which is a member server, using the existing keys.
- Restore of registry and changes in settings accordingly.
After this, when we try to start the Certification service, we get a nasty error stating "Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. %1 %2." described here:
http://technet.microsoft.com/en-us/library/cc774550(WS.10).aspx
I have tried most of the resolutions mentioned there without any result. I have also tried to disable CRL checking using "Certutil -CRL ca\CRL_CHECK_REWOKE", something like this. But still it didn't help.
Looking in PKIView and in Event Viewer, I see the CA certificate and CDP location return OK. It seems like there is some sort of problem with the certificate for the intermediate CA. I really don't understand what it could be; all aspects have been covered. Anyone who can point me in the right direction? Thanking you in advance, and I really hope that someone can help me.
Best regards,
Sean
Rao
April 4th, 2011 10:44am
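The backup-and-restore sequence summarized in the post above, written out as an added PowerShell example. This is not code from the original post or from the TechNet articles; the CA name, host names, backup path and password are assumptions, and only certutil/reg commands that exist on Windows Server 2003/2008 R2 are used.

```powershell
# Added example: moving an enterprise subordinate CA to a host with a different
# name while keeping the CA name and key pair. Assumed values (not from the thread):
$CaName    = 'Contoso Issuing CA'   # the CA (not computer) name must stay identical
$OldHost   = 'OLDDC01'              # source: the domain controller
$NewHost   = 'NEWCA01'              # destination: the member server
$BackupDir = 'C:\CABackup'
$BackupPw  = 'P@ssw0rd!'            # protects the exported PFX; use a real secret

# ---- On the SOURCE CA (Windows Server 2003, domain controller) ----
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Step 1: CA database plus CA certificate and private key (written as "<CA name>.p12")
certutil -p $BackupPw -backup $BackupDir

# Step 2: the CertSvc configuration registry key
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" "$BackupDir\CertSvc.reg" /y

# Step 3: publication settings and the currently published CRLs. In these
# templates %1 expands to the DNS name of the host running the CA, so a literal
# old host name here is what breaks CDP/AIA after a rename.
certutil -getreg CA\CRLPublicationURLs    | Out-File "$BackupDir\CRLPublicationURLs.txt"
certutil -getreg CA\CACertPublicationURLs | Out-File "$BackupDir\CACertPublicationURLs.txt"
Copy-Item "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" $BackupDir

# ---- On the DESTINATION member server (Windows Server 2008 R2) ----
# Step 4: install the role with the existing key. On 2008 R2 this is the Add Roles
# wizard ("Use existing private key" -> select the PFX from $BackupDir). On
# Windows Server 2012 and later the same step is scriptable, for example:
#   Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
#       -CertFile "$BackupDir\$CaName.p12" `
#       -CertFilePassword (ConvertTo-SecureString $BackupPw -AsPlainText -Force) -Force

# Step 5: stop the service, restore the database, import the registry with the
# host-specific values rewritten, then verify before starting.
Stop-Service CertSvc
certutil -f -p $BackupPw -restoredb $BackupDir

# The exported .reg still names the old host (CAServerName, paths in URLs);
# rewrite it before importing rather than hand-editing after.
$reg = Get-Content "$BackupDir\CertSvc.reg" -Raw
$reg = $reg -replace [regex]::Escape($OldHost), $NewHost
$reg | Set-Content "$BackupDir\CertSvc.fixed.reg"
reg import "$BackupDir\CertSvc.fixed.reg"

# Sanity checks: server name now points at this host, and the CA certificate
# in the registry matches the private key in the key container.
certutil -getreg CA\CAServerName
certutil -verifykeys

Start-Service CertSvc
```

The `-replace` step is the one that is easy to skip when following the article by hand: the exported key carries the old host name in `CAServerName` and in any publication URL that was typed literally instead of using the `%1` token, and the service reads those values at start.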
The article http://technet.microsoft.com/en-us/library/ee126140(WS.10).aspx states that you must keep the same computer name on the hosting CA after migration.
The current error says that either your key pair is not correct or the chain cannot be verified. The chain verification may fail since the CDP is mostly bound to the old DNS name (which is held by the previous CA).
April 4th, 2011 11:29am
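The two causes named in the reply above (key pair does not match the CA certificate; chain cannot be built from the new host) can each be checked directly on the destination server before touching anything else. The following is an added example of mine, not code from the thread or from TechNet; the CA name is an assumption, and it runs with the CertSvc service stopped.

```powershell
# Added example: isolate "Could not load or verify the current CA certificate".
# Assumed CA name (not from the thread):
$CaName = 'Contoso Issuing CA'
$cfg = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"

# 1. Which certificate does the CA configuration consider current?
#    CACertHash is a REG_MULTI_SZ of SHA-1 hashes written as space-separated
#    bytes; the last entry is the current CA certificate.
$hashes  = (Get-ItemProperty $cfg).CACertHash | ForEach-Object { $_ -replace ' ', '' }
$current = $hashes[-1]
"CA configuration points at thumbprint $current"

# 2. Is that certificate in the machine Personal store, and does it have a key?
#    (-eq on strings is case-insensitive, so the hex case does not matter.)
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $current }
if (-not $cert) {
    throw "Certificate $current is not in LocalMachine\My: restore it with certutil -restorekey."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate is present but has no private key: the restored key does not belong to it."
}
certutil -verifykeys   # cross-check: the CA's key container vs. the CA certificate

# 3. Does the chain build from THIS host, with AIA/CDP fetched over the network?
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) - $($_.StatusInformation)" }
}
# certutil shows every URL it tries, so a CDP/AIA that still names the old host
# is visible here even when PKIView reports the new location as OK.
$cerPath = Join-Path $env:TEMP 'cacert.cer'
[IO.File]::WriteAllBytes($cerPath, $cert.Export('Cert'))
certutil -verify -urlfetch $cerPath
certutil -getreg CA\CRLPublicationURLs     # %1 = current host; a literal old name is the bug

# 4. If the only blocker is an unreachable CRL (typical with an offline root),
#    let the service start without it; remove the flag once CRLs are reachable.
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
Start-Service CertSvc
# Later:  certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE ; Restart-Service CertSvc
```

Step 2 failing means the key restore is the problem and no amount of CRL work will help; step 3 failing with step 2 passing is the chain/CDP case the reply describes.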
Hello Alex,
I don't really know what you mean by that. The article states that the Certification Authority name has to be the same, NOT the COMPUTER name. As far as the CDP is concerned, it should be publishing to the new location as well as AD. But that is not an issue, since we cannot start the CA. Thanks for the reply anyway.
Best regards,
Sean
Rao
April 4th, 2011 6:18pm
On Mon, 4 Apr 2011 22:11:34 +0000, zeglory wrote:
I don't really know what you mean by that. The article states that the Certification Authority name has to be the same, NOT the COMPUTER name.
This is a direct quote from the article in question:
Before joining the destination server to the domain, change the computer name to the same name as the source server.
Note that this refers explicitly to the computer name and not the name provided for the CA.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Machine-independent: Does not run on any existing machine.
April 5th, 2011 12:17am
Thank you for the reply, Paul. But I think that we are concentrating on something that really isn't related to my problem. As you can see from
http://technet.microsoft.com/en-us/library/cc742388(WS.10).aspx
Scenarios and Related Tasks
The common upgrade and migration scenarios are described as follows:
Hardware change
Move a certification authority (CA) from one computer to a different computer with different hardware or operating system. This includes:
- x86 to x64
- Physical computer to virtual computer (including Virtual Server and Hyper-V™)
- Single computer to Windows® failover cluster
- Enterprise edition to Standard edition
Host name change
Move a CA from one computer to a computer with a different host name.
CA type change
Move a CA from one installation type to another. This includes:
- Stand-alone CA to enterprise CA
- Enterprise CA to stand-alone CA
Domain membership change
Change the domain membership attributes of a CA, either on the same computer or in combination with moving the CA from one computer to another:
- Workgroup computer to domain member
- Domain member to workgroup computer
- Domain to different domain (in same forest)
Migrate a CA from a domain controller
This migration scenario has two subcomponents:
- Move a CA on a domain controller to a CA on a domain member (demoting a domain controller).
- Move a CA on a domain controller to a CA on a different computer (migrating a CA).
Windows version or edition change
This migration scenario has two subcomponents:
- In-place upgrade of Windows Server® 2003 to Windows Server 2008
- In-place upgrade of Windows Server from the Standard edition to the Enterprise edition
As I have already mentioned, we are combining a number of scenarios. Keeping the original host name is not an option, as that name is being utilized by a DC...
Rao
April 5th, 2011 1:13am