Subordinate CA will not start after migration from 2003 to 2008 R2
Hello,

We have an environment where we have an offline root CA, and an intermediate subordinate CA which happens to be the Enterprise CA and issuing CA. During the domain upgrade process, we decided to move the CA role, which was running on a DC, to a member server. As the DC will be kept intact, we could not reuse the name and IP, hence both were changed during the migration. We have followed the articles described at TechNet in order to perform the migration. To sum up the moves:
- Backup CA configuration on Source CA (Windows 2003 Intermediate CA running Enterprise and being a DC)
- Backup registry from above CA.
- Copied all CRLs and certificates which are required.
- Installed the new server, which is a member server, using existing keys.
- Restore of registry and changes in settings accordingly.

After this, when we try to start the Certification service we are getting a nasty error stating "Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. %1 %2." described here: http://technet.microsoft.com/en-us/library/cc774550(WS.10).aspx
I have tried most of the resolutions mentioned there without having any result. I have also tried to disable CRL checking using Certutil -CRL ca\CRL_CHECK_REWOKE something like this. But still it didn't help. Looking in PKIview and from Event Viewer I see CA certificate and CDP location return OK. It seems like there is some sort of problem with the certificate for the Intermediate CA. I really don't understand what it could be, all aspects have been covered. Anyone who can point me in the right direction? Thanking you in advance. And really hope that someone can help me.

Best regards,
Sean Rao
April 4th, 2011 10:44am

The article http://technet.microsoft.com/en-us/library/ee126140(WS.10).aspx states that you must keep the same computer name on the hosting CA after migration. The current error says that either your key pair is not correct or the chain cannot be verified. The chain verification may fail since the CDP is bound mostly to the old DNS name (which is held by the previous CA).
April 4th, 2011 11:29am
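As an added diagnostic (not code from this thread), the following PowerShell script checks on the destination server the three things the reply above points at: whether the restored key is actually bound to the CA certificate, whether the CDP/AIA URLs inside that certificate still name the old host, and whether the certificate chain builds with online revocation checking, which is what the CA service needs at start-up. The CA common name and the old host name are assumptions to be replaced with your own values.

```powershell
# Added example, not part of the original thread. Run on the destination CA server.
param(
    [string]$CaCommonName = 'Contoso Issuing CA',   # assumption: common name of the subordinate CA
    [string]$OldHostName  = 'oldca.contoso.local'   # assumption: DNS name of the source (old) server
)

# The CA's own certificate lives in the computer's Personal (My) store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$caCert = $store.Certificates |
    Where-Object { $_.Subject -like "CN=$CaCommonName*" } |
    Select-Object -First 1
$store.Close()
if (-not $caCert) { throw "No certificate with CN=$CaCommonName found in LocalMachine\My" }

# 1. Key pair: after a restore the certificate must still be associated with a private key.
"Subject:          $($caCert.Subject)"
"Has private key:  $($caCert.HasPrivateKey)"

# 2. CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) URLs embedded in the CA certificate.
#    These point at the *issuer's* CRL/certificate; if they were published on the old host
#    and that name now belongs to the DC, chain validation from this server will fail.
foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $caCert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) {
        $text = $ext.Format($true)
        "$($ext.Oid.FriendlyName):`n$text"
        if ($text -match [regex]::Escape($OldHostName)) {
            "  -> extension still references $OldHostName"
        }
    }
}

# 3. Build the chain the same way the service does: online revocation check, root excluded.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$built = $chain.Build($caCert)
"Chain builds:     $built"
foreach ($s in $chain.ChainStatus) {
    "  $($s.Status): $($s.StatusInformation.Trim())"
}
```

A `RevocationStatusUnknown` or `OfflineRevocation` status here, together with a CDP URL naming the old host, is the chain-verification failure described in the reply; `HasPrivateKey` being false points at the key-pair side instead.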

Hello Alex, Don't really know what you mean by that. The article states that the Certification Authority name has to be the same, NOT the COMPUTER name. As far as the CDP is concerned, it should be publishing to the new location as well as AD. But that is not an issue since we cannot start the CA. Thanks for the reply anyway. Best regards, Sean Rao
April 4th, 2011 6:18pm

On Mon, 4 Apr 2011 22:11:34 +0000, zeglory wrote: "Don't really know what you mean by that. The article states that the Certification Authority name has to be the same, NOT the COMPUTER name." This is a direct quote from the article in question: "Before joining the destination server to the domain, change the computer name to the same name as the source server." Note that this refers explicitly to the computer name and not the name provided for the CA. Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca Machine-independent: Does not run on any existing machine.
April 5th, 2011 12:17am

Thank you for the reply Paul. But I think that we are concentrating on something that really isn't related to my problem. As you might see from http://technet.microsoft.com/en-us/library/cc742388(WS.10).aspx, "Scenarios and Related Tasks":

The common upgrade and migration scenarios are described as follows:
- Hardware change: Move a certification authority (CA) from one computer to a different computer with different hardware or operating system. This includes: x86 to x64; physical computer to virtual computer (including Virtual Server and Hyper-V); single computer to Windows failover cluster; Enterprise edition to Standard edition.
- Host name change: Move a CA from one computer to a computer with a different host name.
- CA type change: Move a CA from one installation type to another. This includes: stand-alone CA to enterprise CA; enterprise CA to stand-alone CA.
- Domain membership change: Change the domain membership attributes of a CA, either on the same computer or in combination with moving the CA from one computer to another: workgroup computer to domain member; domain member to workgroup computer; domain to different domain (in same forest).
- Migrate a CA from a domain controller. This migration scenario has two subcomponents: move a CA on a domain controller to a CA on a domain member (demoting a domain controller); move a CA on a domain controller to a CA on a different computer (migrating a CA).
- Windows version or edition change. This migration scenario has two subcomponents: in-place upgrade of Windows Server 2003 to Windows Server 2008; in-place upgrade of Windows Server from the Standard edition to the Enterprise edition.

As I already have mentioned, we are combining a number of scenarios. To keep the original host name is not an option as that name is being utilized by a DC.......

Rao
April 5th, 2011 1:13am

