Windows Certification Stores - Decommissioning / Upgrade
Can you clarify what specifically you mean by "certificate store"? Are you referring to two separate Certificate Authority servers? If so, are they part of the same PKI infrastructure - and, if so, what's the relationship between them (root vs. subordinate)? The migration process would be dependent on these factors - but, in any case, for details you should refer to the Security Technet forum (as Awinish has pointed out) at http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads hth Marcin
January 3rd, 2012 8:00am

You will want to keep the certificate server name the same as you move the services from one server to another. You will probably be going from a 32 bit machine to a 64 bit machine but this should all be ok. See a brief log I have on moving a cert server along with the link I used to upgrade at: http://blogs.dirteam.com/blogs/paulbergson/archive/2010/10/18/upgrade-certificate-server-from-32-to-64-bit.aspx -- Paul Bergson MVP - Directory Services MCITP: Enterprise Administrator MCTS, MCT, MCSE, MCSA, Security+, BS CSci 2008, Vista, 2003, 2000 (Early Achiever), NT4 http://www.pbbergs.com Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
January 3rd, 2012 8:02am

Hi Awinish, thanks for your reply. The first link seems to have everything I require in it but why do they (MS) uninstall all services relating to certificate store before importing onto replacement server? Can it be done without uninstallation or is this a prerequisite? (I ask as if it does not work it is more work to get back if it has all been uninstalled from the source machine) Thanks K
January 3rd, 2012 8:50am

Hi Marcin, Well I'm not 100% sure as I'm just picking up the IT here but the cert store on the 2003 DC is (I presume) the root CA as the Certification Authority is "Company Name CA", whereas on the Enterprise server someone has created a Certification Authority with a name "ECA". I am guessing that someone here, at some point in time, needed an Enterprise CA and so created this one... how do I find out their relationship to each other? I am planning on leaving the Enterprise CA alone (ECA) and just migrating the "Company Name CA" to a new 2008 R2 Domain controller. Cheers K
January 3rd, 2012 8:54am

To avoid the conflict between the two servers hosting the same configuration or with the same name, and also you are going to have a backup which can be used for roll back. http://blogs.technet.com/b/pki/archive/2010/04/20/disaster-recovery-procedures-for-the-active-directory-certificate-services-adcs.aspx Regards Awinish Vishwakarma MY BLOG: awinish.wordpress.com This posting is provided AS-IS with no warranties/guarantees and confers no rights.
January 3rd, 2012 8:59am
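
An added example, not from any poster in this thread: the backup mentioned in the reply above, taken on the source CA before anything is uninstalled, using the built-in `certutil` and `reg` commands. The backup path `C:\CABackup` and the output file names are assumptions.

```bat
@echo off
rem Added example: run in an elevated command prompt on the source CA.
rem BACKUP is an assumed path and must be empty before the first backup.
rem Keep it on protected storage: the .p12 written by -backupKey
rem contains the CA private key.
set BACKUP=C:\CABackup
mkdir "%BACKUP%"

rem Certificate database and logs (written to a DataBase subfolder).
certutil -backupDB "%BACKUP%"

rem CA certificate and private key as a password-protected PKCS #12
rem file; certutil prompts for the password.
certutil -backupKey "%BACKUP%"

rem CA configuration from the registry, needed when restoring on the
rem replacement server or rolling back to this one.
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "%BACKUP%\ca-config.reg"

rem Record the CA common name so it can be compared after the restore.
certutil -getreg CA\CommonName > "%BACKUP%\ca-name.txt"

rem Certificate templates this CA issues (applies to an enterprise CA only).
certutil -catemplates > "%BACKUP%\ca-templates.txt"
```

After the restore, run the same `-getreg CA\CommonName` command on the new server and compare it with `ca-name.txt`; the CA name has to match.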

All Awinish, that's what I figured, thanks. Regarding subordinate vs root I have had a better look and can see that the ECA cert authority is a subordinate of the "Company Name CA" authority, will this migration affect that relationship? K
January 3rd, 2012 9:23am

As mentioned earlier, refer to http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads hth Marcin
January 3rd, 2012 9:39am

Surely it will affect it, and I agree it's better to move or post this question in a security forum to be better served by the Certificate Services experts. Regards Awinish Vishwakarma MY BLOG: awinish.wordpress.com This posting is provided AS-IS with no warranties/guarantees and confers no rights.
January 3rd, 2012 10:09am

Thanks, can I move or does a moderator have to do it? K
January 3rd, 2012 11:18am

A moderator can move this thread, once they come across it. Regards Awinish Vishwakarma MY BLOG: awinish.wordpress.com This posting is provided AS-IS with no warranties/guarantees and confers no rights.
January 3rd, 2012 11:22am

Hi All, I have two cert stores on my domain, one is on a Windows 2003 (Standard) Domain Controller & one is a Windows 2003 (Enterprise) Server - Not a DC. I need to decommission the domain controller and wish to create another cert store on an existing Windows Server 2008 R2 Enterprise Domain Controller. Will creating a cert store on 2008 R2 invalidate / put at risk my existing certificates or will it just sit side-by-side? In addition, I have two sites, do I need a cert store for each site? Cheers K
January 3rd, 2012 12:44pm

You can migrate/move the certificate to another Windows 2008 or above member server. You don't need a certificate server on each and every site. While moving the certificate server to another server make sure you don't change the certificate name, but the server name can be changed. http://awinish.wordpress.com/2011/02/05/migrateupgrade-ca-from-one-2003-to-2008r2/ If the above post doesn't answer your query you can post this thread in a dedicated forum for certificate services. http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads Regards Awinish Vishwakarma MY BLOG: awinish.wordpress.com This posting is provided AS-IS with no warranties/guarantees and confers no rights.
January 3rd, 2012 1:53pm

Hi All, Bit of background to this post: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/fdbfadcc-92cb-47fb-ae21-c1a86c2e3913 Basically I have one Windows 2003 Domain Controller that is the Root CA and another Windows 2003 Ent Server (not a DC) that is a subordinate CA. I wish to migrate the Root CA to a 2008 R2 Standard CA (Domain Controller). I think the previous post covered the migration but I want to know if this migration will affect the subordinate CA? Sorry if this dupes the post, thread was moved and I'm not sure if anyone will dig into it. Cheers K
January 4th, 2012 1:02pm

I'm not sure how moving my new thread to the bottom of this thread helps... especially seeing as this thread has been abandoned! In summary I am asking whether or not moving a CA from one server to another affects its subordinate CAs. Thanks K
January 9th, 2012 8:46am

Maybe any of the moderators who visit the threads from time to time will chime in and move the thread to the appropriate forum. Regards Awinish Vishwakarma MY BLOG: awinish.wordpress.com This posting is provided AS-IS with no warranties/guarantees and confers no rights.
January 9th, 2012 8:54am
