Windows 2003 DC also CA migration to Windows 2008 R2 server
Hi, stupidly I installed a CA on a Windows 2003 domain controller which I now need to replace with a Windows 2008 R2 domain controller. I was wondering what my best options are to migrate and possibly split the DC and CA roles as well. I only have 2 certificates signed by this CA (one for wireless authentication with our Cisco access point and one for our Lync server and BlackBerry server), so both are easily replaced (although the certificate for the wireless services would require me to change 30-odd laptop settings). My question is: would it be easier for me to just start from scratch, or should I try and migrate both roles onto different servers? (Should I just keep them on 1 server? We are a small outfit with 25 users so not keen on having too many servers.) If I migrate the server roles onto new servers, should I keep the same hostname (ran into some issues with renaming DCs yesterday so not keen on that) or just use different names? Would I be able to use the same IP address though? Many thanks
September 21st, 2011 4:49am

Regarding ADCS migration, changing the name is supported, but it is not recommended if not absolutely necessary because of the additional administration needed to keep the hostname history. Because you only have 2 issued certificates, it should be quite easy to migrate to a new CA:
1. Extend the CRL validity period of the current CA to cover the validity period of the issued certificates.
2. Publish the CRL and make sure it is updated with the new validity time.
3. Uninstall the current CA but keep the CA trusted in AD and other systems that are already using it, as well as keeping the CRL published and available.
4. Start a new CA and begin planning for replacing the old CA (the 2 issued certificates!).
/Hasain
September 21st, 2011 5:43am

Thanks for that. Do I extend the CRL validity by using this method? http://technet.microsoft.com/en-us/library/cc753863.aspx#BKMK_Rev_Domain Is there a particular way to uninstall the current CA but keeping it trusted in CA? Many thanks
September 21st, 2011 5:59am

To configure the CRL validity/publication interval:
1. Open the Certification Authority snap-in.
2. In the console tree, right-click the Revoked Certificates container, and click Properties.
3. Adjust the CRL publication interval for CRL and Delta CRL if the Delta CRL checkbox is enabled.
4. Click OK to save changes.
5. In the console tree, right-click the Revoked Certificates container, and click All Tasks -> Publish.
6. Click OK to publish the CRL.
You only need to remove/uninstall the Certification Authority and it will keep the trust and the CRL in AD. /Hasain
September 21st, 2011 6:46am
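
A command-line equivalent of the snap-in steps above, with a check that the published CRL outlives the issued certificates. This is an added example, not part of the original replies; it assumes PowerShell is installed on the old CA, that the CRL is written to the default CertEnroll folder, and the 5-year period is a constructed value to adjust.

```powershell
# Added example, not from the thread. Run from an elevated prompt on the old CA.
# ASSUMPTION: 5 years covers the NotAfter date of both issued certificates.
$Units  = 5         # constructed value, adjust after reviewing the list below
$Period = 'Years'   # valid values: Hours, Days, Weeks, Months, Years

function Invoke-Certutil {
    # Run certutil with the given arguments and stop on the first failure,
    # so a failed registry write is never followed by a publish.
    & certutil.exe @args
    if ($LASTEXITCODE -ne 0) { throw "certutil $args failed ($LASTEXITCODE)" }
}

# 1. List issued certificates (Disposition 20) and when they expire.
#    The new CRL validity must reach past the latest NotAfter shown here.
Invoke-Certutil -view -restrict 'Disposition=20' -out 'RequestID,CommonName,NotAfter'

# 2. Record the current base and delta CRL intervals before changing them.
Invoke-Certutil -getreg CA\CRLPeriodUnits
Invoke-Certutil -getreg CA\CRLPeriod
Invoke-Certutil -getreg CA\CRLDeltaPeriodUnits

# 3. Extend the base CRL validity period. If the delta value above is not 0,
#    adjust CA\CRLDeltaPeriodUnits / CA\CRLDeltaPeriod in the same way.
Invoke-Certutil -setreg CA\CRLPeriodUnits $Units
Invoke-Certutil -setreg CA\CRLPeriod $Period

# 4. The CA reads these values at service start, so restart, then publish.
Restart-Service certsvc
Invoke-Certutil -CRL

# 5. Confirm the freshly published CRL carries the extended NextUpdate.
#    ASSUMPTION: default publication folder; change if the CDP was customized.
$crlDir = Join-Path $env:windir 'System32\CertSrv\CertEnroll'
Get-ChildItem $crlDir -Filter *.crl | ForEach-Object {
    Write-Host $_.Name
    & certutil.exe -dump $_.FullName | Select-String 'ThisUpdate|NextUpdate'
}
```

Keep a copy of the final `.crl` file: after the CA is uninstalled nothing can re-sign it, so every CDP location must keep serving this file until the two certificates are replaced.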
