Windows 2003 DC also CA migration to Windows 2008 R2 server
Hi, stupidly I installed a CA on a Windows 2003 domain controller, which I now need to replace with a Windows 2008 R2 domain controller. I was wondering what my best options are to migrate and possibly split the DC and CA roles as well. I only have 2 certificates signed by this CA (one for wireless authentication with our Cisco access point and one for our Lync server and BlackBerry server), so both are easily replaced (although the certificate for the wireless services would require me to change 30-odd laptop settings).

My question is: would it be easier for me to just start from scratch, or should I try to migrate both roles onto different servers? (Should I just keep them on 1 server? We are a small outfit with 25 users, so not keen on having too many servers.) If I migrate the server roles onto new servers, should I keep the same hostname (ran into some issues with renaming DCs yesterday, so not keen on that) or just use different names? Would I be able to use the same IP address though? Many thanks
September 21st, 2011 11:41am

Regarding ADCS migration, changing the name is supported but it is not recommended if not absolutely necessary because of the additional administration needed to keep the hostname history. Because you only have 2 issued certificates it should be quite easy to migrate to a new CA:

1. Extend the CRL validity period of the current CA to cover the validity period of the issued certificates
2. Publish the CRL and make sure it is updated with the new validity time
3. Uninstall the current CA but keep the CA trusted in AD and other systems that are already using it, as well as keeping the CRL published and available
4. Start a new CA and begin planning for replacing the old CA (the 2 issued certificates!)

/Hasain
September 21st, 2011 12:35pm

Thanks for that. Do I extend the CRL validity by using this method? http://technet.microsoft.com/en-us/library/cc753863.aspx#BKMK_Rev_Domain

Is there a particular way to uninstall the current CA but keep it trusted in CA? Many thanks
September 21st, 2011 12:51pm

To configure the CRL validity/publication interval:

1. Open the Certification Authority snap-in
2. In the console tree, right-click the Revoked Certificates container, and click Properties
3. Adjust the CRL publication interval for CRL and Delta CRL if Delta CRL checkbox is enabled
4. Click OK to save changes
5. In the console tree, right-click the Revoked Certificates container, and click All Tasks -> Publish
6. Click OK to publish the CRL

You only need to remove/uninstall the Certification Authority and it will keep the trust and the CRL in AD.

/Hasain
September 21st, 2011 1:43pm
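
A command-line equivalent of the snap-in steps in the reply above, with a check that the published CRL picked up the new lifetime. This is an added example, not part of the original thread; it assumes PowerShell and certutil on the CA itself, and the 2-year period and the `<CA name>` placeholder are constructed values.

```powershell
# Added example, not from the thread. Run on the CA server in an elevated session.
# Assumption: a base CRL lifetime of 2 years outlives the certificates still in
# use; choose a value that covers the latest NotAfter date listed in step 1.
$units  = 2
$period = 'Years'

# 1. List issued certificates (Disposition 20 = issued) with their expiry dates,
#    so the CRL lifetime can be chosen to cover the latest one.
certutil -view -restrict "Disposition=20" -out "RequestID,CommonName,NotAfter"

# 2. Show the current CRL publication interval.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod

# 3. Set the new interval (same setting as Revoked Certificates > Properties).
certutil -setreg CA\CRLPeriodUnits $units
certutil -setreg CA\CRLPeriod $period

# 4. Restart Certificate Services so the new values are read, then publish.
Restart-Service certsvc
certutil -CRL

# 5. Dump the published CRL and confirm its next-update date reflects the new
#    lifetime. <CA name> is a placeholder for the file name in CertEnroll.
certutil -dump "$env:windir\System32\CertSrv\CertEnroll\<CA name>.crl"
```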

Hi, I am still arranging for a maintenance window (possibly next Friday evening). When I launched the CA msc console on the CA I noticed that under issued certificates I had:

- Domain Controller certificates based on the Domain Controller Certificate
- EFS-based certificate templates for 3 of our users (none of whom have any knowledge of ever creating them)

Can I safely remove the domain controller certificates without causing any AD issues, and how about those Basic EFS certificates? Regards
October 4th, 2011 4:53am

All certificates are going to continue to be valid after the "shutdown" of the current CA. If you do not want to issue any more certificates from the CA, you just need to remove the templates from it.

The DC certificate is going to be replaced automatically whenever removed and there is an enterprise CA available again. Make sure that the DC is not depending on the certificate for LDAP SSL or a similar setup before removing it.

There should not be any risk of losing user data if the users are not actively using EFS. The best option is to check with the users and verify before replacing the EFS certificates. Additionally, it is recommended to configure an EFS recovery policy by configuring EFS Recovery Agents: http://technet.microsoft.com/en-us/library/cc962057.aspx

/Hasain
October 4th, 2011 8:34am

This topic is archived. No further replies will be accepted.
