Re: Certification Authority

From: Joe Wu [MSFT] (joewu_at_online.microsoft.com)
Date: 02/12/04


Date: Thu, 12 Feb 2004 13:25:20 GMT

Hello Nathan,

Thank you for your reply. Yes, if the new CA server cannot use the old
server name, a quick solution is to rebuild another CA server and then
re-issue the certificates.

Thanks!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|From: "Nathan" <Nathan@nathan.com>
|References: <OlCoLvF8DHA.2460@TK2MSFTNGP09.phx.gbl>
<CBrPgOL8DHA.2508@cpmsftngxa07.phx.gbl>
|Subject: Re: Certification Authority
|Date: Thu, 12 Feb 2004 10:00:52 +1100
|Newsgroups: microsoft.public.windows.server.migration
|
|Thanks for your reply Jo,
|
|Currently the CA server is on a DC with all five of our FSMO roles. The
|server is well overdue for a hardware upgrade. I have only just started
|working with AD recently and we have a few replication problems with it.
|
|I have tried to transfer the FSMO roles to another domain controller;
|however, I get FSMO errors. Microsoft's documentation suggests forcing/seizing
|the roles on another server. It also says to seize the roles only if the
|master will never become available again.
|
|We only really have a limited number of certificates: a few web pages and
|mostly our domain controllers. Would I be able to build another CA server
|and re-issue the certificates?
|
|Thanks again,
|Nathan.
|
|
|"Joe Wu [MSFT]" <joewu@online.microsoft.com> wrote in message
|news:CBrPgOL8DHA.2508@cpmsftngxa07.phx.gbl...
|> Hello Nathan,
|>
|> Thank you for your post.
|>
|> My name is Joe Wu, and it is my pleasure to work with you on this issue.
|>
|> We cannot move the Certification Authority to a new server which has another
|> computer name because the server name information is part of the Authority
|> Information Access (AIA) and Certificate Revocation List (CRL) distribution
|> point paths of all previously issued certificates.
|>
|> I think that if the existing CA server is offline, the issued certificate
|> will be affected. For example, since the CRL file is not available, the
|> certificate will not function correctly.
|>
|> Based on the current status, I still suggest that you try to use the same
|> server name on the new CA server. Could you please let me know why you cannot
|> keep the same server name?
|>
|> Thanks!
|>
|> Regards,
|> Joe Wu
|> Product Support Services
|> Microsoft Corporation
|>
|> --------------------
|> |From: "Nathan" <Nathan@nathan.com>
|> |Subject: Certification Authority
|> |Date: Wed, 11 Feb 2004 15:59:11 +1100
|> |Newsgroups: microsoft.public.windows.server.migration
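
An added example, not part of the original thread or of Microsoft's guidance: a PowerShell inventory of the certificates in one store whose CRL distribution point or AIA URLs name a given CA host, which scopes the re-issue discussed above. The host name `OLD-CA-SERVER`, the store path and the function name are assumptions, and the script relies on the Windows text rendering of these extensions (lines of the form `URL=...`).

```powershell
# Added example: list certificates whose CDP or AIA extension points at a CA host.
param(
    [string]$OldCaHost = 'OLD-CA-SERVER',          # placeholder, not from the thread
    [string]$StorePath = 'Cert:\LocalMachine\My'   # store to inspect (assumption)
)

# OIDs of the two extensions that embed the CA server name.
$ExtensionOids = @{
    '2.5.29.31'         = 'CDP'   # CRL Distribution Points
    '1.3.6.1.5.5.7.1.1' = 'AIA'   # Authority Information Access
}

function Get-CaPathReference {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$HostName
    )
    foreach ($ext in $Certificate.Extensions) {
        $kind = $ExtensionOids[$ext.Oid.Value]
        if (-not $kind) { continue }               # not a CDP or AIA extension
        # Format($true) renders the decoded extension as multi-line text.
        foreach ($line in ($ext.Format($true) -split "`r?`n")) {
            if ($line -notmatch 'URL=(?<url>\S+)') { continue }
            $url = $Matches['url']
            # Case-insensitive substring match covers both http:// and ldap:/// paths.
            if ($url.IndexOf($HostName, [StringComparison]::OrdinalIgnoreCase) -lt 0) { continue }
            [pscustomobject]@{
                Subject    = $Certificate.Subject
                Thumbprint = $Certificate.Thumbprint
                NotAfter   = $Certificate.NotAfter
                Extension  = $kind
                Url        = $url
            }
        }
    }
}

# Certificates listed here still point clients at the old host for CRL and
# issuer retrieval, so they are the candidates for re-issue from the new CA.
Get-ChildItem -Path $StorePath |
    ForEach-Object { Get-CaPathReference -Certificate $_ -HostName $OldCaHost } |
    Sort-Object NotAfter |
    Format-Table -AutoSize
```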


