RE: Move Ent. Certificate Authority from DC and keep certs

From: Jon (Jon_at_discussions.microsoft.com)
Date: 01/09/05


Date: Sat, 8 Jan 2005 21:07:01 -0800

Thanks for the reply Bob,

It's good to know that this procedure applies to DCs as well - I didn't
catch that.

However, it does state that the computer name must be the same for the new
CA as the old. Is there any other way around this?

I did not clearly state in my last post that we have two DCs in this forest.
DC1 and DC2. DC1 is the CA and is slated for demotion (or virtualization if
we can get it to succeed). DC2 holds most of the FSMO roles except
Infrastructure and Schema, so it is more 'active' in the domain/forest. If we
back up DC1's CA in preparation to move it to DC2 (or another DC), then it
sounds like we will need to demote DC1 before taking it offline and bringing
a new DC1 (same computer name) online to restore the CA to.

With that in mind, how will the AD objects handle a new computer with the
same name as the old CA? Are the CA objects in AD associated with the
computer account for the CA (e.g. SID)?

Any insights greatly appreciated!

"Bob Qin [MSFT]" wrote:

> Hi Jon,
>
> Thanks for your posting here.
>
> To move a CA from a DC to another DC, you can refer to the article of
> 298138.
>
> HOW TO: Move a Certification Authority to Another Server
> http://support.microsoft.com/?id=298138
>
> It also applies to Domain Controllers.
>
> Have a nice day!
>
> Regards,
> Bob Qin
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
>
> ====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> --------------------
> Subject: Move Ent. Certificate Authority from DC and keep certs
> Date: Thu, 6 Jan 2005 13:11:01 -0800
> Newsgroups: microsoft.public.windows.server.migration
>
>
> Is it possible to move an AD integrated CA installed on a DC to another
> computer (AD DC or otherwise?).
>
> Our requirement is to demote an old DC with Enterprise CA installed and
> rebuild the hardware for different production server roles.
>
> The only articles I have been able to locate are:
> ID 5551515 - Manually remove Enterprise CA from 2000/3 domain
> ID 298138 - Move a CA to another server (Windows 2000, Stand-alone)
> ID 555012 - How to move a CA to a new [DC] (this article is written very
> poorly and requires three computers to accomplish).
> Much searching of newsgroups and such has not netted any positive results
> yet.
>
> We have tried using VSMT but have not been successful yet. Failing this, we
> may have to demote the CA server and likely revoke all active certs and issue
> new ones on the new Ent CA. This will cause interruption of active services
> that use certs for secure (tunnelled, authenticated) communications, which
> could impact many users, therefore we would like to avoid that.
>
> Moving the EntCA is a last resort option, but I want to research it before
> we potentially have to use it. Any ideas, feedback, or experience you can
> share would be helpful.
>
> --
> -Jon
>
>
>
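As an added example, not part of this thread or of KB 298138: a PowerShell script that lists the objects an Enterprise CA publishes in the Configuration partition, so you can see before and after a move what AD actually records about the CA. It assumes the RSAT ActiveDirectory module (which post-dates this thread) and a hypothetical -ExpectedHost parameter; the host-name check shows that the pKIEnrollmentService object records the CA's DNS host name, not the computer account's SID, which is why KB 298138 wants the same computer name.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module
# and an account that can read the Configuration naming context.
Import-Module ActiveDirectory

function Get-EnterpriseCaObjects {
    # -ExpectedHost is a hypothetical parameter: the FQDN you expect the CA to run on.
    param([string]$ExpectedHost)

    $configNc = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

    # pKIEnrollmentService objects are what make a CA 'Enterprise': autoenrollment
    # clients locate the CA through them. The object stores the CA's DNS host name
    # and CA certificate; it holds no reference to the computer account's SID.
    $enrollment = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties dNSHostName, displayName, cACertificateDN, certificateTemplates

    foreach ($ca in $enrollment) {
        [pscustomobject]@{
            CaName        = $ca.displayName
            HostName      = $ca.dNSHostName
            CaCertDN      = $ca.cACertificateDN
            TemplateCount = @($ca.certificateTemplates).Count
            HostMatches   = if ($ExpectedHost) { $ca.dNSHostName -ieq $ExpectedHost } else { $null }
        }
    }
}

function Get-CaPublishedObjects {
    # AIA and Certification Authorities hold one object per CA name; CDP holds a
    # sub-container named after the CA server's short name, with the CRL objects
    # beneath it. A restore onto a differently named host leaves these stale.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNc"
    foreach ($container in 'AIA', 'CDP', 'Certification Authorities') {
        Get-ADObject -SearchBase "CN=$container,$pkiBase" -SearchScope Subtree -Filter * |
            Where-Object { $_.DistinguishedName -ne "CN=$container,$pkiBase" } |
            Select-Object @{n = 'Container'; e = { $container }}, Name, ObjectClass, DistinguishedName
    }
}

# Constructed sample host name; replace with the CA's real FQDN.
Get-EnterpriseCaObjects -ExpectedHost 'dc1.corp.example' | Format-Table -AutoSize
Get-CaPublishedObjects | Format-Table -AutoSize
```

Run it once before the CA backup and once after the restore; any row whose HostName or CDP sub-container no longer matches the live CA server is an object the KB procedure expects you to have kept consistent.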


