Jon
Guest
Posted: Fri Jan 07, 2005 3:11 am
Post subject: Move Ent. Certificate Authority from DC and keep certs
Is it possible to move an AD integrated CA installed on a DC to another
computer (AD DC or otherwise)?
Our requirement is to demote an old DC with Enterprise CA installed and
rebuild the hardware for different production server roles.
The only articles I have been able to locate are:
ID 5551515 - Manually remove Enterprise CA from 2000/3 domain
ID 298138 - Move a CA to another server (Windows 2000, Stand-alone)
ID 555012 - How to move a CA to a new [DC] (this article is written very
poorly and requires three computers to accomplish).
Much searching of newsgroups and such has not netted any positive results
yet.
We have tried using VSMT but have not been successful yet. Failing this, we
may have to demote the CA server and likely revoke all active certs and issue
new ones on the new Ent CA. This will cause interruption of active services
that use certs for secure (tunnelled, authenticated) communications, which
could impact many users, therefore we would like to avoid that.
Moving the EntCA is a last resort option, but I want to research it before
we potentially have to use it. Any ideas, feedback, or experience you can
share would be helpful.
--
-Jon
Bob Qin [MSFT]
Guest
Posted: Fri Jan 07, 2005 1:26 pm
Post subject: RE: Move Ent. Certificate Authority from DC and keep certs
Hi Jon,
Thanks for your posting here.
To move a CA from a DC to another DC, you can refer to the article of
298138.
HOW TO: Move a Certification Authority to Another Server
http://support.microsoft.com/?id=298138
It also applies to Domain Controllers.
Have a nice day!
Regards,
Bob Qin
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
Subject: Move Ent. Certificate Authority from DC and keep certs
Date: Thu, 6 Jan 2005 13:11:01 -0800
Newsgroups: microsoft.public.windows.server.migration
Jon
Guest
Posted: Sun Jan 09, 2005 11:07 am
Post subject: RE: Move Ent. Certificate Authority from DC and keep certs
Thanks for the reply Bob,
It's good to know that this procedure applies to DCs as well - I didn't
catch that.
However, it does state that the computer name must be the same for the new
CA as the old. Is there any other way around this?
I did not clearly state in my last post that we have two DCs in this forest.
DC1 and DC2. DC1 is the CA and is slated for demotion (or virtualization if
we can get it to succeed). DC2 holds most of the FSMO roles except
Infrastructure and Schema, so it is more 'active' in the domain/forest. If we
back up DC1's CA in preparation to move it to DC2 (or another DC), then it
sounds like we will need to demote DC1 before taking it offline and bringing
a new DC1 (same computername) online to restore the CA to.
With that in mind, how will the AD objects handle a new computer with the
same name as the old CA? Are the CA objects in AD associated with the
computer account for the CA (e.g. SID) ?
Any insights greatly appreciated!
Bob Qin [MSFT]
Guest
Posted: Mon Jan 10, 2005 4:59 pm
Post subject: RE: Move Ent. Certificate Authority from DC and keep certs
Hi Jon,
Thanks for your update.
After you back up the CA and demote DC1, you can move it to a workgroup and
take it offline. Please make sure that the computer account is removed from ADUC.
Then you can install a new server with the same name and promote it to be a DC.
Finally, import the CA data on the new DC. It will act as the original CA
server.
Have a nice day!
Regards,
Bob Qin
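The backup-before-demote half of the procedure Bob describes in this post, together with a check for the question Jon raised in the previous post (whether the CA objects in AD are tied to the computer account's SID), as an added PowerShell example. It is not part of the thread and not the procedure text of KB 298138; the backup path, the backup password, the registry value names and the dNSHostName comparison are assumptions of the example. It is meant to be run elevated on the CA server (DC1) before demotion.

```powershell
# Added example, not from the thread or from KB 298138.
# Backs up the Enterprise CA and checks how AD references it before DC1 is demoted.
param(
    [string]$BackupDir = 'D:\CABackup',                   # assumption: any empty local folder
    [string]$BackupPassword = 'ChangeMe-Example-Only'     # assumption: protects the exported CA key
)

$ErrorActionPreference = 'Stop'

# 1. Identify the active CA from the CertSvc registry configuration.
#    'Active' holds the CA common name; CAServerName is the host it belongs to.
$cfgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName   = (Get-ItemProperty -Path $cfgKey -Name Active).Active
$caServer = (Get-ItemProperty -Path "$cfgKey\$caName" -Name CAServerName).CAServerName
Write-Host "Active CA: '$caName' registered for server '$caServer'"

# 2. How AD knows this CA: the pKIEnrollmentService object under
#    CN=Enrollment Services in the Configuration partition carries dNSHostName.
#    The CA is bound to the server's DNS name, not to the computer account's SID,
#    which is why the rebuilt server has to keep the same name.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$esPath   = "LDAP://CN=$caName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
$es       = [ADSI]$esPath
$adHost   = [string]$es.dNSHostName
$local    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($adHost -ne $local) {
    throw "Enrollment object points at '$adHost' but this host is '$local'; resolve before backing up."
}
Write-Host "AD enrollment service object dNSHostName = '$adHost' (matches this host)"

# 3. Back up the CA database, logs and the CA certificate/key pair.
#    certutil -backup writes the key pair as a password-protected PKCS#12 file.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
& certutil.exe -p $BackupPassword -backup $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# 4. Export the CertSvc configuration key; it is imported on the rebuilt server
#    (same name) after the database has been restored.
$regFile = Join-Path $BackupDir 'CertSvc-Configuration.reg'
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# 5. List what was captured so the restore on the new DC1 can be checked against it.
Get-ChildItem -Path $BackupDir -Recurse | Select-Object FullName, Length | Format-Table -AutoSize
```

On the rebuilt DC1 (same computer name, promoted to a DC, with the old computer account deleted first as Bob says), the reverse of steps 3 and 4 is to install Certificate Services using the existing CA certificate and key from the backup's PKCS#12 file, run `certutil -p <password> -restore <BackupDir>` to bring the database back, import the exported .reg file, and restart the CertSvc service; the dNSHostName check above can then be re-run to confirm that the enrollment object in AD resolves to the new host.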
jjhols
Guest
Posted: Mon Jan 10, 2005 9:23 pm
Post subject: RE: Move Ent. Certificate Authority from DC and keep certs
Jon, I am working on the same process and ran across an issue with KBA298138
that will be resolved in Server 2003 SP1, which won't be released until March.
Do a search for my post called Enterprise CA Move within
windows.server.migration.