Windows

  • Moving a Certificate Authority


    The other advantage to doing it this way, now that I think about it, is
    a little clearer recovery path if everything blows up. A system state
    restore on your old ca and an authoritative restore on AD should (please
    everyone check me on this) get you back where you were without having to
    reload the original un-upgraded OS on your original CA.
    Kevin Brunson
    From: ActiveDir-owner (AT) mail (DOT) activedir.org
    [mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] On Behalf Of Kevin Brunson
    Sent: Tuesday, July 11, 2006 8:48 PM
    To: ActiveDir (AT) mail (DOT) activedir.org
    Subject: RE: [ActiveDir] Moving a Certificate Authority
    Have you thought about putting a new server (or an older one with good
    hardware) in the mix as 2000, moving the CA to it, and then upgrading it
    to 2k3? That way you don't have to worry about the hardware not
    supporting 2003 or something terrible like that. Then if you want you
    could move it from that 2003 server to another 2003 server, or you could
    just leave it where it is.
    Kevin Brunson
    From: ActiveDir-owner (AT) mail (DOT) activedir.org
    [mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] On Behalf Of WATSON, BEN
    Sent: Tuesday, July 11, 2006 6:05 PM
    To: ActiveDir (AT) mail (DOT) activedir.org
    Subject: RE: [ActiveDir] Moving a Certificate Authority
    And will it ever be a slooooooow 2k3 machine indeed. After continuing
    to do some reading and researching, it does appear that my only option
    is to
    1) Upgrade the old DC to 2k3
    2) Back up the CA and the registry key as stated in the KB298138
    article.
    3) Remove the CA services, demote server and rename it.
    4) Promote a 2k3 server with the same name as the old DC and install
    the CA services.
    5) Restore the CA data and registry key
    6) Cross my fingers and hope that I have a CA once again
    I'll give this a shot tomorrow. I just wonder what would be my backup
    plan should the CA restoration fail on the new server? The old server
    will have been demoted and removed from Active Directory along with the
    CA services removed, not to mention a new server now has its name.
    Thanks for your .02 Steve, it seems to be spot on.
    ~Ben
    From: ActiveDir-owner (AT) mail (DOT) activedir.org
    [mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] On Behalf Of steve patrick
    Sent: Tuesday, July 11, 2006 3:17 PM
    To: ActiveDir (AT) mail (DOT) activedir.org
    Subject: Re: [ActiveDir] Moving a Certificate Authority
    You cannot move from 2000 to 2003 as the database has changed. You could
    upgrade to 2k3 ( this would be temporary ) and then move to another 2k3
    server. I know that you said that the HW was old - but perhaps a
    temporary sloooooooooow 2k3 machine?
    You should keep the hostname the same - if you took the defaults for
    install ( 90% of CA's out there ) then you have paths in all of your
    issued certs which hardcode to this server, not to mention the name is
    also in AD as well as the CA web pages. Unless you have a very good
    reason - it'd be best to keep it the same. I think that the article
    doesn't mention moving to a new name, because it would vary from customer
    to customer and cause more trouble than it's worth.
    my .02
    steve
    Message
    From: WATSON, BEN <mailto:ben_watson (AT) appsig (DOT) com>
    To: ActiveDir (AT) mail (DOT) activedir.org
    Sent: Tuesday, July 11, 2006 3:08 PM
    Subject: [ActiveDir] Moving a Certificate Authority
    As part of my on-going journey into upgrading a 2000 domain to
    2003, I've run into the issue of moving the Certificate Authority on one
    of the original domain controllers to a new Windows 2003 domain
    controller.
    I have found a couple KB articles that seem to put me down a
    good path, but then don't pan out. Here is the situation:
    I am at the point in the domain upgrade process where I need to
    eliminate the Windows 2000 Servers from the domain so I can raise the
    functional level to 2003 native. However, the CA is currently on such
    old hardware that an OS upgrade to Windows 2003 from Windows 2000 is
    simply not possible so it will need to be demoted. It was originally a
    Windows NT 4.0 domain controller back in the day. So I am in a
    situation where I need to take a Certificate Authority from a Windows
    2000 Server, and transfer that over to a Windows 2003 Server.
    As stated before, one KB article seemed to be the most promising
    KB298138
    <;en-us;298138.
    However the instructions seem to be focused on moving a CA from a 2000
    server to a 2000 server, or a 2003 server to a 2003 server.
    Is anyone familiar with the process of moving a CA from a 2000
    DC to a 2003 DC? Also, is there a possibility of moving the CA to a
    server with a different hostname than the original CA?
    Thanks,
    ~Ben
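
Steve's reply notes that certificates issued by a default-install CA carry paths that hardcode the CA server's name, which is why a rename is risky. The PowerShell below is an added example, not part of the thread, that lists the CDP/AIA URLs of an issued certificate and marks those naming the CA host; the function names, the host `olddc01.corp.example`, the CA name `Example-CA` and the sample text (which imitates the layout Windows prints for these extensions) are all constructed.

```powershell
# Added example (not from the thread). Host and CA names are constructed.
$LocatorOids = @(
    '2.5.29.31'           # CRL Distribution Points (CDP)
    '1.3.6.1.5.5.7.1.1'   # Authority Information Access (AIA)
)

function Get-CertLocatorText {
    # Returns the formatted CDP/AIA extensions of a certificate file (Windows).
    param([Parameter(Mandatory)][string] $Path)
    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    ($cert.Extensions |
        Where-Object { $LocatorOids -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($true) }) -join "`n"
}

function Find-CaHostUrl {
    # Reports every URL in formatted CDP/AIA text and whether it names $CaHost,
    # either as the URL authority (http://host...) or as an LDAP CN= component.
    param([Parameter(Mandatory)][string] $ExtensionText,
          [Parameter(Mandatory)][string] $CaHost)
    $short       = ($CaHost -split '\.')[0]
    $hostPattern = '(//|CN=)' + [regex]::Escape($short) + '([.,/:?]|$)'
    foreach ($m in [regex]::Matches($ExtensionText, 'URL=(\S+)')) {
        $url = $m.Groups[1].Value
        [pscustomobject]@{
            Url         = $url
            NamesCaHost = ($url -match $hostPattern)   # -match ignores case
        }
    }
}

# Constructed sample of formatted extension text, so the check runs offline.
$sample = @'
[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap:///CN=Example-CA,CN=OLDDC01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=corp,DC=example?certificateRevocationList?base?objectClass=cRLDistributionPoint
               URL=http://olddc01.corp.example/CertEnroll/Example-CA.crl
[1]Authority Info Access
     Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
     Alternative Name:
          URL=http://pki.corp.example/Example-CA.crt
'@

Find-CaHostUrl -ExtensionText $sample -CaHost 'olddc01.corp.example' | Format-List
# Against a real exported certificate (hypothetical path):
# Find-CaHostUrl -ExtensionText (Get-CertLocatorText 'C:\temp\issued.cer') -CaHost 'olddc01.corp.example'
```

Any URL flagged as naming the CA host stops resolving for already-issued certificates if the replacement server takes a different name, unless the old name is kept reachable.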
