Re: [ActiveDir] Moving a Certificate Authority

Tue, 11 Jul 2006 15:19:50 -0700

You cannot move from 2000 to 2003 as the database has changed. You could upgrade to 2k3 ( this would be temporary ) and then move to another 2k3 server. I know that you said that the HW was old - but perhaps a temporary sloooooooooow 2k3 machine?
 
You should keep the hostname the same - if you took the defaults  for install ( 90% of CA's out there ) then you have paths in all of your issued certs which hardcode to this server, not to mention the name is also in AD as well as the CA web pages. Unless you have a very good reason - it'd be best to keep it the same. I think that the article doesnt mention moving to a new name, because it would vary from customer to customer and cause more trouble then its worth.
 
my .02
 
steve
----- Original Message -----
Sent: Tuesday, July 11, 2006 3:08 PM
Subject: [ActiveDir] Moving a Certificate Authority

As part of my on-going journey into upgrading a 2000 domain to 2003, I’ve run into the issue of moving the Certificate Authority on one of the original domain controllers to a new Windows 2003 domain controller.

I have found a couple KB articles that seem to put me down a good path, but then don’t pan out.  Here is the situation…

I am at the point in the domain upgrade process where I need to eliminate the Windows 2000 Servers from the domain so I can raise the functional level to 2003 native.  However, the CA is currently on such old hardware that an OS upgrade to Windows 2003 from Windows 2000 is simply not possible so it will need to be demoted.  It was originally a Windows NT 4.0 domain controller back in the day.  So I am in a situation where I need to take a Certificate Authority from a Windows 2000 Server, and transfer that over to a Windows 2003 Server.

As stated before, one KB article seemed to be the most promising KB298138.  However the instructions seem to be focused on moving a CA from a 2000 server to a 2000 server, or a 2003 server to a 2003 server.

Is anyone familiar with the process of moving a CA from a 2000 DC to a 2003 DC?  Also, is there a possibility of moving the CA to a server with a different hostname than the original CA?

Thanks,

~Ben

Reply via email to