RE: [ActiveDir] Moving a Certificate Authority

[Myrick, Todd \(NIH/CC/DCRI\) [E]]

How about a P to V process to move the physical server to a virtual server…. Then perform the upgrade.  When I hear “Slow”, I assume you are concerned about the hardware.   The idea is to keep the original server and just turn it off once you P to V it.  Of course you need a Virtualization solution and a P2V solution. Personally I am a fan of rebuilding from scratch and keeping the same name.  I haven’t done a CA upgrade to 2003, but most Microsoft network services run JET.  In my experiences with JET services, you can install the new service, stop it, delete the new database, then just copy the older formatted database to the same location, then start the database… When the service initially runs, it will convert the old database to the new format. From what I read about below. I am not sure what the impact would be with the templates, and registry settings though.  If this makes no sense… it is because I haven’t had my coffee. Todd From: Kevin Brunson [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 12, 2006 12:22 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Moving a Certificate Authority   The other advantage to doing it this way, now that I think about it, is a little clearer recovery path if everything blows up.  A system state restore on your old ca and an authoritative restore on AD should (please everyone check me on this) get you back where you were without having to reload the original un-upgraded OS on your original CA.   Kevin Brunson   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson Sent: Tuesday, July 11, 2006 8:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Moving a Certificate Authority   Have you thought about putting a new server (or an older one with good hardware) in the mix as 2000, moving the CA to it, and then upgrading it to 2k3?  That way you don’t have to worry about the hardware not supporting 2003 or something terrible like that.  Then if you want you could move it from that 2003 server to another 2003 server, or you could just leave it where it is.  Kevin Brunson   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Tuesday, July 11, 2006 6:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Moving a Certificate Authority   And will it ever be a slooooooow 2k3 machine indeed.  After continuing to do some reading and researching, it does appear that my only option is to… 1)    Upgrade the old DC to 2k3 2)    Backup the CA and the registry key as stated in the KB298138 article. 3)    Remove the CA services, demote server and rename it. 4)    Promote a 2k3 server with the same name as the old DC and install the CA services. 5)    Restore the CA data and registry key 6)    Cross my fingers and hope that I have a CA once again I’ll give this a shot tomorrow.  I just wonder what would be my backup plan should the CA restoration fail on the new server?  The old server will have been demoted and removed from Active Directory along with the CA services removed, not to mention a new server now has its name. Thanks for your .02 Steve, it seems to be spot on. ~Ben   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick Sent: Tuesday, July 11, 2006 3:17 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Moving a Certificate Authority   You cannot move from 2000 to 2003 as the database has changed. You could upgrade to 2k3 ( this would be temporary ) and then move to another 2k3 server. I know that you said that the HW was old - but perhaps a temporary sloooooooooow 2k3 machine?   You should keep the hostname the same - if you took the defaults  for install ( 90% of CA's out there ) then you have paths in all of your issued certs which hardcode to this server, not to mention the name is also in AD as well as the CA web pages. Unless you have a very good reason - it'd be best to keep it the same. I think that the article doesnt mention moving to a new name, because it would vary from customer to customer and cause more trouble then its worth.   my .02   steve ----- Original Message ----- From: WATSON, BEN To: ActiveDir@mail.activedir.org Sent: Tuesday, July 11, 2006 3:08 PM Subject: [ActiveDir] Moving a Certificate Authority   As part of my on-going journey into upgrading a 2000 domain to 2003, I’ve run into the issue of moving the Certificate Authority on one of the original domain controllers to a new Windows 2003 domain controller. I have found a couple KB articles that seem to put me down a good path, but then don’t pan out.  Here is the situation… I am at the point in the domain upgrade process where I need to eliminate the Windows 2000 Servers from the domain so I can raise the functional level to 2003 native.  However, the CA is currently on such old hardware that an OS upgrade to Windows 2003 from Windows 2000 is simply not possible so it will need to be demoted.  It was originally a Windows NT 4.0 domain controller back in the day.  So I am in a situation where I need to take a Certificate Authority from a Windows 2000 Server, and transfer that over to a Windows 2003 Server. As stated before, one KB article seemed to be the most promising KB298138.  However the instructions seem to be focused on moving a CA from a 2000 server to a 2000 server, or a 2003 server to a 2003 server. Is anyone familiar with the process of moving a CA from a 2000 DC to a 2003 DC?  Also, is there a possibility of moving the CA to a server with a different hostname than the original CA? Thanks, ~Ben