Windows Server 2000/2003 Thread: I want to move my CA and decommission a server, in Technical
18th March 2009, 03:34 PM #1
I want to move my CA and decommission a server
Has anyone decommissioned a DC that is currently the CA authority?
I was hoping to bring a new member server up with the same name but running 2008 as our SQL Server, since the current box performs the same role.
And create a new member server (probably a virtual one) to host the CA (as it looks like you're not supposed to put a CA on a DC, oops...).
It looks horribly complicated to move a CA off a DC; I get the impression that I have to either rename the new CA as the same or alias it.
Has anyone been through this process?
I was also considering destroying and re-creating the CA, but I guess this will have implications for anyone who has EFS certs?
Any advice would be gratefully received.
18th March 2009, 03:39 PM #2
I'm not sure I'd want to virtualise the CA, but I'm not too experienced on virtualisation (unfortunately), so maybe others will say there is nothing wrong with it.
As long as the FSMO roles are assigned to active servers you shouldn't have a problem.
Having the CA on the DC shouldn't cause an issue - it's just one of those pieces of advice that sometimes (often) get ignored in the real world.
18th March 2009, 03:46 PM #3
18th March 2009, 04:09 PM #4
That's one of the docs I read...
but it does state that the server must have the same name as the previous CA server.
Which kinda may not be possible, as I wanted to keep the previous server name for the SQL to save a lot of reconfig on SharePoint etc...
The other issue is that according to the docs, to go 2003 -> 2008 you need to do an in-place upgrade either before you move the CA on the original server or after you move the CA on the new server. To complicate it some more, the 2k3 is 32-bit and the new DB server will be 2K8 x64.
I was hoping to move the CA to a virtual 32-bit 2k3 server with a new name and leave the DB server with the original name and just being a DB server...
Just wondering if anyone has ever moved their CA before?
18th March 2009, 04:20 PM #5
The server needs to be the same name as any certificates are signed using that server name, so all the certificates would be invalid if you changed its name.
Depending on the number of certificates and devices using the certificates, it may actually be easier to use a different name for the SQL server.
18th March 2009, 04:25 PM #6
I'm beginning to think this too..
I might bite the bullet and rebuild my MOSS farm.. can't believe you can't just point it to another DB server lol!!!!
So the next question is... if I keep the CA as SERVERX, is it OK for it just to be a member server in the future, as it is currently a DC?
18th March 2009, 04:28 PM #7
Yes it's fine. Our certificate server was a DC that has been demoted and now virtualised without problems.
Thanks to teejay from:
k-strider (18th March 2009)
18th March 2009, 05:57 PM #8
TeeJay, did you do this basically?
Back up cert as per MS guidelines
Remove CA services
Demote the DC
?Destroy original server
?Make new virtual server
?Virtualize the existing demoted server
Reinstall Certificate Services.