I want to move my CA and decomision a server

[k-strider]

Has anyone decommissioned a DC that is currently the CA authority?

I was hoping to bring a new member server up with the same name but running 2008 as our SQL Server, since the current box performs the same role.

And create a New Member server (probably a virtual one) to host the CA (as it looks like your not supposed to put a CA on a DC oops..)


It looks horribly complicated to move a CA off a DC, i get the impression that i have either rename the new CA as the same or ails it.

Has anyone been through this process?

i was also considering destroying and re-creating the CA but i guess this will have implications on any one who has EFS Certs?

Any advice would be gratefully received.

[mb2k01]

I'm not sure I'd want to virtualise the CA, but i'm not too experienced on virtualisation (unfortunately), so maybe others will say there is nothing wrong with it.

As long as the FSMO roles are assigned to active servers you shouldn't have a problem.
Having the CA on the DC shouldn't cause an issue - it's just one of those pieces of advice that sometimes (often) get ignored in the real world.

[jamesb]

Is this the sort of thing you're looking for: How to move a certification authority to another server ?

[k-strider]

that's one of the Docs I read...

but does state that the Server must have the same name as the previous CA Server.

which kinda may not be possible, as I wanted to keep the previous server name for the SQL to save a lot of re config on Sharepoint etc...

The Other issue is that according to the Docs to go 2003 -> 2008 you need to do an inplace upgrade either before you move the CA on original server or after you move the CA on the new Server. to complicate it some more the 2k3 is 32-bit and the new DB server will be 2K8x64

i was hoping to move the CA to a virtual 32 bit 2k3 server with a new Name and leave the DB Server with the original name and just being a DB server...

Just wondering if any has ever moved there CA before ?

[teejay]

The server needs to be the same name as any certificates are signed using that server name, so all the certificates would be invalid if you changed it's name.
Depending on the number of certificates and devices using the certificates, it may actually be easier to use a different name for the SQL server.

[k-strider]

I'm begining to think this too..

I might bite the bullet and rebuild my MOSS farm.. can't believe you can't just point it to another DB server lol!!!!

So the Next question is... if I keep the CA as SERVERX is it ok for it just to be a member server in the future as it is currently a DC?

Gordon.

[teejay]

Yes it's fine. Our certificate server was a DC that has been demoted and now virtualised without problems.

[k-strider]

TeeJay did you do this bascially?

Backup Cert as per ms guidelines
REmove CA Services
Demote the DC
?Destroy original SErver
?Make new Virtual Server
or
?Virtualizes the existing demoted server
Reinstall Certificate Services.

Thanks Gordon.