I have moved into a job where there are a number of old 2003 servers running as DCs. These need to be decommissioned.
I have some new 2008 servers that have been promoted to DC, and I have moved the FSMO roles across. I managed to demote a few servers, but there are 3 which have Certificate Services installed: 2 of them are Enterprise Root CAs (on the same domain) and the other is an Enterprise Subordinate CA (on a child domain).
The 2 Enterprise Root CAs are still issuing certificates, but 1 of them appears to have issued only 3 in the last 6 months: 2 to itself (domain controller cert template) and 1 to a user (Basic EFS).
The other Enterprise Root CA is still issuing certificates too; they are mostly computer certificates, 1 or 2 user ones and a number to itself as a domain controller.
The subordinate CA, while it has Certificate Services installed, is not running, as it would appear the CA certificate has expired and the CA service will not start until the CA certificate is renewed. I don't know how long it has not been running for or what certificates it issued.
Now I have been looking at the migration guides for certificate authorities from 2003 to 2008 on the Microsoft site, but they talk about changing the server name on the destination server to match the old one; however, I don't want to do this, as the new servers are DCs already and I don't want to change their names.
A few questions regarding the existing servers: is it possible to have 2 Enterprise Root CAs on 1 domain? Why is one of them issuing only 3 certificates? Why do all the computers go to the other Enterprise Root CA?
Would I be best decommissioning the existing 2003 servers and CAs and then installing new ones on the 2008 DCs and starting fresh?
Thanks in advance.
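The questions above (how many enterprise CAs the domain advertises, and what each one has actually issued recently, per template) can be answered from Active Directory and the CA databases before anything is decommissioned. The following is an added example, not code from this thread; it assumes you run it as a user with read access to the CA databases, that certutil prints its English output format, and that certutil parses dates in your local short-date format.

```powershell
# Added example (not from the thread): inventory the enterprise CAs that
# Active Directory advertises to the forest, then count what each one has
# issued in the last six months, grouped by certificate template.
# Assumes: read access to each CA database, English certutil output.

# 1. Every enterprise CA (root or subordinate) registers a pKIEnrollmentService
#    object here; autoenrolling clients pick an issuer from this list, which is
#    why one domain can legitimately advertise more than one enterprise root CA.
$rootDse   = [ADSI]"LDAP://RootDSE"
$configNC  = $rootDse.configurationNamingContext
$enrollSvc = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

$since = (Get-Date).AddMonths(-6).ToString('d')   # certutil parses local short dates

foreach ($ca in $enrollSvc.Children) {
    $caName = $ca.Properties['cn'].Value
    $caHost = $ca.Properties['dNSHostName'].Value
    $config = "$caHost\$caName"
    Write-Host "`n== $config =="
    Write-Host "Templates published on this CA:"
    $ca.Properties['certificateTemplates'].Value | ForEach-Object { Write-Host "  $_" }

    # 2. Ask the CA database for certificates issued (Disposition=20) since $since.
    #    -restrict filters rows, -out limits columns, -config selects the CA.
    $rows = & certutil -config $config -view `
        -restrict "Disposition=20,NotBefore>=$since" `
        -out "RequestID,RequesterName,CertificateTemplate,NotBefore" 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Host "  (CA database not reachable: service stopped or CA cert expired?)"
        continue
    }

    # 3. Tally issued certificates per template. certutil prints each value as
    #    '  Certificate Template: "<name or OID>" <display name>'.
    $tally = @{}
    foreach ($line in $rows) {
        if ($line -match 'Certificate Template:\s+"([^"]*)"') {
            $tally[$Matches[1]] = 1 + [int]$tally[$Matches[1]]
        }
    }
    Write-Host "Issued since $since :"
    if ($tally.Count -eq 0) { Write-Host "  none" }
    foreach ($t in $tally.Keys) { Write-Host ("  {0,5}  {1}" -f $tally[$t], $t) }
}
```

A CA whose database cannot be reached (like the subordinate with the expired certificate) shows up in the first part of the listing but not the second, so you still see which templates it was publishing.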
Had this issue not long ago. Like how you described your issue, I had two domain controllers, both 2003 Active Directory integrated, and 2 2008 64-bit servers. How I did it was I installed the 2 2008 servers and moved all services like DNS and DHCP over to the new servers.
I then turned both servers into domain controllers. Once everything was settled and I had turned off all the services on the 2003 server that I didn't need, I switched off the server, leaving 1 2003 server (still acting as the primary holder for the domain). I moved all of the roles from the 2003 server to the 2008 server.
With regards to the CA, I installed the feature on the 2008 DC, and then I just did a backup of the 2003 CA and imported it into the 2008 server. I myself was worried, because it was a different architecture etc., thinking that it wouldn't work, and was getting overworked because there are so many different ways and different things that can or could go wrong, so I just went with my gut and it works. I then decommissioned the old 2003 server.