12th August 2010, 04:50 PM #1
Migrating internal Certificate Authority to new server
I'm after some advice from anyone with experience of moving the Certificate Authority in Windows Server to a new server, as I'm about to do so on my network.
Right now I am most of the way through scrapping our RM CC3 system in favour of a vanilla Server 2008 R2/Windows 7 system. The time has almost come to switch off the last RM server; the last two things I need to do are to transfer the Operations Master role (which seems easy peasy) and the slightly more daunting task of moving the Certificate Authority.
I've read this quick guide as well as the not so quick Active Directory Certificate Services Migration Guide on TechNet, which frankly makes the process seem more complicated than finding the Higgs boson.
An alternate option I have seen proposed is to set up a new CA and run it in parallel with the old one while I switch all the machines that currently use certificates to the new CA. Given that 99% of the existing certificates are computer auto-enrolment certificates, this doesn't seem like a bad idea.
Has anyone here done this before and can offer any words of wisdom?
Last edited by AngryTechnician; 12th August 2010 at 04:56 PM.
12th August 2010, 04:57 PM #2
I'm planning to nuke ours from orbit and rebuild/reimport existing certs into AD as trusted as a stopgap. It's on a DC that's also being decommissioned which makes it doubly annoying to work on. I also read those while I was researching and concluded it would be faster for me to just rebuild from scratch.
However, our only certs are for Wireless Auth, RADIUS for a couple of things and a handful of internal certs for things like EFS decryption. If you're using user certs as well, that may not be an option.
12th August 2010, 05:03 PM #3
I think mine is used for even less than yours, since we have no wireless at present. Aside from a couple of internal web server and DC certificates, I don't think the computer certificates are even used for anything.
12th August 2010, 05:11 PM #4
Having just set up a new CA (rather than reuse the existing one that I'd previously set up) for our SCCM install (gahhh!) I'd say that it's probably just easier to set up a new CA and issue new certificates manually for the few that may need that.
13th August 2010, 01:41 PM #5
Well, I've decided to go down the new CA route; have installed a new Enterprise CA into Active Directory this morning and am now going through removing computer certificates on the servers and allowing them to pick up a new one via auto-enrolment. Seems to be going fairly smoothly so far...
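The per-server step described in the last post (find the machine certificates issued by the old CA, remove them, let auto-enrolment fetch replacements) can be scripted. This is an added example, not code from the thread; `$OldCaName` is a placeholder for the retiring CA's common name, and the script is assumed to run elevated on each server.

```powershell
# Added example: inventory (and optionally remove) machine certificates
# issued by the CA being retired. Report-only unless -Remove is given.
param(
    # Placeholder: replace with the common name of the old CA.
    [string]$OldCaName = 'OLD-CA-NAME-PLACEHOLDER',
    [switch]$Remove
)

$x509  = 'System.Security.Cryptography.X509Certificates'
$store = New-Object "$x509.X509Store" ('My', 'LocalMachine')
$flags = if ($Remove) { 'ReadWrite' } else { 'ReadOnly' }
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]$flags)

try {
    # Match on the issuer's simple name so certificates from the new CA are untouched.
    $old = @($store.Certificates | Where-Object {
        $_.GetNameInfo('SimpleName', $true) -eq $OldCaName
    })

    foreach ($cert in $old) {
        # The EKU extension shows what the certificate is for (server auth, EFS, ...).
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $usages = if ($eku) {
            ($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', '
        } else { '(no EKU)' }

        New-Object PSObject -Property @{
            Subject    = $cert.GetNameInfo('SimpleName', $false)
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Usages     = $usages
            Removed    = [bool]$Remove
        }

        if ($Remove) { $store.Remove($cert) }
    }
}
finally {
    $store.Close()
}

if ($Remove -and $old.Count -gt 0) {
    # Trigger an auto-enrolment pass so a replacement is requested from the new CA.
    certutil -pulse | Out-Null
}
```

Run it without `-Remove` first and check the `Usages` column: certificates that were requested manually (an internal web server, for example) are not replaced by auto-enrolment and need a new certificate issued before the old one is removed.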