CA Move

I have an old Windows 2000 Server that is a domain controller. I want to
demote this server and rebuild it to be an archiving location. The only
piece of software that I need to move off of it yet is the CA. Other than
that it is just operating as a backup DC. I have many options on where to
move it to, I was just wondering what would be the best choice. We have two
other Win2000 servers, three Win2003 servers, and one Win2008 server. Which
one would be recommended? Also, would it be wise to move the CA to another
DC or would it be better to move it to a member server instead?

1. Use Win 2008. Certificate services are greatly improved in Win 20078 and
later. OCSP is one improvement.

2. Use it on a member server. Best paractice recommends using offline root
CA's. If such CA is on a DC, the DC would have problems maintaining synch
with other DC's.



"Zachary" <> wrote in message
news:...
> I have an old Windows 2000 Server that is a domain controller. I want to
> demote this server and rebuild it to be an archiving location. The only
> piece of software that I need to move off of it yet is the CA. Other than
> that it is just operating as a backup DC. I have many options on where to
> move it to, I was just wondering what would be the best choice. We have
> two other Win2000 servers, three Win2003 servers, and one Win2008 server.
> Which one would be recommended? Also, would it be wise to move the CA to
> another DC or would it be better to move it to a member server instead?
>
>

Thanks for the advice, I will follow that but I still have one question, can
I have two servers acting as the Enterprise Root CA's in the same domain?



I would like to run both the server 2008 and the server 2000 CA's side by
side till all the certs expire on the 2000 machine and get new certs from
the 2008 machine.


"Dusko Savatovic" <> wrote in message
news:7A184AF6-1B89-4526-9A82-...
> 1. Use Win 2008. Certificate services are greatly improved in Win 20078
> and later. OCSP is one improvement.
>
> 2. Use it on a member server. Best paractice recommends using offline root
> CA's. If such CA is on a DC, the DC would have problems maintaining synch
> with other DC's.
>
>
>
> "Zachary" <> wrote in message
> news:...
>> I have an old Windows 2000 Server that is a domain controller. I want to
>> demote this server and rebuild it to be an archiving location. The only
>> piece of software that I need to move off of it yet is the CA. Other
>> than that it is just operating as a backup DC. I have many options on
>> where to move it to, I was just wondering what would be the best choice.
>> We have two other Win2000 servers, three Win2003 servers, and one Win2008
>> server. Which one would be recommended? Also, would it be wise to move
>> the CA to another DC or would it be better to move it to a member server
>> instead?
>>
>>

I can recommend a book
Windows Server 2008 PKI and Certificate Security by Brian Komar, MSPress.
Chapter 7: Upgrading your existing Microsoft PKI.

But the whole book is a great reference for PKI planning, deployment and
operation.

Good luck
DuskoS


"Zachary" <> wrote in message
news:...
> Thanks for the advice, I will follow that but I still have one question,
> can I have two servers acting as the Enterprise Root CA's in the same
> domain?
>
>
>
> I would like to run both the server 2008 and the server 2000 CA's side by
> side till all the certs expire on the 2000 machine and get new certs from
> the 2008 machine.
>
>
> "Dusko Savatovic" <> wrote in message
> news:7A184AF6-1B89-4526-9A82-...
>> 1. Use Win 2008. Certificate services are greatly improved in Win 20078
>> and later. OCSP is one improvement.
>>
>> 2. Use it on a member server. Best paractice recommends using offline
>> root CA's. If such CA is on a DC, the DC would have problems maintaining
>> synch with other DC's.
>>
>>
>>
>> "Zachary" <> wrote in message
>> news:...
>>> I have an old Windows 2000 Server that is a domain controller. I want
>>> to demote this server and rebuild it to be an archiving location. The
>>> only piece of software that I need to move off of it yet is the CA.
>>> Other than that it is just operating as a backup DC. I have many
>>> options on where to move it to, I was just wondering what would be the
>>> best choice. We have two other Win2000 servers, three Win2003 servers,
>>> and one Win2008 server. Which one would be recommended? Also, would it
>>> be wise to move the CA to another DC or would it be better to move it to
>>> a member server instead?
>>>
>>>
>
>

Excerpt from the book about enterprise root CA's:

<quote>
If you choose single-tier CA hierarchy deployment model (meaning one CA),
ensure that you deploy single enterprise root. Do not start deploying
enterprise root CA's for each application that requires certificates.
Deploying CA's in this manner typically leads to failed PKI deployments.
</quote>

There is also an older KB article
http://support.microsoft.com/kb/298138
"How to move a certification authority to another server",
but this info is for Win 2000 and 2003



"Dusko Savatovic" <> wrote in message
news:...
> I can recommend a book
> Windows Server 2008 PKI and Certificate Security by Brian Komar, MSPress.
> Chapter 7: Upgrading your existing Microsoft PKI.
>
> But the whole book is a great reference for PKI planning, deployment and
> operation.
>
> Good luck
> DuskoS
>
>
> "Zachary" <> wrote in message
> news:...
>> Thanks for the advice, I will follow that but I still have one question,
>> can I have two servers acting as the Enterprise Root CA's in the same
>> domain?
>>
>>
>>
>> I would like to run both the server 2008 and the server 2000 CA's side by
>> side till all the certs expire on the 2000 machine and get new certs from
>> the 2008 machine.
>>
>>
>> "Dusko Savatovic" <> wrote in message
>> news:7A184AF6-1B89-4526-9A82-...
>>> 1. Use Win 2008. Certificate services are greatly improved in Win 20078
>>> and later. OCSP is one improvement.
>>>
>>> 2. Use it on a member server. Best paractice recommends using offline
>>> root CA's. If such CA is on a DC, the DC would have problems maintaining
>>> synch with other DC's.
>>>
>>>
>>>
>>> "Zachary" <> wrote in message
>>> news:...
>>>> I have an old Windows 2000 Server that is a domain controller. I want
>>>> to demote this server and rebuild it to be an archiving location. The
>>>> only piece of software that I need to move off of it yet is the CA.
>>>> Other than that it is just operating as a backup DC. I have many
>>>> options on where to move it to, I was just wondering what would be the
>>>> best choice. We have two other Win2000 servers, three Win2003 servers,
>>>> and one Win2008 server. Which one would be recommended? Also, would it
>>>> be wise to move the CA to another DC or would it be better to move it
>>>> to a member server instead?
>>>>
>>>>
>>
>>

Another blog entry might be usefull.
http://www.scottfeltmann.com/index.p...-w2k3-to-w2k8/



"Dusko Savatovic" <> wrote in message
news:#...
> Excerpt from the book about enterprise root CA's:
>
> <quote>
> If you choose single-tier CA hierarchy deployment model (meaning one CA),
> ensure that you deploy single enterprise root. Do not start deploying
> enterprise root CA's for each application that requires certificates.
> Deploying CA's in this manner typically leads to failed PKI deployments.
> </quote>
>
> There is also an older KB article
> http://support.microsoft.com/kb/298138
> "How to move a certification authority to another server",
> but this info is for Win 2000 and 2003
>
>
>
> "Dusko Savatovic" <> wrote in message
> news:...
>> I can recommend a book
>> Windows Server 2008 PKI and Certificate Security by Brian Komar, MSPress.
>> Chapter 7: Upgrading your existing Microsoft PKI.
>>
>> But the whole book is a great reference for PKI planning, deployment and
>> operation.
>>
>> Good luck
>> DuskoS
>>
>>
>> "Zachary" <> wrote in message
>> news:...
>>> Thanks for the advice, I will follow that but I still have one question,
>>> can I have two servers acting as the Enterprise Root CA's in the same
>>> domain?
>>>
>>>
>>>
>>> I would like to run both the server 2008 and the server 2000 CA's side
>>> by side till all the certs expire on the 2000 machine and get new certs
>>> from the 2008 machine.
>>>
>>>
>>> "Dusko Savatovic" <> wrote in message
>>> news:7A184AF6-1B89-4526-9A82-...
>>>> 1. Use Win 2008. Certificate services are greatly improved in Win 20078
>>>> and later. OCSP is one improvement.
>>>>
>>>> 2. Use it on a member server. Best paractice recommends using offline
>>>> root CA's. If such CA is on a DC, the DC would have problems
>>>> maintaining synch with other DC's.
>>>>
>>>>
>>>>
>>>> "Zachary" <> wrote in message
>>>> news:...
>>>>> I have an old Windows 2000 Server that is a domain controller. I want
>>>>> to demote this server and rebuild it to be an archiving location. The
>>>>> only piece of software that I need to move off of it yet is the CA.
>>>>> Other than that it is just operating as a backup DC. I have many
>>>>> options on where to move it to, I was just wondering what would be the
>>>>> best choice. We have two other Win2000 servers, three Win2003 servers,
>>>>> and one Win2008 server. Which one would be recommended? Also, would
>>>>> it be wise to move the CA to another DC or would it be better to move
>>>>> it to a member server instead?
>>>>>
>>>>>
>>>
>>>