CA Move (Windows Server > Server Security newsgroup thread, Windows Vista Tips archive)

Zachary, 03-24-2010
I have an old Windows 2000 Server that is a domain controller. I want to
demote this server and rebuild it to be an archiving location. The only
piece of software that I need to move off of it yet is the CA. Other than
that it is just operating as a backup DC. I have many options on where to
move it to, I was just wondering what would be the best choice. We have two
other Win2000 servers, three Win2003 servers, and one Win2008 server. Which
one would be recommended? Also, would it be wise to move the CA to another
DC or would it be better to move it to a member server instead?


 
Dusko Savatovic, 03-24-2010
1. Use Win 2008. Certificate Services are greatly improved in Win 2008 and
later. OCSP is one improvement.

2. Use it on a member server. Best practice recommends using offline root
CAs. If such a CA is on a DC, the DC would have problems maintaining sync
with other DCs.



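Added example (editor's, not part of Dusko's post): a PowerShell 2.0 inventory that shows the data this choice turns on, namely which enterprise CAs are registered in Active Directory and on which hosts, and which of the domain's servers are domain controllers and what OS each runs. It uses [ADSI] and DirectorySearcher rather than the ActiveDirectory module so it runs on a 2008 RTM box; the "*2008*" match and the exclusion of hosts that already run a CA are assumptions about this environment, the container path and the 0x2000 userAccountControl bit are standard AD.

```powershell
# Added example (editor's, not from the thread). Inventory for choosing a CA host:
#   1. enterprise CAs registered in AD and the host each runs on
#   2. the domain's servers, with OS version and whether each is a DC
# Runs on any domain-joined machine with PowerShell 2.0; no AD module needed.

# The Enrollment Services container in the configuration partition holds one
# pKIEnrollmentService object per enterprise CA, carrying the host's dNSHostName.
$configNC  = [string](([ADSI]"LDAP://RootDSE").configurationNamingContext)
$enrollSvc = [ADSI]("LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC")
$cas = @(foreach ($ca in $enrollSvc.Children) {
    New-Object PSObject -Property @{
        CAName = [string]$ca.cn
        Host   = ([string]$ca.dNSHostName).ToLower()
    }
})

# Every server-class computer object in the domain. userAccountControl bit
# 0x2000 (SERVER_TRUST_ACCOUNT) is set only on domain controllers.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(operatingSystem=*Server*))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@("dNSHostName", "operatingSystem", "userAccountControl"))
$hosts = @(foreach ($r in $searcher.FindAll()) {
    $p    = $r.Properties
    $fqdn = ([string]$p["dnshostname"][0]).ToLower()
    $uac  = [int]$p["useraccountcontrol"][0]
    New-Object PSObject -Property @{
        Host    = $fqdn
        OS      = [string]$p["operatingsystem"][0]
        IsDC    = ($uac -band 0x2000) -ne 0
        HostsCA = ($cas | Where-Object { $_.Host -eq $fqdn } | ForEach-Object { $_.CAName }) -join ", "
    }
})

$hosts | Sort-Object IsDC, OS | Format-Table Host, OS, IsDC, HostsCA -AutoSize

# Candidates per the advice above: not a DC, newest OS present, not already a CA.
# "*2008*" is an assumption about this domain; adjust to whatever is newest.
$hosts | Where-Object { -not $_.IsDC -and $_.OS -like "*2008*" -and -not $_.HostsCA } |
    ForEach-Object { "Candidate member server for the CA: $($_.Host) ($($_.OS))" }
```

The table makes the DC problem visible at a glance: a CA on a host with IsDC = True shares that host's replication, patching and reboot schedule, which is what the "problems maintaining sync" remark is about.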

 
Zachary, 03-24-2010
Thanks for the advice, I will follow that, but I still have one question: can
I have two servers acting as the Enterprise Root CAs in the same domain?



I would like to run both the server 2008 and the server 2000 CA's side by
side till all the certs expire on the 2000 machine and get new certs from
the 2008 machine.


Dusko Savatovic, 03-24-2010
I can recommend a book:
Windows Server 2008 PKI and Certificate Security by Brian Komar, MS Press,
chapter 7, "Upgrading your existing Microsoft PKI".

But the whole book is a great reference for PKI planning, deployment and
operation.

Good luck
DuskoS


Dusko Savatovic, 03-24-2010
Excerpt from the book about enterprise root CAs:

<quote>
If you choose single-tier CA hierarchy deployment model (meaning one CA),
ensure that you deploy single enterprise root. Do not start deploying
enterprise root CA's for each application that requires certificates.
Deploying CA's in this manner typically leads to failed PKI deployments.
</quote>

There is also an older KB article,
http://support.microsoft.com/kb/298138
"How to move a certification authority to another server",
but this info is for Win 2000 and 2003.



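Added example (editor's, not from the thread or from KB 298138): the backup and restore sequence the KB article describes, written as certutil and reg commands, with the checks that usually bite when the new host has a different name. Assumptions: certutil syntax as on Windows Server 2003/2008 (on the Windows 2000 source the Certification Authority snap-in's "Back up CA" wizard produces the same .p12 plus DataBase folder), reg.exe is available, D:\CABackup is a path reachable from both hosts, the CA name is kept identical on the new host, and the AD CS role on the new host is installed with "use existing key" from the .p12 before Restore-CA runs. The function names and the OldHost / OldIssuedCert parameters are mine.

```powershell
# Added example (editor's; not from the thread or KB 298138). Move a CA to a
# new host: back up on the old server, restore on the new one, then verify.
# Assumptions: certutil.exe syntax as on Windows Server 2003/2008; reg.exe
# present; $BackupDir reachable from both hosts; same CA name on the new host.

$BackupDir = "D:\CABackup"                                   # assumed path
$RegKey    = "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"

function Backup-CA([string]$P12Password) {
    # OLD host, certsvc running (the database backup uses the live ESE backup
    # API). Produces <CAName>.p12 (CA cert + private key, password-protected)
    # and DataBase\ (edb + logs).
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    certutil -p $P12Password -backup $BackupDir
    # The rest of the CA's state (publication URL lists, validity periods,
    # template list, audit filter) lives under this key.
    reg export $RegKey "$BackupDir\CertSvc-Configuration.reg" /y
    # Text copies of the publication lists: .reg files store REG_MULTI_SZ as
    # hex(7), so these text dumps are what gets checked for hostnames later.
    certutil -getreg CA\CRLPublicationURLs    | Set-Content "$BackupDir\crl-urls.txt"
    certutil -getreg CA\CACertPublicationURLs | Set-Content "$BackupDir\aia-urls.txt"
}

function Restore-CA([string]$OldHost) {
    # NEW host, after the AD CS role was installed with "use existing key"
    # pointing at $BackupDir\<CAName>.p12 and the same CA name. The service
    # must be stopped for a database restore.
    net stop certsvc
    certutil -restoreDB $BackupDir
    # CAServerName (REG_SZ) still names the old host; patch it in the export
    # before importing so the CA does not believe it lives on $OldHost.
    $src = "$BackupDir\CertSvc-Configuration.reg"
    $dst = "$BackupDir\CertSvc-Configuration.fixed.reg"
    (Get-Content $src) -replace '"CAServerName"=".*"', ('"CAServerName"="{0}"' -f $env:COMPUTERNAME) |
        Set-Content -Encoding Unicode $dst
    reg import $dst
    net start certsvc
    # Publication entries that hardcode the old name instead of the %1 (DNS
    # name) / %2 (short name) tokens make the CA keep publishing to, and
    # clients keep fetching from, a host that no longer serves CRLs.
    $hard = @(Get-Content "$BackupDir\crl-urls.txt", "$BackupDir\aia-urls.txt" |
              Select-String -SimpleMatch $OldHost)
    foreach ($h in $hard) {
        Write-Warning "Publication URL hardcodes the old host: $($h.Line.Trim())"
        Write-Warning "Rewrite it with certutil -setreg CA\CRLPublicationURLs (or CA\CACertPublicationURLs) and restart certsvc"
    }
    certutil -CRL                                            # first CRL from the new host
}

function Test-CAMove([string]$OldHost, [string]$OldIssuedCert) {
    # The Enrollment Services object in AD must now name this host.
    $ad = @(certutil -ADCA | Select-String -SimpleMatch "dNSHostName")
    $ad | ForEach-Object { $_.Line.Trim() }
    if ($ad | Select-String -SimpleMatch $OldHost) {
        Write-Warning "An enterprise CA object still points at $OldHost"
    }
    # Same CA name as before; issued certificates chain to the CA certificate
    # and key, not to a hostname, so neither may change across the move.
    certutil -cainfo name
    # End to end: a certificate the old host issued ($OldIssuedCert is a .cer
    # exported before the move) must still chain, and its CRL must be
    # fetchable from the CDP embedded in it.
    certutil -verify -urlfetch $OldIssuedCert | Select-String "Revocation|Verified|ERROR"
}

# Old host:  Backup-CA -P12Password 'long-random-passphrase'
# New host:  Restore-CA -OldHost OLDDC01
#            Test-CAMove -OldHost OLDDC01 -OldIssuedCert C:\temp\user.cer
```

The last check matters more than the others: every certificate the old host issued carries the CDP and AIA URLs that were configured at issue time, so an HTTP URL with the old hostname or an LDAP path under the old short name stays in those certificates until they expire or are reissued. Either keep the old name resolving (a DNS alias to the new host serving the same path, or the old host left publishing the CRL) or plan to reissue; the new CA's freshly published CRL alone does not help clients that validate an old certificate.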

 
Dusko Savatovic, 03-24-2010

Another blog entry might be useful.
http://www.scottfeltmann.com/index.p...-w2k3-to-w2k8/


