CA Move

Discussion in 'Server Security' started by Zachary, Mar 24, 2010.

  1. Zachary

    Zachary Guest

    I have an old Windows 2000 Server that is a domain controller. I want to
    demote this server and rebuild it to be an archiving location. The only
    piece of software that I need to move off of it yet is the CA. Other than
    that it is just operating as a backup DC. I have many options on where to
    move it to, I was just wondering what would be the best choice. We have two
    other Win2000 servers, three Win2003 servers, and one Win2008 server. Which
    one would be recommended? Also, would it be wise to move the CA to another
    DC or would it be better to move it to a member server instead?
     
    Zachary, Mar 24, 2010
    #1

  2. 1. Use Win 2008. Certificate services are greatly improved in Win 2008 and
    later. OCSP is one improvement.

    2. Use it on a member server. Best practice recommends using offline root
    CA's. If such CA is on a DC, the DC would have problems maintaining synch
    with other DC's.



     
    Dusko Savatovic, Mar 24, 2010
    #2

  3. Zachary

    Zachary Guest

    Thanks for the advice, I will follow that but I still have one question, can
    I have two servers acting as the Enterprise Root CA's in the same domain?



    I would like to run both the server 2008 and the server 2000 CA's side by
    side till all the certs expire on the 2000 machine and get new certs from
    the 2008 machine.


     
    Zachary, Mar 24, 2010
    #3
  4. I can recommend a book
    Windows Server 2008 PKI and Certificate Security by Brian Komar, MSPress.
    Chapter 7: Upgrading your existing Microsoft PKI.

    But the whole book is a great reference for PKI planning, deployment and
    operation.

    Good luck
    DuskoS


     
    Dusko Savatovic, Mar 24, 2010
    #4
  5. Excerpt from the book about enterprise root CA's:

    <quote>
    If you choose single-tier CA hierarchy deployment model (meaning one CA),
    ensure that you deploy single enterprise root. Do not start deploying
    enterprise root CA's for each application that requires certificates.
    Deploying CA's in this manner typically leads to failed PKI deployments.
    </quote>

    There is also an older KB article
    http://support.microsoft.com/kb/298138
    "How to move a certification authority to another server",
    but this info is for Win 2000 and 2003



     
    Dusko Savatovic, Mar 24, 2010
    #5
  6. Another blog entry might be useful.
    http://www.scottfeltmann.com/index.php/2010/03/02/move-root-ca-from-w2k3-to-w2k8/



     
    Dusko Savatovic, Mar 24, 2010
    #6
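    The move described in the KB article (#5) and the blog entry (#6) keeps the
    CA name and the CA's private key, so certificates the Windows 2000 CA has
    already issued chain to the same root after the move and no second
    enterprise root CA is needed. The script below is an added example that
    outlines that procedure from the command line; it is not code from the
    thread, the KB article, the blog or the book. The CA name Corp-Root-CA, the
    backup directory C:\CABackup and the PFX password are assumptions, and the
    Add Roles wizard step on the Windows Server 2008 host is done by hand. It is
    written as a cmd batch file because Windows 2000 has no PowerShell, so the
    same file can run on both the source and the destination.

```batch
@echo off
rem ca-move.cmd : back up a Microsoft CA on the source host and restore it on
rem the destination host, following the outline of KB 298138. Added example,
rem not from the thread, the KB or the book. CANAME, BACKUPDIR and PFXPASS are
rem assumptions; change them before use.
setlocal
set CANAME=Corp-Root-CA
set BACKUPDIR=C:\CABackup
set PFXPASS=ChangeMeBeforeUse
if /i "%1"=="backup"  goto backup
if /i "%1"=="restore" goto restore
echo usage: %~nx0 backup ^| restore
exit /b 1

:backup
rem 1. Record the CA's identity: the destination CA MUST be installed with the
rem    same CA name, or restored data and issued certificates will not match.
if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"
certutil -cainfo name > "%BACKUPDIR%\caname.txt"
rem 2. Database plus CA certificate and private key. certutil writes the key as
rem    a .p12 protected by PFXPASS into BACKUPDIR and the database below it.
certutil -p "%PFXPASS%" -backup "%BACKUPDIR%"
if errorlevel 1 goto fail
rem 3. CA configuration lives under HKLM\...\CertSvc\Configuration. Export it
rem    with regedit /e, which is in-box on Windows 2000 (reg.exe is not).
regedit /e "%BACKUPDIR%\CertSvc-Configuration.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"
rem 4. CRL and AIA publication locations usually embed the OLD hostname and have
rem    to be revised on the new host; keep a copy for reference.
certutil -getreg CA\CRLPublicationURLs > "%BACKUPDIR%\CRLPublicationURLs.txt"
certutil -getreg CA\CACertPublicationURLs > "%BACKUPDIR%\CACertPublicationURLs.txt"
echo Backup written to %BACKUPDIR%. Copy the directory to the destination host.
echo The .p12 is the CA private key: keep it off general file shares.
endlocal
exit /b 0

:restore
rem Preconditions, done by hand in the Add Roles wizard on Windows Server 2008:
rem   Certificate Services installed as the SAME CA type (enterprise root) with
rem   the SAME CA name, choosing "Use existing private key" and the .p12 from
rem   BACKUPDIR. Then run this script as a local administrator.
net stop certsvc
rem 1. Restore database and key over the freshly installed CA (-f overwrites).
certutil -f -p "%PFXPASS%" -restore "%BACKUPDIR%"
if errorlevel 1 goto fail
rem 2. Configuration: review the exported .reg BEFORE importing it. Values that
rem    embed the old hostname or old paths (CRLPublicationURLs,
rem    CACertPublicationURLs, database directories) must be edited first or
rem    re-set with certutil -setreg afterwards.
regedit /s "%BACKUPDIR%\CertSvc-Configuration.reg"
net start certsvc
rem 3. Checks: the restored key matches the CA certificate, the CA name is
rem    unchanged and the service answers requests under the new hostname.
certutil -verifykeys
certutil -cainfo name
certutil -config "%COMPUTERNAME%\%CANAME%" -ping
rem 4. Publish a fresh CRL from the new host so clients do not depend on one
rem    that still points at the retired server.
certutil -CRL
endlocal
exit /b 0

:fail
echo certutil failed with error %errorlevel%; nothing further was done.
endlocal
exit /b 1
```

    Run `ca-move.cmd backup` on the Windows 2000 CA, copy C:\CABackup to the
    2008 member server, install Certificate Services there with the existing key,
    then run `ca-move.cmd restore`. Keep the old CA stopped once the restore
    succeeds: two CAs signing with the same key and name would issue overlapping
    serial numbers and CRLs, which is the failure the book excerpt in #5 warns
    about in a different form.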