Ca Authority - Retire Server - Migrate to new server

Discussion in 'Active Directory' started by Kyle BLake, Mar 27, 2009.

  1. Kyle BLake

    Kyle BLake Guest


    I am retiring an old server which is a DC and a Certificate authority for
    our domain. We run Exchange 2007 and we use the CA to encrypt files on end
    users laptop.

    Does anyone have document on how to retire the old CA and enable a new one?
    Any tips?

    So far I have these steps

    On new server - which is a dc + gc
    Kyle BLake, Mar 27, 2009
    1. Advertisements

  2. Paul Bergson [MVP-DS], Mar 27, 2009
    1. Advertisements

  3. Kyle BLake

    Kyle BLake Guest

    Thanks Paul,

    I gave a quick read of your "decommision a DC" and the other KB link.

    Neat site you have there with advice.

    The old DC is a physcial server the new one is a virtual server.

    I still want the old DC to be a DFS site but not a DC OR CA authority
    anymore. So the KB article thinks I am completely shutting down and deleting
    the old server account.. Thats not the case with my scenario.

    I thought it would be straight forward just enabling a new CA in a domain or
    running two at once or something to that affect and then just turning off one
    whenever. Didn't realize it's a tricky regedit, delete account, backup
    certificate, re-import, check new registry etc etc etc.
    Kyle BLake, Mar 27, 2009
  4. Kyle BLake

    Marcin Guest

    Marcin, Mar 27, 2009
  5. Kyle BLake

    Kyle BLake Guest

    Now I get It!
    I literally have to shut off the old server and remove it permanetly!
    So backup all cert stuff and full dc, or better yet snap it since it will be

    Then uninstall certificate services
    dc promo and demote
    remove all accounts and references, ad users and computers + sites and

    Then go to new server which is part of domain and a DC already and run
    dcpromo to demote it. Then wait for replication, then while still part of

    Run DC PROMO , wait for REPLY
    Install certificate services
    Then follow KB55012

    Thats the method I plan on using, sound about right?
    Kyle BLake, Mar 30, 2009
  6. You will need to migrate the old CA to the new server, but in order to keep
    the certificate trust valid, the new server must have the same fully
    qualified name as the old server.

    How to move a certification authority to another server:

    HOWTO: Move a certificate authority to a new server running on a domain

    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps

    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    Keep a back up of your OE settings and folders
    with OEBackup:
    Kevin D. Goodknecht [MVP], Apr 10, 2009
  7. Kyle BLake

    Kyle BLake Guest

    Thanks for your help!

    Kyle BLake, Apr 15, 2009
  8. MS-KBQ298138_How to move a certification authority to another server
    MS-KBQ555012_HOWTO Move a certificate authority to a new server running on a
    domain controller
    MS-KBQ889250_How to decommission a Windows enterprise certification
    authority and how to remove all related objects from Windows Server 2003 and
    from Windows 2000 Server



    # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

    Jorge de Almeida Pinto [MVP - DS], Apr 17, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.