CA Move

Discussion in 'Server Security' started by Zachary, Mar 24, 2010.

  1. Zachary

    Zachary Guest

    I have an old Windows 2000 Server that is a domain controller. I want to
    demote this server and rebuild it to be an archiving location. The only
    piece of software that I need to move off of it yet is the CA. Other than
    that it is just operating as a backup DC. I have many options on where to
    move it to, I was just wondering what would be the best choice. We have two
    other Win2000 servers, three Win2003 servers, and one Win2008 server. Which
    one would be recommended? Also, would it be wise to move the CA to another
    DC or would it be better to move it to a member server instead?
     
    Zachary, Mar 24, 2010
    #1
    1. Advertisements

  2. 1. Use Win 2008. Certificate services are greatly improved in Win 20078 and
    later. OCSP is one improvement.

    2. Use it on a member server. Best paractice recommends using offline root
    CA's. If such CA is on a DC, the DC would have problems maintaining synch
    with other DC's.
     
    Dusko Savatovic, Mar 24, 2010
    #2
    1. Advertisements

  3. Zachary

    Zachary Guest

    Thanks for the advice, I will follow that but I still have one question, can
    I have two servers acting as the Enterprise Root CA's in the same domain?



    I would like to run both the server 2008 and the server 2000 CA's side by
    side till all the certs expire on the 2000 machine and get new certs from
    the 2008 machine.
     
    Zachary, Mar 24, 2010
    #3
  4. I can recommend a book
    Windows Server 2008 PKI and Certificate Security by Brian Komar, MSPress.
    Chapter 7: Upgrading your existing Microsoft PKI.

    But the whole book is a great reference for PKI planning, deployment and
    operation.

    Good luck
    DuskoS
     
    Dusko Savatovic, Mar 24, 2010
    #4
  5. Excerpt from the book about enterprise root CA's:

    <quote>
    If you choose single-tier CA hierarchy deployment model (meaning one CA),
    ensure that you deploy single enterprise root. Do not start deploying
    enterprise root CA's for each application that requires certificates.
    Deploying CA's in this manner typically leads to failed PKI deployments.
    </quote>

    There is also an older KB article
    http://support.microsoft.com/kb/298138
    "How to move a certification authority to another server",
    but this info is for Win 2000 and 2003
     
    Dusko Savatovic, Mar 24, 2010
    #5
  6. Dusko Savatovic, Mar 24, 2010
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.