How to gracefully replace an Enterprise Root CA?

Discussion in 'Windows Server' started by jasonboche, Mar 13, 2007.

  1. jasonboche

    jasonboche Guest

    I need a sanity check here.

    Environment:
    3 Win2k3 AD domain controllers, upon which there is:
    1 Enterprise root CA
    1 Subordinate CA
    Various certificates have been issued through the domain

    Problem:
    The AD domain controller which hosts the Enterprise root CA is severely ill
    and needs to be rebuilt.

    The Subordinate CA will continue to function handling certificates while the
    Enterprise root CA is down, however, what exactly is the procedure for
    rebuilding an Enterprise root CA when a Subordinate CA for the CA chain
    already exists?

    Obviously I do not want to lose all issued certificates, nor do I wish to
    rebuild the CA completely and go the process of re-issuing and re-installing
    new certificates.

    What's the best route here as I have never had to do this before and I
    haven't found it discussed in any of my text books or KB searches? I have
    some options as the root CA domain controller is still up and functional and
    I can back up the SystemState as needed but since the DC is being rebuilt
    from scratch, I don't believe I'm going to be able to restore the SystemState
    of an old server to a new server, particularly just the CA portion of
    SystemState. I know the root CA can remain offline in fact it's a best
    practice from the MS camp, however, I don't think that implies that a root CA
    can be taken offline for eternity with no ill effects. I'm afraid not
    rebuilding a root CA might bite me later down the road. For instance, I'm
    thinking that if I want to add an additional Subordinate CA, the root CA may
    need to be online for that to take place.

    Thank you in advance,
    Jas
     
    jasonboche, Mar 13, 2007
    #1
    1. Advertisements

  2. You can backup your old CA, then restore it on new server. But make
    sure, that DNS names of old CA computer and new computer are the same.
     
    Nick Domukhovsky, Mar 13, 2007
    #2
    1. Advertisements

  3. jasonboche

    jasonboche Guest

    --
    Jason Boche, MCSE NT4/2000/2003, MCSA 2000/2003, MCP, VCPx2, CCA, A+


    This went a lot easier than I thought. I guess it just takes a little
    experience with this procedure to be comfortable with it. I tested it out in
    my virtual lab and the backup/restore process using the CA GUI (and command
    line) went flawlessly. Don't bother trying to back up and restore
    System?State to restore only the CA.

    The procedure I followed:
    1. Back up the CA using the GUI tool (don't forget the password!)
    2. Back up the CA using the CLI (just in case)
    3. ntbackup System?State (just in case)
    4. Uninstall enterprise root CA from the domain controller
    5. dcpromo to demote from domain controller status
    6. Rebuild the domain controller from scratch (using the exact same
    computer/DNS name)
    7. dcpromo to promote to domain controller status
    8. Install enterprise root CA, during install, point it to the backup
    folder made in step 1 (use correct password!)
    9. Restore the CA from backup using the CA GUI tool.

    Jas
     
    jasonboche, Mar 28, 2007
    #3
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.