Moving Certificate Servers

  • Moving Certificate Servers

    I have a network running Windows 2003 and Exchange 2003, all with the latest service packs. I have recently added a second domain controller to the network.

    The original domain controller has been set up as a certificate authority using an internally generated certificate by my predecessor. I need to move the certificate authority to my new domain controller, but I'm unsure how best to do this and have a number of questions.

    1. When installing the certificate services on the new domain controller, which type of CA should I choose? (Enterprise, subordinate, stand-alone?)
    2. Once installed, can I simply back up the existing certificate and restore it to the new server?
    3. What is the recommended way of removing the original server's certificate services to ensure I don't run into any problems?
    4. When I rebuild the original server and do this process in reverse, do I need to keep the same server name that it currently has, or will this cause any problems?
    5. Will there be any impact on OWA, which is where the certificates are employed?

    Apologies for the large number of questions, but I have little experience in certificates.

    Kind regards,

    Eddie

  • #2
    Re: Moving Certificate Servers

    Never actually done this before but take a look at this:

    http://support.microsoft.com/kb/555012

    Have a read and if you have any more questions post back and I'm sure someone will know the answer.

    Hope this helps

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Moving Certificate Servers

      Thanks for getting back to me. I saw the article you mentioned earlier and had a read through it. I've read through it again trying to understand it fully.

      Currently, our network is running in Windows 2000 mixed mode. I can change this to Windows 2003 native fine as I've done this before. I also understand how to backup my existing CA and the appropriate registry key and remove an old DC after I have transferred the FSMO roles to my new DC.

      I start getting confused with adding an alternate name to the new server and what a primary server is - unless it means the PDC FSMO role.

      My other concern is that I don't have a test environment in which to check this will work. Is anyone aware of another way of doing this, or has anyone had success using this article?

      I am still unsure which type of CA to install as well seeing as it isn't mentioned in the article.

      Kind regards,

      Eddie



      • #4
        Re: Moving Certificate Servers

        Had a change of plan and decided to disable the existing certificate authority and create a new one on the new server. Seemed like the simplest change to make and seems to be working fine now.



        • #5
          Re: Moving Certificate Servers

          Nice one mate,

          glad it's sorted and cheers for posting back

          Thanks

          Michael
          Michael Armstrong
          www.m80arm.co.uk
          MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

          ** Remember to give credit where credit is due and leave reputation points where appropriate **


          • #6
            Re: Moving Certificate Servers

            Does anyone know if you decide to take the new server route and not transfer the CA, can you at least backup the certificate store/certs? If this is the more simple method, then why would anyone take the Microsoft method?

            thanks



            • #7
              Re: Moving Certificate Servers

              Originally posted by chm0dvii:
              Does anyone know if you decide to take the new server route and not transfer the CA, can you at least backup the certificate store/certs? If this is the more simple method, then why would anyone take the Microsoft method?

              thanks
              As long as all you have is a single certificate, probably issued for OWA, you can go the route of creating a new CA.
              The problem starts when you have a CA fully deployed and certificates issued that are used for authentication/encryption/etc. If you remove the old CA, the certificate chain is broken and the client certificates cannot be verified against the CA.
              Guy Teverovsky
              "Smith & Wesson - the original point and click interface"
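To make Guy's point concrete, here is an added example (not from this thread, and not Microsoft's code) using Go's standard x509 library: a server certificate signed by the original CA is verified against that CA, and then against a freshly created CA that merely reuses the same name. The CA and host names are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert builds a constructed test certificate: self-signed when parent is nil, else signed by parent/parentKey.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf: a server certificate such as the one OWA presents
		tmpl.ExtKeyUsage, tmpl.DNSNames = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{cn}
	}
	signer, signerKey := parent, parentKey
	if parent == nil { signer, signerKey = tmpl, key } // no parent: self-signed root CA
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// chainsTo reports whether leaf validates against a trust store holding only root.
func chainsTo(leaf, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}
// DemoChainBreak: the OWA cert issued by oldCA validates against oldCA, but not against a replacement CA, even one with the same name.
func DemoChainBreak() (trustedByOld, trustedByNew bool) {
	oldCA, oldKey := newCert("CONTOSO-DC1-CA", true, nil, nil) // placeholder CA name
	owa, _ := newCert("owa.contoso.example", false, oldCA, oldKey)
	newCA, _ := newCert("CONTOSO-DC1-CA", true, nil, nil) // same name, new key
	return chainsTo(owa, oldCA), chainsTo(owa, newCA)
}
```

The same holds for certificates issued to users or machines for authentication: whatever the old CA issued stays valid only as long as clients can still build a chain to that CA's certificate, so inventory what it issued before decommissioning it.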
