MarkJones (Participant), January 17, 2018 at 7:14 am, #167385
I’m hoping someone can assist with this. I have been upgrading to Server 2016 and Exchange 2016 from SBS2011. My progress so far: I have added an additional DC running Server 2016. This DC also has an SQL instance running on it, and I enabled “Windows Essentials Experience”. I have installed another Server 2016 server running Exchange 2016; all email services, mailboxes etc. are running from Exchange 2016 (Outlook Anywhere using a GoDaddy cert).
I want to decommission the SBS2011 domain controller, but as with any SBS box it blocks the DCPROMO until the Certificate Authority Services role is uninstalled… This is my problem!!!!
When enabling Windows Essentials Experience on the new 2016 DC, it automatically enabled/installed the new 2016 DC as a Certificate Authority, so now I have 2 CAs in my domain… argh. The original SBS2011 box has a few certs issued, e.g. Domain Controller/Client Authentication and a couple of EFS ones (I don’t believe the users would have used EFS on their documents). On the new 2016 DC the Certificate Authority has issued 2 certificates: one is CA Exchange (CAExchange), which expired on 19/10/2017, and the other is “Windows Server Solution Computer Certificate Template”, which has an expiry date of 10/10/2022.
Normally I would back up the existing setup and move it over to the new DC using this guide: http://www.itprotoday.com/management…-ca-another-dc
But my situation is now rather different, as the new 2016 server already has CA running. I’m very concerned I may break something if I back up and restore over the top of this new 2016 CA, seeing as it’s already issued a cert for “Windows Server Solution Computer Certificate Template”.
Not sure of the best option to take…
Decommission old CA and start using new CA only?
Merge the two leaving the new 2016 CA in place?
Revoke the issued cert on the 2016 CA and then run the migration process as shown in the link above?
Or something else if you guys have a better/correct solution.
Please can someone advise. Please Please Please
pjhutch (Member), June 1, 2018 at 7:08 am, #312784
You should not have two Enterprise CAs. The solution is to decommission the old CA, use only the new CA, and re-enrol any certificates that had used the old CA. You can use GPOs to ensure all required servers are enrolling from the new CA, and you can also push out the new CA root certificate to computers and servers.
Existing certificates will continue to work, but CRL (certificate revocation list) checks against the old CA will fail and no new certificates can be issued from it. Replacing the old certificates shouldn’t take long. Templates can be exported and imported to the new CA.
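An added example, not from either post: a PowerShell inventory, run on each domain server, of certificates whose issuer is the old SBS CA, showing the template each came from and its CRL distribution point, so you can see what must be re-enrolled from the new CA before the old one is decommissioned. `$OldCaName` is a placeholder for the old CA's common name.

```powershell
# Added example (not from the thread). Lists local machine certificates issued by
# the old CA so they can be re-enrolled from the new CA before the old CA is removed.
param(
    [string]$OldCaName = 'OLDSBS-CA'   # placeholder: use the old CA's CN from the CA MMC / certutil -dump
)

$templateOids = @('1.3.6.1.4.1.311.21.7',   # Certificate Template Information (v2+ templates)
                  '1.3.6.1.4.1.311.20.2')   # Certificate Template Name (v1 templates)
$crlDpOid     = '2.5.29.31'                 # CRL Distribution Points

# Stores that normally hold machine certs, intermediate CA certs and trusted roots.
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root'

$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Issuer -like "*CN=$OldCaName*" } |
        ForEach-Object {
            $template = ($_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } |
                         ForEach-Object { $_.Format($false) }) -join '; '
            $crlDp    = ($_.Extensions | Where-Object { $_.Oid.Value -eq $crlDpOid } |
                         ForEach-Object { $_.Format($false) }) -join '; '
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                Template   = if ($template) { $template } else { '(none: root or manual request)' }
                NotAfter   = $_.NotAfter
                Expired    = $_.NotAfter -lt (Get-Date)
                CrlDP      = $crlDp
            }
        }
}

$report | Sort-Object Store, NotAfter | Format-Table -AutoSize

# Entries under LocalMachine\My with a template name need re-enrolling from the new CA
# (auto-enrolment via GPO once the template is published there). Their CRL DP URL will
# stop resolving once the old server is gone. The LocalMachine\Root entry is the old CA's
# own root certificate, which can be left for chain validation until nothing references it.
# On the old CA itself, everything it ever issued can be listed with:
#   certutil -view -restrict "Disposition=20" -out "RequestID,RequesterName,CertificateTemplate,NotAfter"
```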