
Certificate Authority migration?

Status
Not open for further replies.

mlc9

MIS
Aug 15, 2007
I have a one domain organization that has a 32-bit Win 2003 Server domain controller as a Root Cert Authority. As we migrate to a Win 2008 domain, I am needing to move to a new 64-bit Win 2008 Enterprise domain controller as the new Root Cert Authority.

I have read straight from Microsoft that doing a database migration from one server to the other will not work because of the 32-bit to 64-bit architecture. Is that entirely true?

If I can't migrate, can anyone please tell me if I can just make this new Win 2008 server an additional Root CA, and then just take my time as I re-point users to that, while others are still on the 2003 Root CA temporarily?

 
If I can't migrate, can anyone please tell me if I can just make this new Win 2008 server an additional Root CA, and then just take my time as I re-point users to that, while others are still on the 2003 Root CA temporarily?

You can do this, but then you will have two trusted roots for the period of time that there is coexistence, and all of the headache that goes with it. Depending on the time left on the certificates currently in the wild, you might be able to build the new CA, prevent the old CA from issuing and renewing certs, then let the new CA issue any new certs. Then, as certs expire, the clients will get them from the new CA. If the certs have a long lifetime left (1 year or more), then you may want to go through and manually replace them so that you don't drag things out.

Remember, it's not best practice to have multiple root CAs in your environment, but it certainly can be done.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCSE:Security 2003
MCITP:Server Administrator
MCITP:Enterprise Administrator
MCITP:Virtualization Administrator 2008 R2
Certified Quest vWorkspace Administrator
 
I like the idea from kmcferrin, and this is one I had earlier considered.

Let me ask one thing about this plan, though. Let's say I do build the new CA, and even go as far as removing CA services from the old (current) 2003 server. New users/clients will obviously obtain certs from the new server, but will those existing certs with time left on them be OK with their authenticating server basically no longer serving that role (but still up, running, and on the domain)?
 
Don't remove the CA services until there are no longer any certs in the wild issued by that server. If a client is unable to follow the certificate chain to the root, check for revocations, etc., then you will probably have issues.

In order to prevent the old CA from issuing new certificates you simply have to delete the certificate templates that are configured on the old CA. Just be sure that your new CA is up and running and ready to process requests before you delete the old templates, and ensure that anything that you have set up to handle enrollment uses the new server.

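The two pieces of the plan above (find out how long the old 2003 root's certs will still be "in the wild", and stop it issuing by removing its templates while leaving the CA service itself running for CRL publication) can be done with certutil.exe, which ships with the CA role. The script below is an added example, not something posted in this thread or shipped by Microsoft. It assumes PowerShell 2.0 and certutil.exe on the machine it runs from, a CA administrator account, and a hypothetical CA config string `OLDDC01.corp.example.com\Corp-Root-CA` (the real value is what `certutil -dump` prints as "Config" on the old CA). The `-StopIssuing` switch is also this example's own; by default it only reports.

```powershell
# Added example (not from the thread): inventory unexpired certs issued by the
# old root CA and, on request, remove its templates so it stops issuing.
# Assumes PowerShell 2.0 + certutil.exe; the CA name below is hypothetical.
param(
    # "<hostname>\<CA common name>" as shown by: certutil -dump  (on the old CA)
    [string]$OldCA = 'OLDDC01.corp.example.com\Corp-Root-CA',
    # Report only unless given. Only use it once the new CA is enrolling.
    [switch]$StopIssuing
)

function Invoke-Certutil([string[]]$CertutilArgs) {
    $out = & certutil.exe @CertutilArgs
    if ($LASTEXITCODE -ne 0) { throw "certutil $($CertutilArgs -join ' ') failed:`n$($out -join "`n")" }
    # csv mode still appends "CertUtil: ... completed successfully."; drop it.
    $out | Where-Object { $_ -and $_ -notmatch '^CertUtil:' }
}

# 1. Every issued certificate (Disposition 20 = issued, not revoked) still in the
#    CA database. -out selects columns by schema name; csv prefixes a header row
#    that uses display names, so skip it and supply our own header.
$csv  = Invoke-Certutil @('-config', $OldCA, '-view', '-restrict', 'Disposition=20',
                          '-out', 'RequestID,RequesterName,CertificateTemplate,NotAfter', 'csv')
$rows = $csv | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestID, Requester, Template, NotAfter

$now  = Get-Date
$live = foreach ($r in $rows) {
    $exp = [datetime]::Parse($r.NotAfter)              # certutil prints a localized date
    if ($exp -gt $now) {
        New-Object PSObject -Property @{
            RequestID = $r.RequestID; Requester = $r.Requester; Template = $r.Template
            NotAfter  = $exp;         DaysLeft  = [int]($exp - $now).TotalDays
        }
    }
}

"Unexpired certificates issued by ${OldCA}: $(@($live).Count)"
$live | Group-Object Template | Sort-Object Count -Descending | ForEach-Object {
    $last = ($_.Group | Sort-Object NotAfter -Descending)[0].NotAfter
    "{0,-30} {1,5}  last expiry {2:yyyy-MM-dd}" -f $_.Name, $_.Count, $last
}
# The "last expiry" above is the earliest date the old CA can be decommissioned.
# Anything with a year or more left is the long-lived set worth re-enrolling
# against the new CA by hand instead of waiting it out.
"Certificates with >= 365 days remaining (candidates for manual replacement):"
$live | Where-Object { $_.DaysLeft -ge 365 } | Sort-Object DaysLeft -Descending |
    Format-Table RequestID, Requester, Template, NotAfter, DaysLeft -AutoSize

# 2. Templates the old CA will still issue from. -CATemplates prints one per
#    line as "Name: Display name -- ...", so the template name precedes the colon.
$templates = Invoke-Certutil @('-config', $OldCA, '-CATemplates') |
             ForEach-Object { if ($_ -match '^(\S+):\s') { $Matches[1] } }

if ($StopIssuing) {
    foreach ($t in $templates) {
        # "-Name" removes the template from the CA's list; "+Name" would re-add it.
        # The CA service stays running so CRLs keep being published.
        Invoke-Certutil @('-config', $OldCA, '-SetCATemplates', "-$t") | Out-Null
        "Removed template $t from $OldCA"
    }
} else {
    "Templates still enabled on ${OldCA}: $($templates -join ', ')"
    "Re-run with -StopIssuing after the new CA is enrolling, to remove them."
}
```

Run it first without `-StopIssuing` to see the expiry horizon and the long-lived certificates; the template removal is the certutil equivalent of deleting the templates under the CA's "Certificate Templates" node in the Certification Authority console, so existing issued certificates are untouched and only new requests are refused.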
 
Ok then, one final question (and thanks kmcferrin so far).

When setting up my new CA on Win 2008, I will want to make that a Root Authority server. Since the current Win 2003 CA is serving as a Root Authority CA server, is that going to be a problem to temporarily have two Root CA servers in the same domain?
 
It shouldn't be. Your PCs already trust multiple root CAs (Verisign, Thawte, etc). You'll just have two separate chains of trust.

Here's a KB on cleaning up the old CA when you're ready to decommission it:


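During coexistence the thing to confirm from the client side is exactly what the replies above describe: both roots are trusted, and a certificate issued by either CA still chains to its root and passes revocation checking (which is what breaks once the old CA's CRL distribution point disappears). The script below is an added example, not from this thread or from Microsoft; it assumes PowerShell 2.0 (for the `Cert:` drive) and certutil.exe on a domain-joined client, and uses hypothetical root CA common names `Corp-Root-CA` and `Corp-Root-CA-2008`.

```powershell
# Added example (not from the thread): on a client, check that both enterprise
# roots are trusted and that a cert issued by each one chains and passes
# revocation checking. Assumes PowerShell 2.0 + certutil.exe; CA names are hypothetical.
$Roots = 'Corp-Root-CA', 'Corp-Root-CA-2008'      # hypothetical CN of old and new root

# 1. Enterprise roots published to AD land in the machine Trusted Root store;
#    both must be there while certs from either CA are still in use.
$trusted = Get-ChildItem Cert:\LocalMachine\Root
foreach ($cn in $Roots) {
    $pat = 'CN=' + [regex]::Escape($cn) + '(,|$)'
    $hit = @($trusted | Where-Object { $_.Subject -match $pat })
    if ($hit.Count -gt 0) { "OK   root trusted: $cn (thumbprint $($hit[0].Thumbprint))" }
    else                  { "FAIL root missing: $cn" }
}

# 2. Export a leaf certificate and let certutil build the chain and fetch the
#    CRL/AIA URLs embedded in it. Non-zero exit = chain did not verify.
function Test-ChainAndRevocation([Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $tmp = [IO.Path]::GetTempFileName()
    [IO.File]::WriteAllBytes($tmp, $Cert.Export('Cert'))   # DER, leaf only
    $out = & certutil.exe -verify -urlfetch $tmp
    Remove-Item $tmp
    New-Object PSObject -Property @{
        Subject      = $Cert.Subject
        Issuer       = $Cert.Issuer
        ChainOK      = ($LASTEXITCODE -eq 0)
        # certutil reports "Leaf certificate revocation check passed" when the
        # CRL was fetched and the cert is not on it.
        RevocationOK = [bool]($out -match 'revocation check passed')
        Detail       = ($out | Where-Object { $_ -match 'ERROR|Revocation|CRL' }) -join "`n"
    }
}

# Both CAs are single-tier roots here, so a leaf's Issuer is the root CN itself.
$mine = Get-ChildItem Cert:\LocalMachine\My
foreach ($cn in $Roots) {
    $pat  = 'CN=' + [regex]::Escape($cn) + '(,|$)'
    $leaf = @($mine | Where-Object { $_.Issuer -match $pat })
    if ($leaf.Count -eq 0) { "no certificate issued by $cn in LocalMachine\My"; continue }
    Test-ChainAndRevocation $leaf[0] | Format-List Subject, Issuer, ChainOK, RevocationOK, Detail
}
```

A `ChainOK` of `True` with `RevocationOK` of `False` is the failure mode kmcferrin warns about: the chain to the old root still builds, but the client cannot reach the old CA's CRL, so applications that enforce revocation checking (smart card logon, EFS, some TLS servers) start rejecting otherwise-valid certificates. That is the condition to watch for before the old CA is taken offline.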
 