Moving Enterprise CA

Status
Not open for further replies.

buddafish

Programmer
Apr 26, 2002
All -
I need to move my original Enterprise CA to some new hardware. I have the MS-KB steps to follow but am unsure if the Enterprise Root CA needs to be on a Domain Controller. This is the case at the moment, and since the server is offline for a year at a time, it is ALWAYS out of date with Active Directory. Do I need to make the replacement box a DC? Or will a member server work as well? I have only 1 subordinate CA in the domain at the moment. Also, I will be moving on to W2k3 Active Directory in the next 3 months. Is it possible to move the Ent Root CA to a W2k3 member server and still have harmony with the W2k subordinate CA (which resides on a W2k DC)?

Thanks in advance - scottie
 
I can answer the 2nd part of your question. The answer is yes, you can upgrade a CA from 2000 to 2003.
You'd have to upgrade your current 2000 CA to 2003 before doing the move, or you can do the move onto existing hardware running 2000 and then upgrade that to 2003.

Regarding your 1st question, this is very tricky as your CA is a DC. This being an offline root CA is really bad (it should have been stand-alone, which does not depend on AD).

The problem here is that your new machine has to have the same name as the old one for the CA to work. With that said, and being an enterprise CA, you'd have to join your new machine to the domain before being able to restore the CA onto it. So that step itself would decommission your original CA-DC.

Whether it has to be a DC or not, I don't know. If you have the resources, then recreate this in your test environment on VMs and see if it works.

Another thing that you have to keep in mind is that 2000 DCs did not care if they were unplugged for more than tombstone lifetime (which is 60 days by default).
2003 DCs will refuse to replicate with each other if they notice that replication did not happen between them for more than that time.

Hope this helps.

Lukasz
Microsoft SME:DFS/FRS/DFSN/DFSR
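The tombstone-lifetime point above is the one that bites when an offline root CA also happens to be a DC. The following PowerShell is an added example, not code from this thread or from Microsoft: it reads the forest's tombstoneLifetime from the configuration partition and compares it with the last successful inbound replication of a given DC (as reported by repadmin), so you can tell before plugging the box back in whether it is already past the limit. It assumes a domain-joined Windows host with repadmin.exe available; the DC name CA-DC01 is a hypothetical placeholder.

```powershell
# Added example (not from the thread). Checks whether an offline DC has exceeded
# the forest tombstone lifetime before it is reconnected to the network.
# Assumptions: run from a domain-joined host with RSAT/repadmin.exe on the path;
# $OfflineDc is a hypothetical DC name that must be replaced with the real host.
param([string]$OfflineDc = "CA-DC01")

# 1. Read tombstoneLifetime from CN=Directory Service in the configuration NC.
#    When the attribute is not set the forest uses the 60-day default that
#    Lukasz mentions (newer forests set it explicitly, often to 180 days).
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext
$dsObj    = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$tsl      = $dsObj.tombstoneLifetime
if (-not $tsl) { $tsl = 60 }
Write-Host "Tombstone lifetime for this forest: $tsl days"

# 2. Ask repadmin for the replication summary of the DC in question as CSV and
#    take the most recent successful inbound replication across all partitions.
$rows = repadmin /showrepl $OfflineDc /csv | ConvertFrom-Csv
$lastOk = $rows |
    Where-Object { $_.'Last Success Time' -and $_.'Last Success Time' -ne '0' } |
    ForEach-Object { [datetime]$_.'Last Success Time' } |
    Sort-Object -Descending |
    Select-Object -First 1

if (-not $lastOk) {
    Write-Warning "No successful replication recorded for $OfflineDc; treat it as stale."
    exit 2
}

# 3. Compare the gap against the tombstone lifetime. A DC past the limit must not
#    simply be reconnected: it should be cleaned out of AD (metadata cleanup) and
#    rebuilt, which is exactly why an offline root CA should not live on a DC.
$gapDays = [math]::Floor(((Get-Date) - $lastOk).TotalDays)
Write-Host "Last successful replication into ${OfflineDc}: $lastOk ($gapDays days ago)"

if ($gapDays -gt $tsl) {
    Write-Warning "$OfflineDc has been out of replication for $gapDays days, longer than the $tsl-day tombstone lifetime. Do not reconnect it; remove it from AD and rebuild."
    exit 1
} else {
    Write-Host "$OfflineDc is within the tombstone lifetime; safe to bring back online and let it replicate."
    exit 0
}
```

Run it as an account that can read the configuration partition and query the DC. The exit code (0 safe, 1 past the limit, 2 unknown) lets the check be dropped into a pre-flight script, and the same query is worth running against the new hardware once the CA has been restored, since the thread's migration steps require joining the replacement machine to the domain under the old name.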
 
Thanks for the reply Lukasz - your last point is one that I had not considered: 2k3 offline past tombstone life.

I may need to consider removing the subordinate, then the root, from the DC and starting over with a stand-alone server model before pushing up to 2003.

Does anybody have any advice on this idea? Currently our environment does not rely on certs (we no longer use the L2TP/IPSec tunnel, the reason I installed the cert server years ago) as far as I can tell.

Thanks again, and thanks in advance for any further information.

scottie
 