Move Enterprise Root CA to new hardware
From: Opti_mystic_69 (anonymous_at_discussions.microsoft.com)
Date: 03/11/04
- Next message: Rob: "Certificate Server Hierchy Question"
- Previous message: jonathan: "Re: Restricting file saving."
- In reply to: Michael Baird: "Move Enterprise Root CA to new hardware"
- Next in thread: Michael Baird: "Re: Move Enterprise Root CA to new hardware"
- Reply: Michael Baird: "Re: Move Enterprise Root CA to new hardware"
Date: Thu, 11 Mar 2004 13:13:32 -0800
Michael,

No, you are not missing anything. You are exactly right with your modified procedure for moving the CA. I have used this very same procedure (with very slight variation) many times. It does work and you are right, there is no way to test. However, you can back up the CA and restore it onto a machine in the lab, and test the migration and the functionality like that. The "Trusted Root" chain relies upon (among other things) the name of the server that is or should be authoritative. If you can, have the new server come up with the IP address of the old server as well.

Good luck. Just be grateful that this isn't the Root CA of a dozen or so subordinate CAs or you might have a bigger problem.

Opti_mystic_69
>-----Original Message-----
>I have to replace my Root CA machine since the hardware is at end of lease.
>I found KB article 298138 at:
>http://support.microsoft.com/default.aspx?scid=kb;en-us;298138
>
>However, something in this article doesn't quite fit. In brief the article outlines the following procedure:
>1) Back up the CA (and reg key)
>2) Install certificate services on the new hardware doing Advanced install which will allow for restoring the backup to the new machine
>3) Restore the reg key
>4) Verify the new hardware works
>5) Delete CA Keys from the old machine (using certutil)
>6) Remove Cert Services from the old machine
>
>The note at the end of the article says the new machine and old machine need to have the same name, but how can they? You can't have 2 computer objects in AD with the same name and you can't rename a computer with certificate services installed on it.
>
>Once I load certificate services on the new box I can't rename it. I can't give it the same name as the old box unless I remove certificate services from the old box first so that I can rename it in (or remove it from) the domain.
>
>I think the only way I can do this would be like this instead:
>1) Back up the CA (and reg key)
>2) Delete CA Keys from the old machine (using certutil)
>3) Remove Cert Services from the old machine
>4) Remove the old server from AD (or rename it)
>5) Join the new server to AD with the same name as the old server
>6) Install certificate services on the new hardware doing Advanced install which will allow for restoring the backup to the new machine
>7) Restore the reg key
>8) Verify the new hardware works
>
>The only problem with this is that it precludes testing and there would be no way to bring the old server back in the event of problems....
>
>Should this article be retitled 'Catch-22'?
>Am I missing something?
>Comments or suggestions anyone?
>
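The backup and verification steps of the procedure discussed in this thread, as an added example (not code from the thread, from Microsoft, or from KB 298138): it backs up the CA database, private key and CertSvc registry key on the old server, records the config string, CDP/AIA publication URLs, host name and IP that the chain and revocation checking depend on, and after the restore on the new server fails loudly if any of them differ. It assumes certutil.exe and reg.exe are on the PATH, the caller is a local administrator on the CA host, and the file name ca-state.xml is my own convention.

```powershell
# Added example, not code from the thread or KB 298138. Assumes certutil.exe and
# reg.exe are on PATH and the caller is a local administrator on the CA host.
# Old server: Backup-CAState; copy the folder over; new server (same name, after
# the Advanced-install restore of the backup and reg key): Test-RestoredCA.

function Invoke-CertUtil([string[]]$CmdArgs) {
    $out = & certutil.exe @CmdArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil $($CmdArgs -join ' ') failed:`n$($out -join "`n")" }
    return $out
}

function Get-CAState {
    # What the "Trusted Root" chain and CRL/AIA lookups tie to the server name
    $ips = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } | ForEach-Object { $_.IPAddressToString }
    return @{
        ConfigString = (Invoke-CertUtil @('-getconfig') | Select-String 'Config String').Line.Trim()
        CrlUrls      = (Invoke-CertUtil @('-getreg', 'CA\CRLPublicationURLs')) -join "`n"
        AiaUrls      = (Invoke-CertUtil @('-getreg', 'CA\CACertPublicationURLs')) -join "`n"
        HostName     = $env:COMPUTERNAME
        IPv4         = ($ips | Sort-Object) -join ','
    }
}

function Backup-CAState([string]$BackupDir, [string]$Password) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # Step 1: CA database plus the CA private key (exported as a PFX protected by $Password)
    Invoke-CertUtil @('-p', $Password, '-backup', $BackupDir) | Out-Null
    # ...and the CertSvc configuration key that the "restore the reg key" step puts back
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' (Join-Path $BackupDir 'certsvc-config.reg')
    if ($LASTEXITCODE -ne 0) { throw 'reg export of CertSvc\Configuration failed' }
    $state = Get-CAState
    $state | Export-Clixml (Join-Path $BackupDir 'ca-state.xml')   # ca-state.xml: my own convention
    return $state
}

function Test-RestoredCA([string]$BackupDir) {
    $expected = Import-Clixml (Join-Path $BackupDir 'ca-state.xml')
    Invoke-CertUtil @('-ping') | Out-Null          # "verify the new hardware works": request interface answers
    $actual = Get-CAState
    $bad = foreach ($k in 'ConfigString', 'HostName', 'CrlUrls', 'AiaUrls') {
        if ($actual[$k] -ne $expected[$k]) { "$k`n  expected: $($expected[$k])`n  actual:   $($actual[$k])" }
    }
    if ($bad) { throw "Restored CA does not match the backed-up CA:`n$($bad -join "`n")" }
    if ($actual.IPv4 -ne $expected.IPv4) {   # the reply's "if you can" item: warn, don't fail
        Write-Warning "IP changed: $($expected.IPv4) -> $($actual.IPv4); check that CDP/AIA hosts still resolve"
    }
    Invoke-CertUtil @('-CRL') | Out-Null          # publish a CRL signed by the restored key
    return $true
}
```

Running Backup-CAState and Test-RestoredCA against a lab restore first, as the reply suggests, is the only way to exercise the name and URL comparison before the old server is decommissioned.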