I am mostly complete with the domain upgrade and the subsequent certificate authority move. I’ve run into what “should” be the final problem before I can say everything is now successful.

I have moved the Certificate Authority from one Windows 2000 Server to another Windows 2000 Server. Everything appears happy on the new server running as a new certificate authority; however, domain clients are unable to request a certificate at this point. For instance, when attempting to request a user certificate from a Windows 2000 member server, I get the pretty standard error message stating, “Windows cannot find a certification authority that will process the request”.

I have followed the instructions from KB298138 in the Windows 2000 section and while the certificate authority itself seems happy, all the clients don’t seem to know where it is located. The new certificate authority has the exact same name as the old certificate authority, and I backed up the old CA certs and keys along with a registry key and restored these on the new CA as directed in the KB article.

Any advice on where to look to resolve this? I did find KB271861 which talked about the same error I was getting, and I did not have the Enroll right given to Domain Users; however, even after giving Domain Users that right it still has not changed anything.
Thanks,
~Ben
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Brunson
Sent: Tuesday, July 11, 2006 6:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority
Have you thought about putting a new server (or an older one with good hardware) in the mix as 2000, moving the CA to it, and then upgrading it to 2k3? That way you don’t have to worry about the hardware not supporting 2003 or something terrible like that. Then if you want you could move it from that 2003 server to another 2003 server, or you could just leave it where it is.

Kevin Brunson
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Tuesday, July 11, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority
And will it ever be a slooooooow 2k3 machine indeed. After continuing to do some reading and researching, it does appear that my only option is to…

1) Upgrade the old DC to 2k3
2) Backup the CA and the registry key as stated in the KB298138 article.
3) Remove the CA services, demote server and rename it.
4) Promote a 2k3 server with the same name as the old DC and install the CA services.
5) Restore the CA data and registry key
6) Cross my fingers and hope that I have a CA once again

I’ll give this a shot tomorrow. I just wonder what would be my backup plan should the CA restoration fail on the new server? The old server will have been demoted and removed from Active Directory along with the CA services removed, not to mention a new server now has its name.

Thanks for your .02 Steve, it seems to be spot on.

~Ben
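The backup, restore and verification steps behind that list, written out as an added PowerShell example; this is not code from the thread or from the KB article. It assumes a CA named "CorpCA", a backup folder D:\CABackup that is carried to the replacement host, a placeholder key-export passphrase, and that the registry key being exported is HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, the key KB298138 has you back up. It assumes both hosts are running Windows Server 2003 (the old one after its in-place upgrade), since certutil on 2003 can back up and restore the CA from the command line. Installing the CA role on the new host with the same CA name and the existing key from the exported .p12 is done in the wizard, as the KB article describes, and is not shown here. The checks at the end go a little beyond the list: they cover the symptom in the later message (clients unable to find a CA that will process the request) by confirming the CA is reachable and still registered in AD under the expected name.

```powershell
# Added example (not from the thread or KB298138): back up a 2003 CA before the
# old host is demoted, restore it on a replacement host with the SAME name, then
# run the checks a client-side "cannot find a certification authority" error
# would send you to. Assumed names: CA "CorpCA", folder D:\CABackup, and a
# placeholder passphrase protecting the exported private key.
# Run in an elevated prompt; certutil, reg and net are built into Server 2003.

$BackupDir  = 'D:\CABackup'
$RegKey     = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CAName     = 'CorpCA'                     # must match the old CA name exactly
$Passphrase = 'Use-A-Strong-Passphrase'    # placeholder; protects the .p12 key

# --- On the OLD host, after its in-place upgrade to 2003 ---
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# CA certificate + private key (PKCS#12) and the certificate database/log files.
certutil -backup -p $Passphrase $BackupDir

# The CA configuration the KB article has you export: CSP and key-container
# name, the CA's DN, and the CRL/AIA publishing paths.
reg export $RegKey "$BackupDir\CertSvc-Configuration.reg"

# Record the old CA's name and DN so they can be compared after the restore.
certutil -cainfo name > "$BackupDir\old-cainfo.txt"
certutil -cainfo dn  >> "$BackupDir\old-cainfo.txt"

# Only now stop the service; remove the CA role, demote and rename afterwards.
net stop certsvc

# --- On the NEW 2003 host, same hostname, CA role already installed with the
#     same CA name and the existing key from the .p12 selected in the wizard ---
net stop certsvc
certutil -restore -p $Passphrase $BackupDir
reg import "$BackupDir\CertSvc-Configuration.reg"
net start certsvc

# --- Checks from a domain member before declaring the move successful ---
# 1. Does the CA answer RPC/DCOM requests under the config string clients use?
certutil -config "$env:COMPUTERNAME\$CAName" -ping

# 2. Is the CA still registered in the Enrollment Services container of the
#    Configuration NC, and does its dNSHostName point at the new host?
$cfgDn = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$es    = [ADSI]"LDAP://CN=$CAName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgDn"
'dNSHostName registered for the CA: ' + $es.dNSHostName

# 3. Is the restored CA certificate in the enterprise NTAuth store, which
#    domain members consult when deciding whether to trust an enterprise CA?
certutil -store -enterprise NTAuth | Select-String -Pattern $CAName
```

If check 2 returns nothing or names a different host, the CA object in AD was not recreated when the role was reinstalled, and clients will keep reporting that no CA will process the request even though the CA service itself is healthy; the hostname recorded there has to match the name the new server was promoted with.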
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority
You cannot move from 2000 to 2003 as the database has changed. You could upgrade to 2k3 (this would be temporary) and then move to another 2k3 server. I know that you said that the HW was old, but perhaps a temporary sloooooooooow 2k3 machine?

You should keep the hostname the same. If you took the defaults for install (90% of CAs out there) then you have paths in all of your issued certs which hardcode to this server, not to mention the name is also in AD as well as the CA web pages. Unless you have a very good reason, it’d be best to keep it the same. I think that the article doesn’t mention moving to a new name because it would vary from customer to customer and cause more trouble than it’s worth.
----- Original Message -----
Sent: Tuesday, July 11, 2006 3:08 PM
Subject: [ActiveDir] Moving a Certificate Authority
As part of my on-going journey into upgrading a 2000 domain to 2003, I’ve run into the issue of moving the Certificate Authority on one of the original domain controllers to a new Windows 2003 domain controller.

I have found a couple of KB articles that seem to put me down a good path, but then don’t pan out. Here is the situation…

I am at the point in the domain upgrade process where I need to eliminate the Windows 2000 Servers from the domain so I can raise the functional level to 2003 native. However, the CA is currently on such old hardware that an OS upgrade to Windows 2003 from Windows 2000 is simply not possible, so it will need to be demoted. It was originally a Windows NT 4.0 domain controller back in the day. So I am in a situation where I need to take a Certificate Authority from a Windows 2000 Server and transfer that over to a Windows 2003 Server.

As stated before, one KB article seemed to be the most promising: KB298138. However, the instructions seem to be focused on moving a CA from a 2000 server to a 2000 server, or a 2003 server to a 2003 server.

Is anyone familiar with the process of moving a CA from a 2000 DC to a 2003 DC? Also, is there a possibility of moving the CA to a server with a different hostname than the original CA?
Thanks,
~Ben