I've not looked at the log, but you can't just move a CA to another machine with the same name. You have to back up the old CA's keys and database and install Certificate Services on the new machine, performing an advanced setup and telling it that you have an existing key to use for the CA. After that, you import the database, etc.
 
Laura
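An added example, not from any poster in this thread, of the sequence Laura describes: back up the old CA's key and database, export the CertSvc registry configuration, restore both on the replacement server, and then check what Active Directory knows about the CA (the same `certutil -ds` dump Steve asked for, plus a lookup of the CA's objects under CN=Public Key Services). The backup folder, the PKCS#12 password, and the precondition that Certificate Services has already been installed on the new server with the backed-up key as the "existing key" are my assumptions. Written for PowerShell around certutil and reg, which are the tools the KB procedure uses; adjust for the OS you are actually on.

```powershell
# Added example (not from the thread): back up a CA's key, database and CertSvc
# registry configuration, restore them on a replacement server with the SAME
# hostname, and verify the CA's Active Directory objects afterwards.
# Assumptions (mine): backup folder D:\CABackup, PKCS#12 password in $KeyPassword,
# and Certificate Services already installed on the new server using the
# backed-up .p12 as the "existing key" during setup.
param(
    [Parameter(Mandatory)][ValidateSet('Backup', 'Restore', 'Verify')]
    [string]$Mode,
    [string]$BackupDir   = 'D:\CABackup',
    [string]$KeyPassword = 'ChangeMe-Before-Use'
)

$ErrorActionPreference = 'Stop'
$CertSvcRegKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Invoke-Native([string]$Exe, [string[]]$ArgList) {
    # Run certutil/reg/net and turn a non-zero exit code into a terminating error.
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($ArgList -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Backup-CA {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # -backup writes the CA certificate + private key (PKCS#12, protected by -p)
    # and the database with its log files into $BackupDir.
    Invoke-Native certutil @('-p', $KeyPassword, '-backup', $BackupDir)
    # The CA configuration (CA name, CRL/AIA paths, policy module settings) lives
    # in the registry and is not part of the certutil backup; export it separately.
    Invoke-Native reg @('export', $CertSvcRegKey,
                        (Join-Path $BackupDir 'CertSvc-Configuration.reg'), '/y')
    Get-ChildItem $BackupDir
}

function Restore-CA {
    # Stop the service so the database files can be replaced.
    Invoke-Native net @('stop', 'certsvc')
    # Put back the database; the key was installed during setup ("existing key").
    # -f overwrites the empty database that setup created.
    Invoke-Native certutil @('-f', '-restoreDB', $BackupDir)
    # Re-import the old configuration. Only safe because hostname and database
    # paths are unchanged; review the .reg file first if either differs.
    Invoke-Native reg @('import', (Join-Path $BackupDir 'CertSvc-Configuration.reg'))
    Invoke-Native net @('start', 'certsvc')
}

function Verify-CA {
    # The dump Steve asked for: every CA-related object AD knows about.
    & certutil -ds | Out-File (Join-Path $BackupDir 'cert-ds.txt') -Encoding ascii

    # Name of the active CA as stored in the registry ("Active" value).
    $caName   = (Get-ItemProperty "HKLM:\$($CertSvcRegKey.Substring(5))").Active
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $pks      = "CN=Public Key Services,CN=Services,$configNC"

    # A domain-integrated CA registers objects named after the (sanitized) CA name
    # in these containers; a missing entry is what to chase when the service says
    # it cannot find its Active Directory information. If the CA name contains
    # characters certutil sanitizes, compare against cert-ds.txt instead.
    $report = @{}
    foreach ($container in 'Enrollment Services', 'Certification Authorities', 'AIA') {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI]"LDAP://CN=$container,$pks"
        $searcher.Filter     = "(cn=$caName)"
        $report[$container]  = [bool]$searcher.FindOne()
    }

    # Is the service reachable under the configured CA name?
    & certutil -ping | Out-Null
    $report['certutil -ping'] = ($LASTEXITCODE -eq 0)
    $report
}

switch ($Mode) {
    'Backup'  { Backup-CA }
    'Restore' { Restore-CA }
    'Verify'  { Verify-CA }
}
```

Run `-Mode Backup` on the old server before it is demoted, copy the folder across, run `-Mode Restore` on the new server once Certificate Services is installed with the exported key, then `-Mode Verify` from a domain member; a `False` in the report for Enrollment Services or Certification Authorities is the first thing to compare against the `certutil -ds` output before touching enrollment permissions.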


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Friday, July 14, 2006 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

Here is the output file cert-ds.txt as requested.  To me, everything appears proper, but perhaps you might be able to glean more information from it than I can.
 
Thanks Steve.
 
~Ben


From: [EMAIL PROTECTED] on behalf of steve patrick
Sent: Thu 7/13/2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

Please run "certutil -ds > cert-ds.txt"
and send us (or me) the text file.
 
steve
----- Original Message -----
Sent: Thursday, July 13, 2006 1:42 PM
Subject: RE: [ActiveDir] Moving a Certificate Authority

I am at a complete loss here as to what to do to resolve this issue.
 
Domain has been upgraded from 2000 to 2003 and the stand-alone CA has been moved from a very old Windows 2000 server to a new Windows 2000 server with the same name.  It was at this point that clients became unable to request new certificates from the new CA.  I then upgraded the new Windows 2000 CA Server to Windows 2003 in the hopes that would help.  It did in fact eliminate one of two errors in the event logs I was seeing, but I'm still left with one recurring event log entry and a still unusable CA.
 
Here is the one relevant entry in the event log that appears on the new CA server.
 
Source:  CertSvc
Event ID: 44
Type: Error

The "Windows default" Policy Module "Initialize" method returned an error. Element not found. The returned status code is 0x80070490 (1168). Certificate Services could not find required Active Directory information.

 
Any thoughts?
~Ben
 


From: WATSON, BEN
Sent: Wed 7/12/2006 3:27 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Moving a Certificate Authority

I am mostly complete with the domain upgrade and the subsequent certificate authority move.  I’ve run into what “should” be the final problem before I can say everything is now successful.

I have moved the Certificate Authority from one Windows 2000 Server to another Windows 2000 Server.  Everything appears happy on the new server running as a new certificate authority; however domain clients are unable to request a certificate at this point.  For instance, when attempting to request a user certificate from a Windows 2000 member server, I get the pretty standard error message stating, “Windows cannot find a certification authority that will process the request”.

I have followed the instructions from KB298138 in the Windows 2000 section and while the certificate authority itself seems happy, all the clients don’t seem to know where it is located.  The new certificate authority has the exact same name as the old certificate authority, and I backed up the old CA certs and keys along with a registry key and restored these on the new CA as directed in the KB article.

Any advice on where to look to resolve this?  I did find KB271861 which talked about the same error I was getting, and I did not have the Enroll right given to Domain Users, however even after giving Domain Users that right it still has not changed anything. 

Thanks,

~Ben

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Brunson
Sent: Tuesday, July 11, 2006 6:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

 

Have you thought about putting a new server (or an older one with good hardware) in the mix as 2000, moving the CA to it, and then upgrading it to 2k3?  That way you don’t have to worry about the hardware not supporting 2003 or something terrible like that.  Then if you want you could move it from that 2003 server to another 2003 server, or you could just leave it where it is. 

Kevin Brunson

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Tuesday, July 11, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

 

And will it ever be a slooooooow 2k3 machine indeed.  After continuing to do some reading and researching, it does appear that my only option is to…

1)    Upgrade the old DC to 2k3

2)    Backup the CA and the registry key as stated in the KB298138 article.

3)    Remove the CA services, demote server and rename it.

4)    Promote a 2k3 server with the same name as the old DC and install the CA services.

5)    Restore the CA data and registry key

6)    Cross my fingers and hope that I have a CA once again

I’ll give this a shot tomorrow.  I just wonder what would be my backup plan should the CA restoration fail on the new server?  The old server will have been demoted and removed from Active Directory along with the CA services removed, not to mention a new server now has its name.

Thanks for your .02 Steve, it seems to be spot on.

~Ben

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

 

You cannot move from 2000 to 2003 as the database has changed. You could upgrade to 2k3 ( this would be temporary ) and then move to another 2k3 server. I know that you said that the HW was old - but perhaps a temporary sloooooooooow 2k3 machine?

 

You should keep the hostname the same - if you took the defaults for install (90% of CAs out there) then you have paths in all of your issued certs which hardcode to this server, not to mention the name is also in AD as well as the CA web pages. Unless you have a very good reason - it'd be best to keep it the same. I think that the article doesn't mention moving to a new name, because it would vary from customer to customer and cause more trouble than it's worth.

 

my .02

 

steve

----- Original Message -----

From: WATSON, BEN

Sent: Tuesday, July 11, 2006 3:08 PM

Subject: [ActiveDir] Moving a Certificate Authority

 

As part of my on-going journey into upgrading a 2000 domain to 2003, I’ve run into the issue of moving the Certificate Authority on one of the original domain controllers to a new Windows 2003 domain controller.

I have found a couple KB articles that seem to put me down a good path, but then don’t pan out.  Here is the situation…

I am at the point in the domain upgrade process where I need to eliminate the Windows 2000 Servers from the domain so I can raise the functional level to 2003 native.  However, the CA is currently on such old hardware that an OS upgrade to Windows 2003 from Windows 2000 is simply not possible so it will need to be demoted.  It was originally a Windows NT 4.0 domain controller back in the day.  So I am in a situation where I need to take a Certificate Authority from a Windows 2000 Server, and transfer that over to a Windows 2003 Server.

As stated before, one KB article seemed to be the most promising KB298138.  However the instructions seem to be focused on moving a CA from a 2000 server to a 2000 server, or a 2003 server to a 2003 server.

Is anyone familiar with the process of moving a CA from a 2000 DC to a 2003 DC?  Also, is there a possibility of moving the CA to a server with a different hostname than the original CA?

Thanks,

~Ben
