Well, I’ve been trying to write this article for about a month now and finally had some time to sit down and type it out. I was inspired by this article when I had a client request to move their Root Certificate Authority on a Windows 2003 Domain Controller to a new Windows 2008 Domain Controller. To be honest, there really isn’t anything to it but the information I found out on the net wasn’t that great so I thought I would provide the world with some info on how to perform this process.
The Client setup involved a Windows 2003 domain controller that was acting up. On this DC was their Root Certificate Authority for their entire Active Directory environment. The client is small and does not have any special requirements for an Enterprise CA and wanted to move their CA to Windows 2008 Active Directory Certificate Services.
The key principles here are that we need to move the private key associated with the Root Certificate Authority and also the Certificate Authority database. When moving a Certificate Authority we need to preserve the CA name in the environment, otherwise nothing will work! The clients will not be able to locate the CA, nor will the Root certificate match up with the certificates it issued. Things just won’t be trusted.
To get started I reviewed the Microsoft Support article on how to move a certification authority to another server, then backed up the existing Windows 2003 Root CA. I first used the Certification Authority snap-in to back up the CA database and private key. To perform the backup follow these steps:
- In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.
- Click Next, and then click Private key and CA certificate.
- Click Certificate database and certificate database log.
- Use an empty folder as the backup location. Make sure that the backup folder can be accessed by the new server.
- Click Next. If the specified backup folder does not exist, the Certification Authority Backup Wizard creates it.
- Type and then confirm a password for the CA private key backup file.
- Click Next, and then verify the backup settings. The following settings should be displayed:
  - Private Key and CA Certificate
  - Issued Log and Pending Requests
- Click Finish.
Next we have to save the registry settings. To save the registry settings perform the following:
- Click Start, and then Run. In the Run field type regedit and click OK.
- Locate and then right-click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration (While you are here, why not take a look at the settings and take a screen shot, so you can make sure they match up in the end.)
- Click Export.
- Save the registry file in the CA backup folder that was defined above.
Now that we have the database, certificate and registry backed up, the next step is to remove Certificate Services from the old computer. This process is pretty straightforward. Go into the Control Panel, Add/Remove Programs, Windows Components and clear the tick next to Certificate Authority. Note: be sure to remove the Certificate Authority from the old computer prior to deploying Certificate Services on the new machine. If you deploy AD CS first the target CA will become unusable.
Finally, rename the old server or permanently disconnect it from the network.
In the step above I took the existing Domain Controller, removed the Certificate Services from it and then performed a DCPromo to remove Active Directory from the computer. Once the computer was no longer a domain controller I renamed the old server. I wanted to keep the server online for a fail back just in case, which wasn’t necessary since the move went over successfully!
Now, looking at where we stand right now, I had the private key, the CA certificate and the certificate authority database backed up. The data backed up above should be copied to the new server that will be used for Active Directory Certificate Services; it will be imported below. The next step is to deploy Active Directory Certificate Services on the Windows 2008 domain controller. I should point out that when deploying Active Directory Certificate Services you should use Windows 2008 Enterprise edition, since W2K8 Enterprise gives you more Certificate Services functionality. For a comparison of the features in Windows 2008 Standard vs Windows 2008 Enterprise take a look at this link: Active Directory Certificate Services Step-by-Step Guide. If you scroll down a bit you will see a comparison chart which notes which features are available with which edition of Windows.
Now, let’s move on to the part where we deploy and restore the Certificate Services. Log on with local or enterprise administrator permissions to the CA computer and perform the following:
- Launch Server Manager on Windows 2008.
- In the console tree, click Roles.
- On the Action menu, click Add Roles.
- If the Before you Begin wizard appears, click Next.
- In the list of available server roles, select the Active Directory Certificate Services check box, and click Next twice.
- Make sure that Certification Authority is selected, and click Next. (Note: If you are going to use Web Enrollment make sure to check this box. You can always add it later, but why not add it now? All the required role services will also be installed when you check this box, since you will get a list of the role services that must be added.)
- Select Enterprise and click Next. (We are doing this because this is an Enterprise Root CA that will integrate with Active Directory. Just like the one I decommissioned. Best practice is to have a Standalone Root CA but given the size of this organization they are not too concerned with having a Standalone Root CA.)
- Specify Root and click Next. (If the CA you’re moving from was a Subordinate CA then you would want to tick the Subordinate CA option. But since in my example this is a Root CA we are sticking with Root. Keep in mind that whether you’re coming from a Root CA or a Subordinate CA, this option must match what you’re coming from.)
- At this stage, you have a choice between creating a new private key or using an existing private key. For a migration, on the Set Up Private Key page, select Use existing private key and choose Select a certificate and use its associated private key.
You should have something that looks like this:
Click Next and continue the steps below:
- If the CA certificate we backed up above has been installed on the computer, it will be listed in the Certificates box. Otherwise, click Import to import a certificate from the .pfx file created by exporting the CA certificate and private key from the source CA.
- Click Browse, and locate and select the file containing the certificate and private key exported from the source CA.
- Enter the password you selected when exporting the CA certificate and key from the source CA, and click OK. Select the certificate that was just imported and click Next.
- When choosing your paths you can either use the defaults or browse to new ones. Once done click Next.
- Complete the installation of AD CS.
- Click Yes to accept the warning to overwrite AD DS. (This appears only if you are installing an enterprise CA.)
Congratulations, you’re almost there! We have deployed Active Directory Certificate Services on Windows 2008. There are still two more steps that must be completed. This is the process of restoring the Certificate Authority Database that was backed up in the first section and restoring the registry component.
To restore the registry simply locate the registry file that was saved above, right-click the file and select Merge. This will import the registry settings to the W2K8 server. You can check that the settings were imported correctly by going to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration and verifying your settings are there. (Remember that screen shot?) Next we have to restore the database.
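The registry export is also where references to the old server name live (CAServerName, the CRL and AIA publication URLs), so it is worth scanning before you merge it. The script below is an added example rather than the post’s own tooling: it parses the .reg format that regedit writes and lists every value mentioning a given name; the sample export, the CA name Contoso-CA and the server name OLDSRV are constructed placeholders.

```python
import re

# Constructed sample export. "Contoso-CA" and "OLDSRV" are placeholder names.
# A real export is UTF-16 text: open(path, encoding="utf-16").read()
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration]
"Active"="Contoso-CA"
"DBDirectory"="C:\\Windows\\system32\\CertLog"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Contoso-CA]
"CommonName"="Contoso-CA"
"CAServerName"="OLDSRV"
"CRLPeriodUnits"=dword:00000001
"CRLPublicationURLs"=hex(7):31,00,3a,00,68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,\
  4f,00,4c,00,44,00,53,00,52,00,56,00,2f,00,78,00,2e,00,63,00,72,00,6c,00,00,00,\
  39,00,39,00,3a,00,4f,00,4c,00,44,00,53,00,52,00,56,00,00,00,00,00
'''

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_HEX_VALUE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")

def _join_continuations(text):
    """Regedit wraps long hex values with a trailing backslash; rejoin those lines."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + line
        else:
            lines.append(line)
    return lines

def _decode_value(rhs):
    """Turn the right-hand side of a "name"=value line into a Python value."""
    if rhs.startswith('"') and rhs.endswith('"'):       # REG_SZ, with \" and \\ escapes
        return rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if rhs.startswith("dword:"):                        # REG_DWORD, hex digits
        return int(rhs[6:], 16)
    m = _HEX_VALUE.match(rhs)
    if m is None:
        return rhs
    kind = int(m.group(1) or 3)                         # bare "hex:" is REG_BINARY
    data = bytes.fromhex(m.group(2).replace(",", ""))
    if kind == 7:                                       # REG_MULTI_SZ: UTF-16LE, NUL separated
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    if kind in (1, 2):                                  # REG_SZ / REG_EXPAND_SZ written as hex
        return data.decode("utf-16-le").rstrip("\0")
    return data

def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:                # header, blank line or comment
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        keys[current][name] = _decode_value(m.group(2))
    return keys

def find_host_references(keys, hostname):
    """List (key, value_name, value) for every value that mentions hostname."""
    needle = hostname.lower()
    hits = []
    for key, values in keys.items():
        for name, value in values.items():
            items = value if isinstance(value, list) else [value]
            if any(isinstance(v, str) and needle in v.lower() for v in items):
                hits.append((key, name, value))
    return hits

if __name__ == "__main__":
    for key, name, value in find_host_references(parse_reg(SAMPLE_REG), "OLDSRV"):
        print(f"{key}\n    {name} = {value}")
```

When the new server keeps the old name every hit is expected; a hit only needs attention if the name it carries no longer resolves to the CA.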
To restore the database and log files perform the following:
- Open Server Manager on the Windows 2008 Server.
- Expand Roles and then expand Active Directory Certificate Services.
- Locate the name of the CA you just deployed.
- Right-click the CA name and select Restore CA…
- You will get a warning message that AD CS cannot be running to perform this action. Simply click OK to stop AD CS.
- In the wizard, click Next.
- On the Items to Restore screen check the box Certificate database and certificate database log only. Click Browse to locate the database that was copied over above. (Note: I need to point out here that you select the folder you backed up to, i.e. if you backed up the database and logs to C:\Temp\CABackup then this is the folder you will restore from. The backup process creates a subdirectory that it looks for during restore; if you go one folder too deep the restore will fail.) Once you have located your backup click Next.
- On the completion screen click Finish and the restore will begin.
- Once the restore is complete you will receive a dialog that asks if you would like to restart AD CS. Simply click Yes. (We shouldn’t have any incremental backups since we are doing a migration.)
- Once the AD CS service is restarted we are good to go!
Well, what do you guys think? Worth the effort? Migrating to W2K8 AD CS will help your CA remain alive much longer. During this process I also had to renew the CA certificate, which was pretty easy.
I hope this article will help someone out there. I know I was able to get through it, but had to go to a couple of different sources to get the exact process down.
Enjoy!
Hi Mike, you can rename the server, follow the KB article you found, I believe I know which one you are referring to.
Keep in mind updating DNS and security though.
Thanks Scott, I will give it a try, I hope it works! I will report back hopefully with good news, thanks!
Great article Scott, just 10 minutes of reading makes an otherwise huge task look very easy. I will perform the same. But just for information, my CA is on a separate member server. I believe that every step will be the same?
Thanks a lot
Anwar A.Siddiqui
Hi Anwar,
Everything will be the same if the CA is on a separate member server. Move the server to the new server with the same name as the old.
Hi Scott,
We want to migrate our CA from Windows 2003 x86 to Windows 2008 x64. But from some other materials, people suggest that this may fail. So in your article, did you migrate from 2003 x86 to 2008 x64, or 2003 x86 to 2008 x86? That’s very important to us. Thank you!
Ryan
Great article, worked great. Got a little hung up on the restore, but then figured out that I also needed to move the Database folder from the original backup location, not just the *.p12 file. But really nice and easy to follow.
yeah I want to know if I can migrate from a 2003 32 bit to a 2008 R2 64bit ? Microsoft materials says NO… tho… any ideas ?
What happens if there’s no CA in the whole domain anymore ?
Hi Ryan, Yes in my attempts I have gone from 2003 to 2008 x64 without any trouble at all! Hope this helps.
Greg, Glad the article was of use! Thanks!
George,
I have moved a 32-bit CA to a W2K8 64-bit quite a few times now and have never run into a problem.
If there is no CA for the domain you will lose your auto enrollment and whatever other services you use for your domain.
Tietze,
You mentioned that you changed a line, “We’ve just changed a line on the registry that directed the CA Server name to the old one.” What line did you change? I am finding that there are numerous references in the registry export to the old server FQDN. Did you change them all? Note that I am replacing an Enterprise Domain CA.
Tietze
I understand that your procedure works only when the new server gets the name of the old server.
Is there a way to migrate from server 2003 name AAA to server 2008 name BBB by keeping BBB name?
Or what kind of procedure is in my scenario best practise?
(Deleting old, how? Creating new,…)
Juergen
I’d appreciate help to recover from doing this the wrong way. I have a W2003 Enterprise server (not a DC) which has been a CA for a long time, but has not been used much. Without backing up or removing this server, I added the CA role to a new Windows 2008 R2 Standard Edition Domain Controller. Now the Enterprise PKI node under the CA role on this server shows the two CAs. The certs issued by the old server have all expired or are no longer needed. We only use our CA to issue certs to internal servers. What is the best way to proceed from here? Is it OK to simply remove the old CA? As an alternative, I could use the procedure above and move the old CA to a new server. In that case, will removing the CA role from the new DC break anything?
Thanks in advance.
You could revoke all the certificates from the old CA and decommission the old CA. Then you would have to reissue certificates from the new CA.
Juergen,
if you want to migrate a CA from computer named AAA (windows 2003) to computer named BBB (Windows 2008/R2), then you should visit the following page:
http://smtpport25.wordpress.com/2010/01/16/migrating-windows-certificate-authority-server-from-windows-2003-standard-to-windows-2008-enterprise-server/
There are a few more steps needed to get the new CA server (with the new computer name) to work properly:
- Edit the registry
- Edit the ACLs on AIA and CDP containers in AD
- Add CRL point with the OLD servers name in path (usually only LDAP and HTTP)
- TEST PUBLISHING CRL and Delta CRLs is a MUST !!!
I had issues migrating my CA because of all these changes, and really, there is a good article on TechNet, but I think the link I provided you should be sufficient.
Scott, great article anyway !
Regards,
Andrija Panic
http://technet.microsoft.com/en-us/library/cc755153(WS.10,printer).aspx
The above article states that prior to moving the CA from w2k3 to w2k8R2, you must either upgrade the current W2k3 CA server to w2k8 before you backup the CA – OR – build the new server as W2k3, move the CA to it, and THEN, upgrade the new server to W2k8.
The article is specific to W2k8, but I plan on using W2k8 R2, not sure if that makes a difference.
Any comments on this?
Thanks
Hi Alice,
I have done the move a number of times now using the process in the article without any problem whatsoever. This includes moving from an x32 W2K3 to an x64 W2K8.
I am not aware of any core difference between AD CS on W2K8 and W2K8 R2.
Having said this I don’t foresee any problems migrating the CA to a W2K8 R2 server.
I would recommend going with a Stand Alone Server running AD CS by not running AD DS on the server.
Hi Scott,
Our CA is on windows 2003 x86 DC, and we want to migrate it to a windows 2008 x64 member server, because there will be some changes to the PKI. We don’t know whether this plan is workable? I need your suggestion, thank you!
Ryan
Ryan,
Are you planning on moving using the guide, or are you looking to move to an entirely new server with a new name? If you use the guide you shouldn’t have any problem.
Or are you thinking of deploying an entirely new PKI Infrastructure?
Thanks for the response. Couple clarification questions…..
So you are saying that the section of the article referring to upgrading the source server prior to the CA backup is not necessary? I can just backup the CA from the 2003 server and restore it to the new 2008 server?
Also, regarding your last sentence…
‘I would recommend going with a Stand Alone Server running AD CS by not running AD DS on the server.’
Do you mean that the new CS server should be a member server, not a DC?
Thanks
Hi Alice,
The new CA server should run only the CA and be a domain member. There are some situations where you will want a stand alone root CA and then have a subordinate. You can have a CA on a DC but I have seen a few issues with Domain Controllers having issues which result in a corrupt CA.
Yes, you can backup the CA on 2003 and then restore the Backup to the newly deployed Windows 2008 CA with the same server and CA name.
Alice,
You can run the CS as a standalone Domain Member and not deploy AD DS to the box. Either way will work. I have seen some instances where the DC corrupts and the CA goes away and is very difficult to recover.
You do not need to upgrade the W2K3 server. You can backup the CA and import it to the W2K8 Server with the same name as the old W2K3 server.
Hope this helps.
Hi Scott,
I want to upgrade my Win2K3 R2 DC to be a Win2K8 R2 Member server in a small domain. The Win2K3 box is currently the CA. I want to reformat and reuse the same hardware instead of migrating to new hardware with the same name. I would give the reformatted PC the same name as the previous installation. Are there any problems with my approach? We can afford to have certificate services offline for a Saturday while I install Win2K8 R2, but I want to make certain that I am not overlooking something that makes this a bad plan… all the documentation I’ve been reading indicates using separate hardware to migrate the CA to, with a heavy reco to name that separate hardware the same as the original server. Thanks for sharing your experience!
Hi Jeremy,
I don’t see a reason why that wouldn’t work. My only concern would be the original files would be lost.
As long as you have a good backup of the CA and the server name remains you should be fine.
Hi, Scott,
Small question, does the name of the new server need to be the same as the old one?
thanks in advance
Maarten, I would recommend it. There is a way to do a different server name but it requires additional steps.
Dear Scott,
I’m always interested to know how to do this…
thanks in advance
regards
Maarten
Hi Scott,
Does this process also work on non-domain controller Servers? For example, I am moving from a 2003 box to a 2008 box, BOTH of which aren’t Domain Controllers.
Thanks!
Maarten, Andrija Panic above has a link to the URL to change the server name. There are some registry and domain tweaks that need to be performed.
Hi Scott, I also used the article at: http://smtpport25.wordpress.com/2010/01/16/migrating-windows-certificate-authority-server-from-windows-2003-standard-to-windows-2008-enterprise-server/#comment-361
and it worked just fine, migrating from 2003 R2 STD to 2008 R2. And definitely didn’t need to change the hostnames.
Thanks Scott for all your effort and willingness to share.
Hi Scott,
A very good and informative article. I am in just about the same boat at my company. Our Root CA is on a domain controller I want to decommission, but need to migrate the Enterprise CA first. However, I simply want to move the CA to a member server running the same OS (2003 RS), but want to keep the original intact until I can confirm that the migration and new server will work. I would like to have the new server keep the same name as the current DC for simplicity’s sake, but am unsure of how or when to name the new server and join it to the domain without screwing up the current server’s object. Do you have any info/tips on this step of the project that I can use?
Thanks!
Hi Jim,
You cannot have the same CA running on two computers. You could deploy a new CA in your org that is AD integrated, or you can migrate the CA from your existing server to a new one. You could also do a subordinate CA with a certificate issued from the parent, but you will still need to move the Root CA eventually.
Granted, nothing bad will happen if your CA is unavailable for a short time.
So, you do have a few options.
Thanks for the info, I suspected as much. I was hoping to be able to keep the old root CA server intact just in case there are issues with the replacement. So in essence, we have to backup the info from the old one first, unjoin from the domain, and remove from the network, then we can join the replacement to the domain using the same name and perform the restore/recovery operation, correct?
Hi Scott,
We have a failing 2003 DC with CA services on it. I need to remove the CA services from the bad DC so that I can remove the DC from our domain. Can the CA be moved to a 2008 server even though the domain is Native 2003?
Hi Sean,
Yes, you can move the CA to a W2K8 server even with a Native 2003 domain.
This was an awesome and straight forward walk through. Thanks for your help.
thanks, very helpful
Nice Article Scott! We just lost our 2008R2 DC CA Server. The backups of the server were older than when our current certs were issued. I have copies of our current certs with private keys, but cannot figure out how to import them back into the database to show them as issued by this older restored server. CertUtil looks like it may be the right tool, but too many switches to choose from and I get the feeling they may actually be importing to the local computer’s certificate store, not the CA database. Anyone got ideas?
Hi Todd, It is never easy is it.
Check out my article here: http://www.scottfeltmann.com/index.php/2010/09/28/move-root-certificate-authority-from-a-failed-windows-server-2003-domain-controller-to-windows-server-2008/
This article talks about moving a CA from a failed DC. If you can access the HD you should be able to recover your CA DB.
OK, I followed your instructions and I am having an issue where the new Win2008 CA is not able to connect to the restored database. The database does restore fine, but once I start the CA services I am getting the error “The RPC server is unavailable” and after a few minutes the CA service will stop. Any ideas? Thanks
Great article! Before I attempt this I’d appreciate some additional clarifications.
Since we need to hand out certificates, that are not linked to our domain, we have a Windows Server 2003 SP2 (not a member of our domain) that does this. I need to move this stand-alone CA to a 2008 R2. What changes, compared to this article?
Ok, it looks like I got it working. It was an issue with the database and I just followed the instructions in KB 2011458 and let the database run for a while, took about 2-3hours. And it started working.
Thanks
CypherBit, the process should be the same as with a domain member joined machine.
I would however suggest a two tier PKI with an offline Root CA (sorta what you have now) and an issuing domain joined CA that is online.
I actually have a fully functional two tier PKI for our own needs/domain. I’m not migrating that.
We have another standalone/workgroup CA server used for external customers, that is in no way tied to our domain PKI and this is the one I need to migrate. All the articles I come across only discuss the first one…
Gotcha, the process will be the same, keep the name, export the cert, import the cert, backup the database, etc, etc.
Hello Scott,
first of all, congratulations for a great job.
I explain…
I have SRV1 –> WS2003x86 PDC, DNS, DHCP, CA.
I also have SRV2 –> WS2008R2x64 DC, DNS.
My plan is to decommission/remove SRV1.
Then, the first step will be move DHCP from SRV1 to SRV2.
The second step will be move CA from SRV1 to SRV2.
Actually, the CA is Standalone, and I prefer to maintain Standalone. (Your steps are for an Enterprise CA, but I suppose they are the same for Standard.)
The name of the CA is “SRV1”, that is the same name as the server, “SRV1”.
When I move the CA to SRV2, can I maintain the name of the CA “SRV1” when it will be on SRV2? (I suppose that it is supported, because if I do an import (such as you explain) I will also import the old name.)
Another question, apart from this, is: during the time that the CA has been removed from SRV1 and I deploy the new CA on SRV2 (with your steps), are some functionalities lost?
Such as TLS communication between two hosts on the same network that use certificates issued by the CA? (I don’t think so.)
Well, thanks in advance!
Hey Scott…I really don’t want to keep the same name and change the hostname of the new DC. Is it possible to just remove CA services off of a domain controller and install it on a new DC? What are the side effects of doing that?
Our situation is that we have a DC that will probably soon die running Win2003 and a new box running Win2008. I want to just completely remove the DC part of that box and utilize the file services running on it, so I can’t change the name as it will break all of our UNC paths.
Joey, best practice is to deploy the Certificate Authority on a stand alone domain member. You can add an offline Root but that is a different story.
To decommission a CA you will want to follow the steps here: http://support.microsoft.com/kb/889250 and this document that adds content to the support site: http://blogs.technet.com/b/pki/archive/2009/01/18/how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects-from-windows-server-2003.aspx.
Once your AD environment is clean you can then deploy a new CA on the W2K8 server. I recommend a domain member not running any other services. I have seen a lot of issues where a CA is deployed on a DC and problems start up if the DC has problems.
Keep in mind all the certificates you deployed from the CA will need to be revoked and reissued from the new CA.
Nacho,
If you are changing the name of the CA during the migration you will need to do some manual edits to the CRL distribution points and verify the changes are done in AD Sites and Services. Once done you will want to publish the CRL and AIAs and verify permissions.
Another note is that you will be better off putting the CS on a separate member server if possible. I have seen problems come up with putting CS on a DC.
Scott
This looks like the article I’ve been looking for.
My CA is on a W2k3 DC which also requires migration to an alternative virtual environment (away from VMware).
In summary then you are suggesting straight move from W2K3 to W2k8R2x64 is possible using the methods above but are recommending the CA is no longer a DC? Can I also check that the existing certificates will remain valid even if the CA has a different machine name?
Thanks