Move Certificate Services from a DC to a Standalone

    Question

  • We have a 2008R2 AD Catalog Server that has all of the FSMO roles. It is also configured as an Enterprise CA. I need to decommission the physical DC server and move the CA; not necessarily in that order. I do not want to keep the name of the Server active necessarily. Most of what I am seeing suggests that there is going to be some period of time where this is no CA on the network. Secondly, if the server name changes then I understand the certificate services may not work correctly. If I remove the role from the source CA why can't I just deploy a new server, with the new CA role and abandon the old cert databases?
    Thursday, November 14, 2013 12:08 AM

Answers

  • See the link which Vadims provided. I just summarized that link at PHASE2.

    PHASE1

    1. MOVE FSMO.

    2. Update the DHCP scope.

    PHASE2 (Summary)

    1. Back up the CA templates list (required only for enterprise CAs).
    2. Record the CA's CSP and signature algorithm.
    3. Publish a CRL with an extended validity period.
    4. Back up the CA database and private key.
    5. Back up the CA registry settings.
    6. Back up CAPolicy.inf.
    7. Remove the CA role service from the source server.
    8. Remove the source server from the domain.
    9. Join the destination server to the domain.
    10. Add the CA role service to the destination server.
    11. Restore the CA database and configuration on the destination server.
    12. Restore the source CA registry settings on the destination server (requires some modification before importing).
    13. Restore the certificate templates list.
    14. Grant permissions on the AIA and CDP containers.
    15. Verify certificate extensions on the destination CA.
    16. Verify certificate enrollment.
    17. Verify CRL publishing.
    18. Retrieve certificates after a host name change.
    19. Restore Active Directory Certificate Services (AD CS) to the source server in the event of migration failure.
    20. Impact of migration

    Impact of migration on the source server
    The CA migration procedures described in this guide include decommissioning the source server after migration is completed and CA functionality on the destination server has been verified. If the source server is not decommissioned, then the source server and destination server must have different names. Additional steps are required to update the CA configuration on the destination server if the name of the destination server is different from the name of the source server.
    Impact of migration on other computers in the enterprise
    During migration, the CA cannot issue certificates or publish CRLs.
    To ensure that revocation status checking can be performed by domain members during CA migration, it is important to publish a CRL that is valid beyond the planned duration of the migration.
    Because the authority identification access and CRL distribution point extensions of previously issued certificates may reference the name of the source CA, it is important to either continue to publish CA certificates and CRLs to the same location or provide a redirection solution. For an example of configuring IIS redirection, see Redirecting Web Sites in IIS 6.0 (http://go.microsoft.com/fwlink/?LinkID=179366).


    21. Known issue

    We should not remove the CDP entry in Active Directory. Moreover, when we change the CA host name (or migrate), we must explicitly specify the old CA host name in the CDP extension configuration (in certsrv.msc). This is because existing certificates will point to the previous CDP reference. Therefore, we must explicitly set the previous CA host name so the CA will be able to update CRLs in the original location.


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin


    Thursday, November 14, 2013 7:49 AM
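The pre-migration capture (PHASE2 steps 1 to 6) and the step 21 fix are the parts of the summary above that are most often done by hand in certsrv.msc. The following is an added example, not code from this thread or from the Microsoft migration guide it summarizes; it uses certutil and the CertSvc registry key on a Windows Server 2008 R2 CA. The function names, the backup path, the two-week CRL period and the old host name OLDCA are all constructed placeholders, and Add-LegacyCdpLocation assumes that the old host name already resolves (for example through a DNS alias) to a CertEnroll share the destination CA's computer account can write to.

```powershell
<#
  Added example (not from the thread or from Microsoft's guide).
  Backup-SourceCa     : PHASE2 steps 1-6 on the source enterprise CA.
  Add-LegacyCdpLocation: step 21, publish CRLs to a location that still
                        carries the OLD host name so existing certificates
                        keep finding a fresh CRL.
  Run in an elevated PowerShell on the CA in question.
#>

$CertSvcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"

function Backup-SourceCa {
    param([string]$BackupRoot = "D:\CABackup")   # constructed path, change to suit

    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

    # Step 1: template list (enterprise CA only); re-assigned on the destination in step 13.
    certutil -catemplates | Out-File "$BackupRoot\catemplates.txt"

    # Step 2: CSP and signature algorithm; the destination CA must be installed with the same ones.
    certutil -getreg CA\CSP\Provider      | Out-File "$BackupRoot\csp.txt"
    certutil -getreg CA\CSP\HashAlgorithm | Out-File "$BackupRoot\csp.txt" -Append

    # Step 3: stretch the base CRL beyond the planned outage (two weeks is a constructed value)
    # and stop delta CRLs for the migration window. Registry changes need a service restart.
    certutil -setreg CA\CRLPeriodUnits 2
    certutil -setreg CA\CRLPeriod "Weeks"
    certutil -setreg CA\CRLDeltaPeriodUnits 0
    Restart-Service certsvc
    certutil -CRL

    # Step 4: CA database plus private key. certutil prompts for the PFX password
    # when -p is not supplied, so the password never lands on the command line.
    certutil -backup "$BackupRoot\ca"

    # Step 5: CA registry settings; edit the host-specific values before importing (step 12).
    reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" "$BackupRoot\certsvc-config.reg" /y

    # Step 6: CAPolicy.inf, only present if one was used when the CA was installed.
    if (Test-Path "$env:SystemRoot\CAPolicy.inf") {
        Copy-Item "$env:SystemRoot\CAPolicy.inf" $BackupRoot
    }
}

function Add-LegacyCdpLocation {
    param([string]$OldHost = "OLDCA")   # constructed: the source CA's host name

    # Per-CA settings live under Configuration\<CAName>; the "Active" value names the CA.
    $caName = (Get-ItemProperty $CertSvcKey).Active
    $caKey  = Join-Path $CertSvcKey $caName
    $urls   = @((Get-ItemProperty $caKey).CRLPublicationURLs)

    # Flag 1 = "publish CRLs to this location" only; it is NOT added to the CDP extension
    # of new certificates. %3 = CA name, %8 = CRL suffix, %9 = delta suffix, as in the
    # existing entries. The UNC path assumes OldHost resolves to a writable CertEnroll share.
    $legacy = "1:\\$OldHost\CertEnroll\%3%8%9.crl"
    if ($urls -notcontains $legacy) {
        Set-ItemProperty -Path $caKey -Name CRLPublicationURLs -Value ($urls + $legacy) -Type MultiString
        Restart-Service certsvc
        certutil -CRL     # publish once now so the old location gets a fresh CRL immediately
    }
    return (Get-ItemProperty $caKey).CRLPublicationURLs
}

# Usage: on the source CA before step 7, then on the destination CA after step 11.
# Backup-SourceCa -BackupRoot "D:\CABackup"
# Add-LegacyCdpLocation -OldHost "OLDCA"
```

The legacy entry is deliberately given flag 1 rather than the default 6 or 65 used for HTTP locations: the goal is to keep writing CRLs where certificates issued before the move expect them, not to bake the retired host name into certificates issued after it. If the old name is instead aliased in DNS to the new server (the approach in the next reply), publishing to the local CertEnroll folder already covers the old URL and the extra entry is unnecessary.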
  • 1. Building a SUB CA does not require anything.

    2. You CAN'T DEMOTE that DC without removing the CA role.

    3. CA migration can be easy if you plan properly for the CDP & AIA repository migration.

    (The CDP & AIA location is hard-coded in the SUB CA certificate (.CRT) in the certenroll folder, so after demoting the CA you can create an ALIAS name in DNS for the OLD server for getting the AIA & CDP location. There is some bug on IIS 7, so install the Windows Resource Kit on any existing 2003 server for checking with PKIVIEW.msc. There you can see the exact status of AIA, CDP & Delta CRLs.)

    In addition, the root CA should not be an issuing CA; make sure the SUB CA is the issuing CA. Publishing the CDP/AIA should be done on the SUB CA. Root CA migration requires 2 hr. downtime minimum, so I mentioned "Publish a CRL with an extended validity period." in my previous post.

    Test the migration in a test lab & see what the exact issue is. Post back accordingly and we will try to help.

    _____________________________

    If you migrate the Root CA server, you need to modify the below regkeys.

    CAServerName (in Root CA)

    parentCAmachine (In SubCAs)

    The above step is not required if the server names are the same.

    -Biswajit


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Saturday, November 16, 2013 10:57 AM
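After a root CA host rename, the reply above names two registry values to check (CAServerName on the root, ParentCAMachine on each subordinate) and relies on a DNS alias for the old name so that hard-coded AIA/CDP URLs keep resolving. The following is an added example, not code from the thread, that gathers those checks into one function run on the subordinate CA: it reads both values from the CertSvc configuration key, confirms the old host name resolves, and lets certutil -verify -urlfetch actually retrieve every AIA and CDP URL in the subordinate CA certificate's chain, which is the same thing pkiview.msc does interactively. OLDCA, the certificate path and the function name are constructed placeholders.

```powershell
<#
  Added example (not from the thread). Post-rename health check for the
  CA host references. Run in an elevated PowerShell on the subordinate CA.
#>
$CertSvcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"

function Test-CaHostReferences {
    param(
        [string]$OldHost   = "OLDCA",                                                 # constructed
        [string]$SubCaCert = "$env:SystemRoot\System32\CertSrv\CertEnroll\SubCA.crt"  # constructed
    )
    $result = @{}

    # Per-CA values live under Configuration\<CAName>. On a root CA, CAServerName must
    # carry the NEW host; on a subordinate, ParentCAMachine must point at the parent's
    # current host. Both are missing or stale after a rename unless fixed by hand.
    $caName = (Get-ItemProperty $CertSvcKey).Active
    $cfg    = Get-ItemProperty (Join-Path $CertSvcKey $caName)
    $result.CAName          = $caName
    $result.CAServerName    = $cfg.CAServerName
    $result.ParentCAMachine = $cfg.ParentCAMachine

    # Existing certificates embed the old name in their AIA/CDP URLs, so it must keep
    # resolving (a DNS alias to the new server, as suggested above) until they expire.
    try   { $result.OldHostResolves = [bool][System.Net.Dns]::GetHostAddresses($OldHost) }
    catch { $result.OldHostResolves = $false }

    # -urlfetch makes certutil download each AIA and CDP URL in the chain and report
    # per-URL success or failure; a non-zero exit code means verification failed.
    $log = Join-Path $env:TEMP "urlfetch-$caName.txt"
    certutil -verify -urlfetch $SubCaCert | Out-File $log
    $result.UrlFetchOk  = ($LASTEXITCODE -eq 0)
    $result.UrlFetchLog = $log

    return New-Object PSObject -Property $result
}

# Usage: review the object, then open UrlFetchLog for the per-URL detail.
Test-CaHostReferences -OldHost "OLDCA" | Format-List
```

If OldHostResolves is false or UrlFetchOk is false while certificates issued by the old host are still in use, clients will start failing revocation checks as soon as the extended CRL from the migration window expires, so this check belongs in the verification steps before the source server is retired.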

All replies

  • Thanks for the detailed reply. I have a follow-up question. It may be that we can retain the physical hardware and server name as the CA. In this case, we are attempting to protect against hardware failure as part of routine equipment replacement cycles. We are trying to protect the DC, and the move of the cert services is a related annoyance. So, if I keep the cert server on the same physical box, how does the procedure differ? For example, after running dcpromo to remove the AD role, will it still be necessary to remove and rejoin the computer to the domain? Or will Cert Services still function correctly once the DC has been demoted?

    Thanks,

    Thursday, November 14, 2013 5:52 PM
  • In this case you just demote the DC on the server and no changes are necessary there. Make sure there are additional DCs. If there are, then the current server will become a member server in the current domain.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    Thursday, November 14, 2013 6:07 PM
  • If the CA & DC are in the same box, you need to uninstall the CA role first; then you are able to demote the DC.

    -Biswajit


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Friday, November 15, 2013 3:33 AM
  • Thank you for your response. If I remove the CA role, then for some period of time I will not have a root CA in the domain. I do have a server set up as a subordinate. If I remove the Root CA, I am assuming I must immediately re-install it on the member server after ensuring that existing certs have a reasonable expiration period. In any case, I have read conflicting instructions on this procedure. Some have suggested that the former DC must be removed from the domain entirely, then rejoined as a member server along with the new CA role, followed by restoration of the CA data. As you can see above, it has been suggested that I can simply demote the server without doing anything. I do believe it will be necessary to remove the CA role. I am wondering how this operation will impact my subordinate CA and if I must disjoin the computer from the domain prior to re-adding the CA role and restoring the DB.

    Thanks for your insights and patience.

    Friday, November 15, 2013 10:16 PM
  • Hi,

    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Regards, Yan Li

    Monday, November 18, 2013 6:56 AM
  • Yes, these suggestions are very valuable to me. We are not ready to perform the migration yet but I am going to retain all of the comments here and use them as a tutorial of sorts.

    Monday, November 18, 2013 8:35 PM
  • Glad to hear that you got the necessary information from us.

    -Biswajit


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Tuesday, November 19, 2013 5:46 AM