Move already once migrated CA to another new server

Answered

  • Tuesday, 24 April 2012 01:24

    My CA has already been migrated once, several years ago, to a 2008 R2 domain controller. The certificate name is the name of the ORIGINAL server, call it EXCHANGE, and it lives on a server called DOMAIN_CONTROLLER_1.

    I want to move the CA to DOMAIN_CONTROLLER_2 (also 2008 r2 DC) so I can decommission the old server DOMAIN_CONTROLLER_1

    As the CA name is not DOMAIN_CONTROLLER_1, do I actually need to rename anything as part of this process? All the certs carry the name EXCHANGE.

    Using: http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx#BKMK_ImportCACert

    as reference.

All replies

  • Tuesday, 24 April 2012 02:26
     Suggested answer

    You should be able to move the CA from one server to another with minimal issue as long as you do not change the name of the certificate.  This is the information that is assigned to each certificate.  If you change the name of the CA from EXCHANGE to EXCHANGE2, then you will need to reissue all of your certificates.

    We recently migrated our CA from WIN2K to WIN2K8 on two different servers with different names and kept the CA name the same i.e. it stayed as EXCHANGE.  It is all working fine.

    Please refer to the following document for more information:  http://technet.microsoft.com/en-us/library/cc742515(v=ws.10).aspx

    Hope this helps

    • Proposed as answer by Angelo AA, Monday, 7 May 2012 01:12
  • Tuesday, 24 April 2012 02:50
    Thanks Angelo, just to clarify - your situation had a CA name of EXCHANGE but was running from a server with name OLD_SERVER and you moved it to the server with name NEW_SERVER and kept the CA name as EXCHANGE throughout the operation?
  • Tuesday, 1 May 2012 23:44
     Answered

    Apologies for the delay.

    The answer to your question is YES. You may change the name of the server and keep using the currently issued certificates as long as the CA name, for example EXCHANGE, does not change.

    When you export the CA settings and database, they are not modified, as it is existing data. When you import the CA and database files, you will see that the same name is available. You will need to modify your CRL distribution points to point to the old server once you have migrated across so that the existing certificates have a revocation and expiration point. The above article goes into detail on how to complete this.

    • Edited by Angelo AA, Tuesday, 1 May 2012 23:47: more info
    • Marked as answer by healthyCamper, Wednesday, 9 May 2012 04:23
  • Tuesday, 1 May 2012 23:57
    • Marked as answer by Bruce-Liu (Moderator), Monday, 7 May 2012 08:27
    • Unmarked as answer by healthyCamper, Wednesday, 9 May 2012 04:03
  • Wednesday, 9 May 2012 04:01

    Finally got around to this and used a new server for the job. All seems to have transferred OK, no errors at any point, nothing in the event log. The only changes I made were the "CAServerName" value in the registry key and granting the new server full permissions on the various AIA and CDP paths in AD Sites and Services / PKI, as per MS instructions.

    I've only just completed, but testing on a PC I can't pick up any new certs; ALL show as unavailable. This might be AD replication yet to occur, or a problem. Tests below:

    certutil -getreg CA\CRLPublicationURLs

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\EXCHANGE\CRLPublicationURLs:

      CRLPublicationURLs REG_MULTI_SZ =
        0: 65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
        CSURL_SERVERPUBLISH -- 1
        CSURL_SERVERPUBLISHDELTA -- 40 (64)

        1: 79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
        CSURL_SERVERPUBLISH -- 1
        CSURL_ADDTOCERTCDP -- 2
        CSURL_ADDTOFRESHESTCRL -- 4
        CSURL_ADDTOCRLCDP -- 8
        CSURL_SERVERPUBLISHDELTA -- 40 (64)

        2: 0:http://%1/CertEnroll/%3%8%9.crl

        3: 0:file://%1/CertEnroll/%3%8%9.crl

    CertUtil: -getreg command completed successfully.

    certutil -getreg CA\CACertPublicationURLs

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\EXCHANGE\CACertPublicationURLs:

      CACertPublicationURLs REG_MULTI_SZ =
        0: 1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
        CSURL_SERVERPUBLISH -- 1

        1: 3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
        CSURL_SERVERPUBLISH -- 1
        CSURL_ADDTOCERTCDP -- 2

        2: 0:http://%1/CertEnroll/%1_%3%4.crt

        3: 0:file://%1/CertEnroll/%1_%3%4.crt

    CertUtil: -getreg command completed successfully.

    certutil -crl
    CertUtil: -CRL command completed successfully.

    Do I need to add a CNAME in DNS to point requests to EXCHANGE to go to my new CA?
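
An added example, not from the post or from Microsoft, that decodes the certutil -getreg output above: it parses each publication URL entry, names the CSURL_* flag bits, and expands the %N tokens for the old and the new host, so you can see which URLs depend on the host name (%1 ServerDNSName, %2 ServerShortName) and therefore change when the CA moves, and which of those are written into issued certificates (CSURL_ADDTOCERTCDP) rather than only published by the CA. It also bears on Angelo's point earlier in the thread that the CA name, not the server name, is what the certificates carry: the LDAP CDP template here contains both. The host names, the DNS suffix my.lan and the configuration DN are assumptions for the example; the sample text is the CRLPublicationURLs output copied from the post.

```python
import re
from dataclasses import dataclass

# CSURL_* bit values. certutil -getreg lists each set bit under an entry as
# hex with the decimal in parentheses, e.g. "CSURL_SERVERPUBLISHDELTA -- 40 (64)".
CSURL_FLAGS = {
    1: "CSURL_SERVERPUBLISH",
    2: "CSURL_ADDTOCERTCDP",
    4: "CSURL_ADDTOFRESHESTCRL",
    8: "CSURL_ADDTOCRLCDP",
    64: "CSURL_SERVERPUBLISHDELTA",
    128: "CSURL_ADDTOIDP",
}

# %N replacement tokens certsrv expands in CDP/AIA templates.
TOKENS = {
    "%1": "ServerDNSName", "%2": "ServerShortName", "%3": "CaName",
    "%4": "CertificateName", "%6": "ConfigurationContainer",
    "%7": "CATruncatedName", "%8": "CRLNameSuffix", "%9": "DeltaCRLAllowed",
    "%10": "DSCRLAttribute", "%11": "DSCACertAttribute",
}
HOST_TOKENS = {"%1", "%2"}                # the only tokens that carry the CA host's name
TOKEN_RE = re.compile(r"%(?:1[01]|\d)")   # two-digit tokens first so %10 is not read as %1 + "0"
ENTRY_RE = re.compile(r"^\s*(\d+):\s*(\d+):(.+?)\s*$")   # "<index>: <flags>:<template>"


@dataclass
class PublicationUrl:
    index: int
    flags: int
    template: str

    def flag_names(self):
        return [name for bit, name in CSURL_FLAGS.items() if self.flags & bit]

    def tokens(self):
        return set(TOKEN_RE.findall(self.template))

    def host_dependent(self):
        return bool(self.tokens() & HOST_TOKENS)


def parse_getreg(text):
    """Pull the numbered URL entries out of certutil -getreg output; flag lines are skipped."""
    return [PublicationUrl(int(m.group(1)), int(m.group(2)), m.group(3))
            for m in map(ENTRY_RE.match, text.splitlines()) if m]


def expand(entry, values):
    """Substitute the %N tokens with the values certsrv would use for one CA host."""
    def _sub(m):
        tok = m.group(0)
        return values.get(TOKENS.get(tok, tok), tok)   # unknown tokens are left as-is
    return TOKEN_RE.sub(_sub, entry.template)


def ca_values(dns_name, short_name, ca_name="EXCHANGE",
              config_dn="CN=Configuration,DC=my,DC=lan"):
    """Token values for one CA host (host names and DN are assumptions for the example)."""
    return {
        "ServerDNSName": dns_name,
        "ServerShortName": short_name,
        "CaName": ca_name,
        "CATruncatedName": ca_name,   # identical unless the CA name had to be shortened for AD
        "CertificateName": "",        # "" for the first CA certificate, "(1)", "(2)", ... after renewals
        "CRLNameSuffix": "",          # "" for the first CA key, "(1)", ... after renewal with a new key
        "DeltaCRLAllowed": "",        # "" for the base CRL, "+" for the delta CRL
        "ConfigurationContainer": config_dn,
        "DSCRLAttribute": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
        "DSCACertAttribute": "?cACertificate?base?objectClass=certificationAuthority",
    }


def migration_impact(entries, old_values, new_values):
    """For each entry: what it expands to before and after the move, and whether that matters."""
    rows = []
    for e in entries:
        old, new = expand(e, old_values), expand(e, new_values)
        rows.append({
            "index": e.index,
            "flags": e.flag_names(),
            "published_by_ca": bool(e.flags & 1),   # CA writes the CRL/cert to this location
            "in_issued_certs": bool(e.flags & 2),   # URL goes into the CDP/AIA extension of issued certs
            "host_dependent": e.host_dependent(),
            "changes_on_move": old != new,
            "old": old,
            "new": new,
        })
    return rows


# Sample input: the CRLPublicationURLs output posted above (copied from the post).
SAMPLE_CRL_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\EXCHANGE\CRLPublicationURLs:
  CRLPublicationURLs REG_MULTI_SZ =
    0: 65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
    CSURL_SERVERPUBLISH -- 1
    CSURL_SERVERPUBLISHDELTA -- 40 (64)
    1: 79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
    CSURL_SERVERPUBLISH -- 1
    CSURL_ADDTOCERTCDP -- 2
    CSURL_ADDTOFRESHESTCRL -- 4
    CSURL_ADDTOCRLCDP -- 8
    CSURL_SERVERPUBLISHDELTA -- 40 (64)
    2: 0:http://%1/CertEnroll/%3%8%9.crl
    3: 0:file://%1/CertEnroll/%3%8%9.crl
CertUtil: -getreg command completed successfully.
"""

if __name__ == "__main__":
    old = ca_values("DOMAIN_CONTROLLER_1.my.lan", "DOMAIN_CONTROLLER_1")
    new = ca_values("DOMAIN_CONTROLLER_2.my.lan", "DOMAIN_CONTROLLER_2")
    for row in migration_impact(parse_getreg(SAMPLE_CRL_OUTPUT), old, new):
        print(f"[{row['index']}] {', '.join(row['flags']) or 'no flags'}")
        print(f"    in issued certs: {row['in_issued_certs']}  changes on move: {row['changes_on_move']}")
        print(f"    old: {row['old']}\n    new: {row['new']}")
```

With the posted configuration the http:// and file:// entries carry flag 0, so the CA neither publishes to them nor writes them into certificates, and the local file path contains no host token at all. The LDAP CDP (flag 79) is both published and written into certificates, and its CN=%2 component is the publishing server's short name: certificates issued before the move name the old server's container under CN=CDP in AD, those issued afterwards name the new one, which is the container the earlier post had to grant the new server permissions on. Run the same parser over the CACertPublicationURLs output to see the equivalent for AIA, where the LDAP entry carries no host token but the local file name does (%1_%3%4.crt).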

  • Wednesday, 9 May 2012 04:24
    Gave it a bit more time (and a PC reboot) and could now renew my wireless certificate; looks pretty happy. Still wondering if I need to add a CNAME though?
  • Friday, 11 May 2012 00:25

    To add a note to this that may help someone else.

    We use NPS for wireless authentication, based on certs and group membership. Shortly after the change above, some clients lost the ability to connect to the wireless access points. All you'd see on the client was an immediate failure and this error message:

    Log Name:      System
    Source:        Schannel
    Date:          11/05/2012 11:14:31 a.m.
    Event ID:      36887
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:      PC.MY.LAN
    Description:
    The following fatal alert was received: 49.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
        <EventID>36887</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2012-05-10T23:14:31.896831100Z" />
        <EventRecordID>58232</EventRecordID>
        <Correlation />
        <Execution ProcessID="604" ThreadID="700" />
        <Channel>System</Channel>
        <Computer>PC.MY.LAN</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="AlertDesc">49</Data>
      </EventData>
    </Event>

    Couldn't find anything useful on this error, other than a TLS access denied hint; obviously something to do with certificates. The fix that 'seems' to work is:

    Uninstall NPS from server (requires a restart).

    Remove (delete) the RAS and IAS certificates from the Computer/Personal store on that device

    Re-enroll for a new RAS/IAS certificate

    Re-install and reconfigure NPS

    Seems to work again; may have only affected the server running NPS prior to the change.
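
The Schannel event above carries the TLS alert number in its AlertDesc field; 49 is access_denied in RFC 5246, the alert a peer sends when it received a valid certificate but decided not to proceed. An added example, not part of the post, that parses events in the XML layout shown above, keeps only Schannel 36887 ("fatal alert was received"), names the alert per RFC 5246 and groups the result per client, so that a cluster of certificate-family alerts appearing right after a CA move stands out from ordinary handshake noise. The events are constructed for the example: the first reproduces the posted one, the others use assumed host names and alert codes.

```python
import xml.etree.ElementTree as ET
from collections import Counter

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SCHANNEL_ALERT_RECEIVED = 36887   # "The following fatal alert was received: N."

# TLS AlertDescription values (RFC 5246, section 7.2.2) as Schannel reports them in AlertDesc.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name",
}
# Alerts that say something about the peer's view of a certificate or its chain,
# the family a CA change is most likely to trigger; hints paraphrase RFC 5246.
CERT_ALERT_HINTS = {
    42: "peer found the certificate corrupt or its signatures did not verify",
    44: "peer considers the certificate revoked by its signer",
    45: "peer considers the certificate expired or not yet valid",
    46: "some other issue processing the certificate made it unacceptable to the peer",
    48: "peer could not locate or trust the issuing CA certificate for the chain",
    49: "peer accepted the certificate but refused to proceed after applying access control",
}


def parse_event(xml_text):
    """Flatten one Windows event (the XML form quoted in the post) into a dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    event_data = root.find("e:EventData", EVT_NS)
    data = {} if event_data is None else {
        d.get("Name"): d.text for d in event_data.findall("e:Data", EVT_NS)}
    return {
        "provider": system.find("e:Provider", EVT_NS).get("Name"),
        "event_id": int(system.find("e:EventID", EVT_NS).text),
        "time": system.find("e:TimeCreated", EVT_NS).get("SystemTime"),
        "computer": system.find("e:Computer", EVT_NS).text,
        "alert": int(data["AlertDesc"]) if "AlertDesc" in data else None,
    }


def triage_schannel(xml_events):
    """Keep Schannel 36887 events, name the alert, count per (computer, alert), list cert-family ones."""
    counts = Counter()
    cert_related = []
    for ev in map(parse_event, xml_events):
        if ev["provider"] != "Schannel" or ev["event_id"] != SCHANNEL_ALERT_RECEIVED:
            continue
        name = TLS_ALERTS.get(ev["alert"], f"alert_{ev['alert']}")
        counts[(ev["computer"], name)] += 1
        if ev["alert"] in CERT_ALERT_HINTS:
            cert_related.append({**ev, "name": name, "hint": CERT_ALERT_HINTS[ev["alert"]]})
    return {"counts": counts, "cert_related": cert_related}


def make_event(provider, event_id, computer, time, record_id, alert=None):
    """Build an event in the (trimmed) System-channel XML layout from the post; constructed sample data."""
    data = "" if alert is None else f'<Data Name="AlertDesc">{alert}</Data>'
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="{provider}" />
    <EventID>{event_id}</EventID>
    <Level>2</Level>
    <TimeCreated SystemTime="{time}" />
    <EventRecordID>{record_id}</EventRecordID>
    <Channel>System</Channel>
    <Computer>{computer}</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>{data}</EventData>
</Event>"""


SAMPLE_EVENTS = [
    # the event quoted in the post
    make_event("Schannel", 36887, "PC.MY.LAN", "2012-05-10T23:14:31.896831100Z", 58232, alert=49),
    # constructed: a second client on the same WLAN, same alert, a minute later
    make_event("Schannel", 36887, "PC2.MY.LAN", "2012-05-10T23:15:02.000000000Z", 58240, alert=49),
    # constructed: a client whose trust store lacks the CA certificate
    make_event("Schannel", 36887, "LAPTOP7.MY.LAN", "2012-05-10T23:16:40.000000000Z", 58251, alert=48),
    # constructed: an unrelated handshake failure, not in the certificate family
    make_event("Schannel", 36887, "PC.MY.LAN", "2012-05-10T23:20:11.000000000Z", 58270, alert=40),
    # constructed: a non-Schannel event that must be ignored
    make_event("Service Control Manager", 7036, "PC.MY.LAN", "2012-05-10T23:21:00.000000000Z", 58271),
]

if __name__ == "__main__":
    result = triage_schannel(SAMPLE_EVENTS)
    for (computer, name), n in sorted(result["counts"].items()):
        print(f"{computer:16} {name:20} x{n}")
    for ev in result["cert_related"]:
        print(f"{ev['time']} {ev['computer']}: {ev['name']} ({ev['alert']}): {ev['hint']}")
```

Because 36887 is logged on the side that *received* the alert, an access_denied on a wireless client means the other end of the EAP-TLS exchange, the NPS server here, rejected the client after validating its certificate; an unknown_ca on the client would instead mean the client could not chain the server's RAS/IAS certificate to a CA it trusts.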