Can we migrate Windows 2003 CA to windows 2008 R2 server?

  • Question

  • Hi all,

    I am working on migrating our Windows 2003 root enterprise CA to our Windows 2008 R2 server.

    Based on this: http://technet.microsoft.com/en-us/library/cc742388(WS.10).aspx

    But, at the end of this article, there is a note which states:

    ------------------------------------------

    x86 to x64: conflicting information Edit

    Based on this document, x86 to x64 is a migration, assimilated to a hardware change.
    But based on this KB (http://support.microsoft.com/kb/298138/en-us) x86 to x64 restore is NOT possible.

    "Database format changes from the 32-bit version to the 64-bit version cause incompatibilities, and the restore is blocked. This is similar to the move from Windows 2000 to the Windows Server 2003 CA. However, there is no upgrade path from a 32-bit version of Windows Server 2003 to a 64-bit version. Therefore, you cannot move an existing 32-bit database to a 64-bit database."

    --------------------------

    So, can we use the method in the article mentioned (backup, restore etc.) to migrate a Windows 2003 root enterprise CA to a Windows 2008 R2 server?

    Can anyone share?

    Thank you for your help.

    Tuesday, March 6, 2012 5:28 PM

Answers

All replies

  • The mentioned KB is related to Windows 2000 -> Windows Server 2003 migration and does not apply to newer systems. You can migrate a Windows Server 2003 (x86) CA to a Windows Server 2008 R2 (x64)-based CA without any questions.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    • Marked as answer by Bruce-Liu Wednesday, March 21, 2012 1:58 AM
    Tuesday, March 6, 2012 5:43 PM
  • Hi Vadims,

    Thanks for your reply. Also, we have a different name for the Windows 2008 server, which is different from the Windows 2003 server. I checked my CA name, which is my Windows 2003 server name. So I should not change it through the registry key mentioned below?

    Thank you.

    -------------

    To analyze the registry file

    1. Right-click the .reg file created by exporting the settings from the source CA.

    2. Click Edit to open the file in a text editor.

    3. If the target CA's computer name is different from the source CA's computer name, search the file for the host name of the source CA computer. For each instance of the host name found, ensure that it is the appropriate value for the target environment. Change the host name, if necessary. Update the CAServerName value.

      Important
      If the host name is located in the .reg file as part of the CA name, such as in the Active value within the Configuration key or the CommonName value within the CAName key, do not change the setting. The CA name must not be changed as part of the migration. This means the new target CA must have the old CA's name, even if part of that name is the old CA's host name.
    Tuesday, March 6, 2012 6:03 PM
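The TechNet procedure quoted above boils down to a manual text search of the exported .reg file. The following script is an added example, not part of the thread or the TechNet article: it scans the export for the old host name and labels each hit according to the article's rule (CAServerName may be updated; a host name that is part of the CA name, whether in the Active value under Configuration, in CommonName, or in the CA's own key name, must stay). The host name OLDCA01, the CA name OLDCA01-CA and the .reg text are constructed placeholders.

```powershell
# Added example (not from the thread or the TechNet article): classify hits of the
# old CA host name in an exported CertSvc registry file.
# OLDCA01 / OLDCA01-CA are placeholders; $regText is a constructed sample.
$OldHost = 'OLDCA01'

# Constructed sample of an export of HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
$regText = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration]
"Active"="OLDCA01-CA"
"DBDirectory"="C:\\Windows\\system32\\CertLog"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\OLDCA01-CA]
"CommonName"="OLDCA01-CA"
"CAServerName"="OLDCA01"
"CRLPeriod"="Weeks"
'@

function Get-HostNameHits {
    param([string[]]$Lines, [string]$HostName)
    $currentKey = ''
    foreach ($line in $Lines) {
        $containsHost = $line.IndexOf($HostName, [StringComparison]::OrdinalIgnoreCase) -ge 0
        if ($line -match '^\[(.+)\]$') {
            # Key header: remember where we are. A hit here is the CA's own key name.
            $currentKey = $Matches[1]
            if ($containsHost) {
                New-Object PSObject -Property @{
                    Key = $currentKey; Name = '(key name)'; Value = ''
                    Action = 'KEEP - the CA name is the key name and must not change'
                }
            }
            continue
        }
        if (-not $containsHost) { continue }
        if ($line -notmatch '^"(?<name>[^"]+)"=(?<value>.*)$') { continue }
        $name  = $Matches['name']
        $value = $Matches['value']
        $action = switch ($name) {
            'CAServerName' { 'UPDATE to the target host name' }
            'CommonName'   { 'KEEP - part of the CA name' }
            'Active'       {
                # Active under ...\CertSvc\Configuration holds the CA name itself
                if ($currentKey -like '*\CertSvc\Configuration') { 'KEEP - part of the CA name' }
                else { 'REVIEW - decide for the target environment' }
            }
            default        { 'REVIEW - decide for the target environment' }
        }
        New-Object PSObject -Property @{ Key = $currentKey; Name = $name; Value = $value; Action = $action }
    }
}

Get-HostNameHits -Lines ($regText -split "`r?`n") -HostName $OldHost |
    Select-Object Name, Value, Action, Key | Format-Table -AutoSize
```

With the sample above, Active, the CA key name and CommonName are reported as KEEP and only CAServerName as UPDATE. One caveat for a real export: REG_MULTI_SZ values such as CRLPublicationURLs are written as hex(7): byte lists in a .reg file, so a plain text scan will not see an old host name inside them; review those values in the CA console instead.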
  • Are you asking about the host name, or the CA name? You cannot change the CA name without decommissioning the old CA and building a new CA from scratch.

    It is possible to change the CA server host name. Here is a note about what should be changed: http://technet.microsoft.com/en-us/library/cc742471(WS.10).aspx, see the "Updating CRL Distribution Point and Authority Information Access Extensions" section.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    • Marked as answer by Bruce-Liu Wednesday, March 21, 2012 1:58 AM
    Tuesday, March 6, 2012 6:43 PM
  • Hi Vadims,

    Thanks for your great help. I cannot change the common name, right?

    What about certificate templates? If I open the CA snap-in --> click Certificate Templates, I get the following certificate templates in the list (see the first image).

    If I right-click Certificate Templates --> choose Manage in the CA snap-in, I get the following certificate templates which are allowed "Autoenrollment" (see the second image).

    Are these "Autoenrollment" allowed certificate templates in use? We have a Windows 2003 R2 Standard root and enterprise CA. But these "Autoenrollment" allowed certificate templates support Windows 2003 Server, Enterprise Edition?

    Thank you for your help.

    Wednesday, March 7, 2012 3:14 PM
  • I recently went through a Windows Server 2003 > Windows Server 2008 R2 migration. I found it easier not to export the registry settings but to put the required ones back in place after the CA was moved to the new servers. But that is totally up to you. I wanted to make sure that settings that did not apply to Windows Server 2008 CAs were not applied. FYI, I did change the name of the hosts the CA was on. It is only the CA Name that cannot be changed (EVER).

    Certificate templates merely state the version of Windows required in order to use them. Windows 2000 supports only v1 templates. Windows Server 2003 supports v1 and v2 templates. Windows Server 2008 supports v1, v2 and v3 templates.

    Wednesday, March 7, 2012 5:54 PM
  • The Autoenrollment flag determines whether autoenrollment can automatically distribute certificates to clients based on a particular template. Windows Server 2003 (all editions and all service packs) does not support autoenrollment functionality (server side). What you see (Windows Server 2003 Enterprise Edition) is the minimum supported CA. These templates are supported by Windows Server 2003/2008 Enterprise and Datacenter editions and Windows Server 2008 R2 all editions (except Web Edition).

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Wednesday, March 7, 2012 6:12 PM
  • Hi Vadims,

    Great info, and from the TechNet article http://technet.microsoft.com/en-us/library/cc742388(WS.10).aspx

    So, the first image is the certificate templates assigned.

    What about the second image in the above post? I remember the certificate templates (wireless) were set up to be used for our secured wireless access.

    Can we know which certificate templates are in use by us?

    Thank you for your help.

    ----

    To list the certificate templates for an enterprise CA by using the Certification Authority snap-in

    1. Log on with local administrator permissions to the CA computer.

    2. Open the Certification Authority snap-in.

    3. In the console tree, click Certificate Templates.

      The assigned certificate templates appear in the details pane.

    Wednesday, March 7, 2012 7:20 PM
  • > Can we know which certificate tempaltes are in use by us?

    Obviously those that are assigned to the CA. But you can look at the CA database (Issued Certificates folder) to get the template names in use. If there are too many issued certificates, you can use PowerShell and my PowerShell PKI module (http://pspki.codeplex.com/). The following command will display all certificate templates that were used at least once:

    Get-CertificationAuthority <CAHostName> | Get-IssuedRequest -property certificatetemplate | select -unique certificatetemplate

    Just replace <CAHostName> with the actual value (FQDN; wildcards are supported).


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Wednesday, March 7, 2012 7:37 PM
  • Hi Vadims,

    I tried to run the powershell and I got the following result:

    Thank you!

    ----------------------------

    The term 'Get-CertificationAuthority' is not recognized as the name of a cmdlet, function, script file, or operable pro
    gram. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:27
    + Get-CertificationAuthority <<<<  CAname1 | Get-IssuedRequest -property certificatetemplate | select -unique certifi
    catetemplate
        + CategoryInfo          : ObjectNotFound: (Get-CertificationAuthority:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException


    Wednesday, March 7, 2012 10:18 PM
  • Have you installed the module? Also, you need to import the module into the session by running the 'Import-Module PKI' command. Only then will the module commands be available.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Thursday, March 8, 2012 6:15 AM
  • Hi Vadims,

    Now I have time to work on this again.

    I installed http://pspki.codeplex.com/releases/view/79921
    Still, I cannot run that command.

    Do I need to install http://pspki.codeplex.com/releases/view/79921?
    This is a Windows 2003 server DC and I installed PowerShell v2 on the
    server.

    Where should I launch Get-CertificationAuthority? From PowerShell v2?

    Thank you.

    Wednesday, March 28, 2012 8:11 PM
  • You need to import the module into your PowerShell session by running: Import-Module PKI

    For details about importing the module see the documentation page: http://pspki.codeplex.com/documentation


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Thursday, March 29, 2012 5:08 AM
  • Hi Vadims,

    Thank you for your help and it worked now.

    I just found one template (CA Exchange) via PowerShell which is not shown in the MMC.

    CertificateTemplate
    -------------------
    DomainController
    User
    CAExchange
    EFS
    EFSRecovery

    We just need to set up wireless via a RADIUS server (authentication method is PEAP or EAP).

    Do you know which templates we should have?

    Thank you very much for your help.

    Thursday, March 29, 2012 4:05 PM
  • Probably I misread your initial question. My thought was that you needed to get the list of all certificate templates that were ever used by the CA to issue certificates. If you need to know which certificate templates are assigned to the CA, you need to run another command:

    Get-CertificationAuthority | Get-CATemplate

    This command returns the list of all templates in the Templates property. To expand the view, you can do this:

    Get-CertificationAuthority -computer ca.domain.com | Get-CATemplate | Select -Expand Templates


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki


    Thursday, March 29, 2012 6:00 PM
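The two PSPKI commands given in this reply and in the earlier one (Get-CATemplate for assigned templates, Get-IssuedRequest -Property CertificateTemplate for templates actually used) answer two different questions, and putting them side by side is what the poster needs before deciding which templates to carry over. The script below is an added example, not from the thread or the PSPKI project; it assumes the module is installed as described in the thread, that ca.example.com is replaced with the real CA host name, and is written for PowerShell v2 (no member enumeration or [pscustomobject]).

```powershell
# Added example (not from the thread or the PSPKI project): templates assigned to the CA
# next to the templates that appear on issued certificates. ca.example.com is a placeholder.
Import-Module PKI   # module name as used in the thread; later PSPKI releases register it as 'PSPKI'

$CaHost = 'ca.example.com'
$ca = Get-CertificationAuthority -ComputerName $CaHost

# Templates currently assigned: what the Certificate Templates folder of the snap-in shows.
$assigned = @($ca | Get-CATemplate | Select-Object -ExpandProperty Templates |
    ForEach-Object { $_.Name })

# Templates that were used at least once. For v1 templates the column holds the template
# name; v2/v3 templates are recorded by their OID, so they will not match an assigned name
# directly and need a lookup in the Certificate Templates console.
$usedGroups = @($ca | Get-IssuedRequest -Property CertificateTemplate |
    Group-Object -Property CertificateTemplate)
$usedNames = @($usedGroups | ForEach-Object { $_.Name })

$report = foreach ($group in $usedGroups) {
    New-Object PSObject -Property @{
        Template = $group.Name
        Issued   = $group.Count
        # CAExchange shows up here but never as assigned: it is generated from the CA's
        # built-in configuration, not from an AD template (as the thread explains).
        Assigned = ($assigned -contains $group.Name)
    }
}
"Templates used on issued certificates:"
$report | Sort-Object Issued -Descending | Select-Object Template, Issued, Assigned | Format-Table -AutoSize

# Assigned templates that never issued anything: review these before the migration
# rather than carrying them over unexamined.
"Assigned but never used:"
$assigned | Where-Object { $usedNames -notcontains $_ }
```

The "assigned but never used" list is the practical output: a template that is published on the CA but has never issued a certificate is a standing enrollment path nobody depends on, and the migration is a convenient point to drop it.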
  • Hi Vadims,

    > Probably I misread your initial question. My thought was that you needed to get the list of all certificate templates that were ever used by the CA to issue certificates.

    That's what I want, and you did not misread my question.

    Is there a way to find out which initial template a "duplicated template" was duplicated from?

    Thank you.

    Thursday, March 29, 2012 7:40 PM
  • Ok. The CA Exchange template is not listed there because the CA does not use an AD template to generate the CA Exchange certificate. Instead, it uses built-in configuration for these certificates.

    > Is there a way to find out which initial template a "duplicated template" was duplicated from?

    Nearly impossible. Though, it is possible to get certificate template properties (like the Extensions, Subject, Request Handling tabs) and compare them with other templates. Or the original template was superseded (in the Superseded Templates tab). Also you can play with template versions, but it does not guarantee anything.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Thursday, March 29, 2012 7:53 PM
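The reply above suggests comparing template properties tab by tab. The script below is an added example (not from the thread) that automates that comparison: it reads every pKICertificateTemplate object from the Certificate Templates container in the Configuration partition over ADSI, builds a profile from attributes a duplicate inherits verbatim unless the admin edited the corresponding tab, and ranks the other templates by how many attributes match the candidate. It also prints the candidate's msPKI-Supersede-Templates value, which corresponds to the Superseded Templates tab. The template name MyCompanyWireless is a placeholder; the result is a heuristic, not proof of origin, exactly as the reply warns.

```powershell
# Added example (not from the thread): rank AD certificate templates by similarity to a
# duplicated template, as a hint to which template it was copied from.
# MyCompanyWireless is a placeholder template name (the 'cn' of the pKICertificateTemplate object).
$Candidate = 'MyCompanyWireless'

$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = [string]$rootDse.Properties['configurationNamingContext'][0]
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

# Attributes copied unchanged when a template is duplicated, unless the admin edited that tab.
$comparedAttrs = @('pKIExtendedKeyUsage', 'msPKI-Certificate-Application-Policy',
                   'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-Private-Key-Flag',
                   'msPKI-Minimal-Key-Size', 'pKIDefaultKeySpec', 'flags')

function Get-TemplateProfile ($entry) {
    # Normalise every compared attribute to a sorted, joined string so multi-valued
    # attributes (EKU lists, application policies) compare order-independently.
    $profile = @{}
    foreach ($attr in $comparedAttrs) {
        $values = @($entry.Properties[$attr] | ForEach-Object { "$_" }) | Sort-Object
        $profile[$attr] = ($values -join ';')
    }
    $profile
}

$profiles = @{}
$superseded = @()
foreach ($entry in $container.Children) {
    $cn = [string]$entry.Properties['cn'][0]
    $profiles[$cn] = Get-TemplateProfile $entry
    if ($cn -eq $Candidate) {
        $superseded = @($entry.Properties['msPKI-Supersede-Templates'] | ForEach-Object { "$_" })
    }
}
if (-not $profiles.ContainsKey($Candidate)) { throw "Template '$Candidate' not found in AD" }

$target = $profiles[$Candidate]
$ranking = foreach ($name in $profiles.Keys) {
    if ($name -eq $Candidate) { continue }
    $score = 0
    foreach ($attr in $comparedAttrs) {
        if ($profiles[$name][$attr] -eq $target[$attr]) { $score++ }
    }
    New-Object PSObject -Property @{ Template = $name; MatchingAttributes = $score }
}

"Templates listed on the Superseded Templates tab of '$Candidate': " + ($superseded -join ', ')
"Closest matches out of $($comparedAttrs.Count) compared attributes:"
$ranking | Sort-Object MatchingAttributes -Descending | Select-Object -First 5 |
    Select-Object Template, MatchingAttributes | Format-Table -AutoSize
```

A full score only says the two templates still agree on these attributes; it does not tell you which one came first, and an admin who changed the EKU or key size on the duplicate will lower the score. Treat the top entries as candidates to open side by side in the Certificate Templates console, not as an answer.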
  • Hi Vadims,

    Thank you for your continuing support.

    So, from MMC,  I can get the certificate templates that are in use.

    As in the previous post, I saw several templates under Manage if I right-click Certificate Templates in the MMC (see the image below), and the previous admin set up RADIUS for wireless (EAP or PEAP authentication).

    I saw mycompany Wireless and RAS and IAS server templates which are duplicated.

    From what I understand now, these templates are not in use and I should not worry about them. Right?

    Thank you for your help.

    Friday, March 30, 2012 8:08 PM
  • > From what I understand now, these templates are not in use and I should not worry about them. Right?

    Looks like yes.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Saturday, March 31, 2012 7:31 AM