Windows Server 2008 R2 move certificate authority to the Windows 2019

  • Question

  • Hi again,

    At the moment I have my certificate authority on the Windows 2008 R2 Server and want to move it to the WK 2019 DC. Can I have two certificate authorities at the same time on different DCs?

    Is that possible? What will happen if I have two certificate authorities at the same time?

    Regards

    Nick

    Friday, July 17, 2020 7:02 AM


All replies

  • Hi,

    Based on my research, if it is a single-tier hierarchy, it consists of one CA. The single CA is both a Root CA and an Issuing CA.

    In a 2-tier or three-tier PKI, there can be multiple Issuing CAs that are subordinate to the Root CA.

    For your reference: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/designing-and-implementing-a-pki-part-i-design-and-planning/ba-p/396953

    And it is recommended to install the CA role on a member server, not a DC.
    Best Regards,
    Fan



    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, July 20, 2020 6:37 AM
  • Hi,

    Thanks for your reply. If I understand you correctly, I can have two certificate authorities on the two DCs at the same time? Am I right?

    It is only for 2 hours until I transfer all FSMOs from the WK 2008 R2 server to the WK 2019 server. If I want to demote the WK 2008 R2, it tells me I have to uninstall the certificate authority role.

    Is that correct?

    Regards

    Monday, July 20, 2020 10:35 AM
  • Hi,

    As said above, it is not recommended to install the CA role on the DCs; of course, you can do this if you want to have additional servers. And there can be multiple Issuing CAs that are subordinate to the Root CA.


    And you are right, a domain controller cannot be removed from a host on which the CA is installed. Therefore, to remove the domain controller, the CA must first be uninstalled from the original host.

    For more steps, you can refer to the following link:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)?redirectedfrom=MSDN

    Best Regards,
    Fan




    • Marked as answer by mpng2008 Tuesday, July 21, 2020 6:33 AM
    Monday, July 20, 2020 11:47 PM
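
The thread's two points (several CAs can exist side by side, and a CA installed on a DC has to be uninstalled before that DC can be demoted) can be checked against the directory before the migration starts. The script below is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module (RSAT) and read access to the Configuration partition, and the function name `Get-EnterpriseCAPlacement` is hypothetical.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT).
# Lists only CAs registered under "Enrollment Services" in AD; a CA that is not
# published there will not appear in the output.
Import-Module ActiveDirectory

function Get-EnterpriseCAPlacement {
    # Published CAs are pKIEnrollmentService objects in the Configuration partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

    # DNS host names of every domain controller in the current domain.
    $dcHosts = @(Get-ADDomainController -Filter * | ForEach-Object { $_.HostName })

    Get-ADObject -SearchBase $base -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                 -Properties dNSHostName, certificateTemplates |
        ForEach-Object {
            $caHost = [string]$_.dNSHostName
            [pscustomobject]@{
                CAName        = $_.Name
                Host          = $caHost
                HostIsDC      = $dcHosts -contains $caHost   # -contains ignores case
                TemplateCount = @($_.certificateTemplates).Count
            }
        }
}

$cas = @(Get-EnterpriseCAPlacement)
$cas | Format-Table -AutoSize

# More than one entry means several CAs are currently published side by side.
Write-Output "Published CAs found: $($cas.Count)"

# Flag every CA whose host is also a DC: the CA role must be uninstalled from
# that host before the DC can be demoted.
$cas | Where-Object HostIsDC | ForEach-Object {
    Write-Warning "$($_.CAName) runs on domain controller $($_.Host); uninstall the CA role before demoting it."
}
```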