migration from 2003 root standalone CA to enterprise 2008 R2 CA

  • Question

  • Hi all, I have a couple of problems after migration from Windows 2003 SP2 to 2008 R2. I'm following the guide http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx and I have a problem with issuing certificates from the MMC console; enrollment is also not working with the specified templates, I didn't see the templates in the console, and finally I cannot add more CA role services if I need to. But I can issue certificates via web enrollment.

     I'm changing the type of CA from standalone root 2003 to enterprise root 2008 R2 and also migrating to a new box with a different hostname. On the old CA there are about 5 valid certificates, so I think I don't need to configure a CRL for the old server.

    This event happened when I restored the CA config registry from the old box:

    Log Name:      Application
    Source:        Microsoft-Windows-CertificationAuthority
    Date:          2. 3. 2010 10:05:55
    Event ID:      53
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          SYSTEM
    Computer:      CA.xxxxx.xx
    Description:
    Active Directory Certificate Services denied request 205 because The request subject name is invalid or too long. 0x80094001 (-2146877439).  The request was for SUSR\dss.  Additional information: Error Constructing or Publishing Certificate
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" />
        <EventID Qualifiers="33370">53</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2010-03-02T09:05:55.000000000Z" />
        <EventRecordID>348</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>CA.xxxxxxx.xx</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="MSG_DN_CERT_DENIED_WITH_INFO">
        <Data Name="RequestId">205</Data>
        <Data Name="Reason">The request subject name is invalid or too long. 0x80094001 (-2146877439)</Data>
        <Data Name="SubjectName">SUSR\dss</Data>
        <Data Name="AdditionalInformation">Error Constructing or Publishing Certificate</Data>
      </EventData>
    </Event>

    I did a little investigation in the lab with the registry setting: when I do not restore the registry from the old server everything works fine, templates work, I see the templates in the console, I can also issue certificates from templates with the MMC console, and I can add role services.

    The question is: can I leave the new CA without restoring the old CA config registry from the source server?

    Tuesday, March 2, 2010 9:44 AM

All replies

  • I would not recommend moving a Root CA from Standalone to Enterprise CA for security reasons. An Enterprise CA has to be always online and connected to the network (in certain cases it is possible to turn off a domain computer for a long time, but it is still not recommended) and is more exposed to remote attacks than an isolated standalone CA that doesn't require a network connection.
    http://www.sysadmins.lv
    Tuesday, March 2, 2010 10:08 AM
  • So you recommend creating a new standalone root based on 2008 R2, and if we plan to use autoenrollment, smart cards and other automatic features integrated in AD, we would deploy an enterprise subordinate CA?
    Tuesday, March 2, 2010 11:07 AM
  • Yes, this would be a better solution.
    http://www.sysadmins.lv
    Tuesday, March 2, 2010 11:42 AM
  • And what do you think about the problem I posted above? I had almost the same problem when I migrated to a standalone CA in the lab: after the registry restore I could not add role services. Can I leave the registry untouched?
    Tuesday, March 2, 2010 11:52 AM
  • I believe the problem is with the slash sign in the subject name. As far as I understand this character is not allowed in the subject. When you perform a CA migration the registry MUST be restored as the last step. In general restoration should be performed as follows:
    1) on the new server install the AD CS role.
    2) during installation import the existing CA key pair (MUST be backed up on the previous CA installation)
    3) restore the CA database
    4) import registry.
    http://www.sysadmins.lv
    Tuesday, March 2, 2010 2:00 PM
  • The problem is that you are changing the hostname
    You must maintain the NetBIOS name and the domain name between the two servers when you are migrating
    As the wizard told you when you first installed, your NetBIOS name or the DNS name after installation
    Brian
    Tuesday, March 2, 2010 2:07 PM
  • > You must maintain the NetBIOS name and the domain name between the two servers when you are migrating

    why?
    http://www.sysadmins.lv
    Tuesday, March 2, 2010 2:20 PM
  • Because this is the official line from Microsoft.
    Contact me offline, Vadims <G>
    Brian
    Tuesday, March 2, 2010 2:22 PM
  • OK. I'm really interested in this.
    http://www.sysadmins.lv
    Tuesday, March 2, 2010 2:39 PM
  • > I believe the problem is with the slash sign in the subject name. As far as I understand this character is not allowed in the subject. When you perform a CA migration the registry MUST be restored as the last step. In general restoration should be performed as follows:
    > 1) on the new server install the AD CS role.
    > 2) during installation import the existing CA key pair (MUST be backed up on the previous CA installation)
    > 3) restore the CA database
    > 4) import the registry.
    > http://www.sysadmins.lv

    Hi, I followed exactly this order and it doesn't work. I will try not restoring the registry and manually renaming the hostname in the registry instead.
    Tuesday, March 2, 2010 3:47 PM
  • Try this command from the Command Prompt and let us know:
    certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT
    - Saakar
    Wednesday, March 10, 2010 10:20 AM
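Two points in this thread lend themselves to a check a practitioner can run before starting certsvc on the migrated server: whether the imported CA configuration registry key still carries the old hostname (the rename problem discussed from the first post onward), and what the CRLFlags value is after the `certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT` suggestion in the last reply. The following PowerShell script is an added example written for this page; it is not code from any of the posters, from the TechNet migration guide, or from Microsoft. It assumes the standard `HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration` key location, that `-OldHostName` is the source server's name supplied by whoever runs it, and that `CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT` has the value 0x10000 from certsrv.h. It only reads the registry; the corrective commands are given in its output as text.

```powershell
# Added example (not from the thread): audit the AD CS Configuration registry key
# on a migrated CA. Read-only; run in an elevated PowerShell on the new CA host.
# Assumptions: -OldHostName is the source server's name (supplied by the caller);
# the key path is the standard CertSvc location; 0x10000 is the value of
# CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT as defined in certsrv.h.
param(
    [Parameter(Mandatory)] [string] $OldHostName,
    [string] $ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
)

$CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT = 0x00010000

# Walk the Configuration key and every subkey; report each string or multi-string
# value whose data still contains the old host name (CAServerName, publication
# URLs with a literal server name, and so on). These are the values an imported
# registry backup carries over from the source server.
function Find-OldHostReferences {
    param([string] $Key, [string] $HostName)
    $hits = @()
    foreach ($k in @(Get-Item $Key) + @(Get-ChildItem $Key -Recurse)) {
        $props = Get-ItemProperty -Path $k.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath etc.
            $text = ($p.Value | Out-String)
            if ($text -match [regex]::Escape($HostName)) {
                $hits += [pscustomobject]@{ Key = $k.Name; Value = $p.Name; Data = $text.Trim() }
            }
        }
    }
    return $hits
}

# For every CA subkey, decode CRLFlags and say whether the CA accepts a subject
# name supplied in request attributes (the flag the last reply proposes adding).
function Test-RequestAttributeSubject {
    param([string] $Key)
    $results = @()
    foreach ($ca in Get-ChildItem $Key) {
        $flags = (Get-ItemProperty -Path $ca.PSPath -Name CRLFlags -ErrorAction SilentlyContinue).CRLFlags
        if ($null -eq $flags) { continue }          # not a CA subkey
        $results += [pscustomobject]@{
            CA                            = $ca.PSChildName
            CRLFlags                      = ('0x{0:X}' -f $flags)
            AllowsRequestAttributeSubject = [bool]($flags -band $CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT)
        }
    }
    return $results
}

$refs = Find-OldHostReferences -Key $ConfigKey -HostName $OldHostName
if ($refs) {
    Write-Warning "Values still referencing '$OldHostName' (fix these before starting certsvc):"
    $refs | Format-Table -AutoSize
} else {
    Write-Host "No values under $ConfigKey reference '$OldHostName'."
}

$flagReport = Test-RequestAttributeSubject -Key $ConfigKey
$flagReport | Format-Table -AutoSize
foreach ($r in ($flagReport | Where-Object AllowsRequestAttributeSubject)) {
    Write-Warning (("CA '{0}' accepts subject names supplied in request attributes, so the " +
                    "requester rather than the template or AD chooses the subject; review who " +
                    "holds Enroll permissions on this CA. To clear the flag: " +
                    "certutil -setreg ca\CRLFlags -CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT") -f $r.CA)
}
```

`certutil -getreg ca\CRLFlags` shows the same CRLFlags value the script decodes, and `certutil -setreg` with a leading `-` instead of `+` removes a flag; either way the change takes effect only after certsvc is restarted (`net stop certsvc` then `net start certsvc`). Running the hostname check before the registry import is done on the source server, after it on the target, is what tells you which values the rename actually touched.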