Hello @LRL,
Thank you for posting here.
Based on the description above, I understand you have a one-tier CA, a domain-joined Enterprise CA server.
Here are the answers for your reference.
Q1. What considerations will I need to keep in mind now that the service is running on a new server and hostname?
A1: Considerations for migrating a CA to a new machine:
- When migrating a CA, the computer name of the target computer may be different from the computer name of the source computer, but the CA name must remain unchanged.
- By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions, including the CA machine host name in the path. This means that any certificate issued by the CA prior to migration may contain a certificate verification path that contains the old host name. These paths may no longer be valid after migration. To avoid revocation checking errors, the new CA must be configured to publish the CRL to the old (pre-migration) path as well as the new path.
- During the installation process, we must choose to use the CA's existing certificate and private key instead of creating a new CA certificate and key.
Q2. How will the previously issued certificates be handled as the CRL Distribution Points and the Authority Information Access information entries point to the old hostname?
A2: By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions, including the CA machine host name in the path. This means that any certificate issued by the CA prior to migration may contain a certificate verification path that contains the old host name. These paths may no longer be valid after migration. To avoid revocation checking errors, the new CA must be configured to publish the CRL to the old (pre-migration) path as well as the new path.
Q3. Do I need to rename the new server to match the previous hostname?
A3: When migrating a CA, the computer name of the target computer may be different from the computer name of the source computer, but the CA name must remain unchanged.
Q4. which recommends using the same name.
A4: Based on my experience, if we migrate the CA to a new machine with the same hostname:
First we need to back up all CA information mentioned in the link you provided.
Then remove the old 2008 R2 CA machine from the domain, then add the new 2016 server to the domain and restore the CA information to the new 2016 machine.
This is because there cannot be more than one machine with the same computer name in the same domain.
References
AD CS Migration: Migrating the Certification Authority
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee126140(v=ws.10)#BKMK_GrantPermsAIA
Performing the Upgrade or Migration
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)
Hope the information above is helpful.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
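An added example (not part of the answer above or of Microsoft's own documentation) showing how the "publish the CRL to the old path as well as the new path" advice from A1/A2 can be applied with the ADCSAdministration cmdlets after the CA has been restored on the new host. It assumes a CA named Contoso-Issuing-CA that moved from host OLDCA to NEWCA in contoso.com, that a DNS alias for the old FQDN now points at the new server, and that the new CA's computer account was already granted permissions on the old CDP/AIA containers in AD (the step the first reference link points to); all of these names and paths are placeholders.

```powershell
# Added example, not the original poster's or Microsoft's code. Assumed names:
# CA 'Contoso-Issuing-CA' moved from OLDCA to NEWCA (contoso.com); the alias
# oldca.contoso.com resolves to NEWCA; the new CA computer account already has
# permissions on the old CDP/AIA containers in Active Directory.
Import-Module ADCSAdministration

$OldShort = 'OLDCA'
$OldFqdn  = 'oldca.contoso.com'
$NewFqdn  = 'newca.contoso.com'
$CaName   = 'Contoso-Issuing-CA'
$WebRoot  = 'C:\Windows\System32\CertSrv\CertEnroll'   # default CertEnroll folder

# 1. Review what the restored configuration still points at.
Get-CACrlDistributionPoint       | Format-Table Uri, PublishToServer, AddToCertificateCdp
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia

# 2. Keep publishing base and delta CRLs into the OLD server's LDAP CDP
#    container, which certificates issued before the migration reference by
#    the old server short name.
$OldLdap = "ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=$OldShort,CN=CDP," +
           "CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>"
Add-CACrlDistributionPoint -Uri $OldLdap -PublishToServer -PublishDeltaToServer -Force

# 3. HTTP: the CRL file name contains only the CA name, so the DNS alias alone
#    keeps http://oldca.../CertEnroll/<CaName>.crl working. The CA certificate
#    file name embeds the server FQDN, so also publish a copy under the old
#    name so the pre-migration AIA URL still resolves to a file.
certutil -config "$NewFqdn\$CaName" -ca.cert "$WebRoot\${OldFqdn}_${CaName}.crt" | Out-Null

# 4. Certificates issued from now on carry the new host in CDP and AIA.
Add-CACrlDistributionPoint -Uri "http://$NewFqdn/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force
Add-CAAuthorityInformationAccess -Uri "http://$NewFqdn/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force

# 5. Apply the change, republish the CRL to every configured location, and
#    check a certificate issued before the migration end to end (chain build
#    plus CDP/AIA fetch) from a client that does not have it cached.
Restart-Service certsvc
certutil -CRL
certutil -verify -urlfetch .\issued-before-migration.cer
```

Run the last step against a certificate exported before the migration; any "revocation server offline" or AIA fetch failure there means one of the old paths is still not being served.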