Question about CA server migration

Felix Lai 1 Reputation point
2022-03-16T08:55:15.687+00:00

Hi Sir/Madam,

I am planning to migrate my CA server to another host. But I have some questions about my situation. Would you mind giving me some suggestions about that?

Current setting:

  1. Cert server is installed on a Domain Controller now
  2. This Domain Controller is a Win 2k8 server
  3. Hostname of the server (i.e. a.abc.com)

Want to migrate to following server:

  1. It is a Domain Controller too
  2. This Domain Controller is a Win 2k12r2 server
  3. Hostname of the server (i.e. b.abc.com)

I have read the following migration guides:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486797(v=ws.11)
https://learn.microsoft.com/en-us/archive/blogs/canitpro/step-by-step-migrating-the-active-directory-certificate-service-from-windows-server-2003-to-2012-r2

I know that basically I need to do these steps:

  1. Backup Root CA
  2. Uninstall Root CA and Domain controller
  3. Install New Root CA server
  4. Restore the Root CA backup

What I want to ask / confirm:

  1. On my new cert server (Win 2k12r2 DC), the hostname is different from the old cert server (Win 2k8 DC); it won't affect the cert service, right?
  2. On my new cert server (Win 2k12r2 DC), the host IP is different from the old cert server (Win 2k8 DC); it won't affect the cert service, right?
  3. After following the migration steps above, the only critical component to maintain the cert service is the "CA name", it must not have any changes, right?
  4. After the migration completes, is there any guide/steps/checking to confirm the CA service is running well on the new server?
  5. The old cert server (Win 2k8 DC) has previously issued certificates; the CRL Distribution Points / Authority Information Access entries point to the old hostname (i.e. a.abc.com). I read the answer from Daisy: https://learn.microsoft.com/en-us/answers/questions/315310/certificate-server-name-change.html . There is a sentence: "This means that any certificate issued by the CA prior to migration may contain a certificate verification path that contains the old host name. These paths may no longer be valid after migration. To avoid revocation checking errors, the new CA must be configured to publish the CRL to the old (pre-migration) path as well as the new path." It seems I need to set the CRL path on the new machine (Win 2k12r2), and it should be the same as the path of the old machine (Win 2k8). Would you mind giving more details about how to set the CRL path on the new machine?

I am new to configuring the cert server, thank you very much for your information to assist my work.

Thanks!
Best Regards,
Felix

Windows Server Security

1 answer

    cthivierge 4,056 Reputation points
    2022-03-16T13:31:45.217+00:00

    Hi,

    Installing a CA server on a DC is not recommended.

    1. No, the NetBIOS name of the Windows Server that hosts the CA does not have to be the same. There is a modification you need to do before importing the registry file on the new server.
    2. The IP address has nothing to do with the CA server, so no, there is no issue.
    3. The CA name will not change. If your CA name is "My Domain RootCA", the name will be the same after the migration.
    4. There are a few things to validate after the migration, like: can you request and receive a certificate, can the AIA / CDP be reached?
    5. The CDP and AIA are critical. If you change those URLs, it will only affect new certificates from now on. All certificates that are in use (published by the old CA) will still need to contact the old AIA / CDP path. So make sure the old path is still valid.

    Here are some good references:
    https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx (search for "Configure the AIA and CDP")

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)

    hth

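The part of the answer about keeping the old AIA / CDP path valid (point 5) and the post-migration check (point 4), as an added PowerShell example that is not from this thread or from Microsoft. It assumes the CA has already been restored on b.abc.com under the CA name given in the script, and that a.abc.com still resolves (for example through a DNS alias) to a web server serving the new host's CertEnroll folder; the CA name, the registry value names used and the helper function names are assumptions.

```powershell
# Added example, not code from this thread or from Microsoft. Assumes the CA was
# already restored on b.abc.com under $CaName, and that a.abc.com still resolves
# (e.g. a DNS alias) to a web server serving this host's CertEnroll folder, so the
# http:// URLs embedded in certificates issued before the move keep working.
$CaName     = 'My Domain RootCA'   # assumed CA common name (check with: certutil -cainfo name)
$OldHost    = 'a.abc.com'          # DNS name in the CDP/AIA of pre-migration certificates
$OldShort   = 'a'                  # NetBIOS name used in the old LDAP CDP container
$CertEnroll = "$env:SystemRoot\System32\CertSrv\CertEnroll"
$RegPath    = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"

# Prefix flags in CRLPublicationURLs / CACertPublicationURLs (AD CS documented values):
#   1 = publish the CRL / CA cert to this location, 2 = include in issued certificates,
#   64 = also publish delta CRLs here (CRL list only). 65 = 1 + 64.
function Add-PublicationUrl {
    param([string]$ValueName, [string]$Entry)
    $current = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
    if ($current -contains $Entry) { return $false }       # already configured
    Set-ItemProperty -Path $RegPath -Name $ValueName -Type MultiString `
                     -Value ([string[]]($current + $Entry))
    return $true
}

# CRL: its file name (%3%8%9.crl) carries no host name, so the local CertEnroll copy
# already answers http://a.abc.com/... once the alias exists. Keep the old LDAP CDP
# object (CN=<CA>,CN=a,CN=CDP,...) refreshed too; the CA computer account needs
# write access to it, otherwise CertSvc logs a publish error after each CRL.
Add-PublicationUrl 'CRLPublicationURLs' `
    "65:ldap:///CN=%7%8,CN=$OldShort,CN=CDP,CN=Public Key Services,CN=Services,%6%10"

# AIA: old certificates expect http://a.abc.com/CertEnroll/a.abc.com_<CA>.crt, but
# the new host writes b.abc.com_<CA>.crt, so also publish a copy under the old name.
Add-PublicationUrl 'CACertPublicationURLs' "1:$CertEnroll\${OldHost}_%3%4.crt"

Restart-Service CertSvc   # the publication lists are read when the service starts
certutil -crl             # republish now, then check the Application log for CertSvc errors

# Post-migration check (point 4 of the answer): fetch the old-path CRL and CA cert the
# way a client would, then let certutil build and revocation-check a pre-migration cert.
function Test-OldPublicationPath {
    param([string]$IssuedCertPath)   # a .cer issued by the old host (export one from a user)
    $crl = "http://$OldHost/CertEnroll/" + [uri]::EscapeDataString("$CaName.crl")
    $aia = "http://$OldHost/CertEnroll/" + [uri]::EscapeDataString("${OldHost}_$CaName.crt")
    foreach ($u in @($crl, $aia)) {
        try { Invoke-WebRequest -Uri $u -UseBasicParsing -ErrorAction Stop | Out-Null }
        catch { return $false }                              # 404 etc. = old path is broken
    }
    certutil -verify -urlfetch $IssuedCertPath | Out-Null   # non-zero exit on chain/CRL failure
    return ($LASTEXITCODE -eq 0)
}
```

Run it elevated on the new CA; Test-OldPublicationPath returns $true only when both old-host URLs answer and certutil can build and revocation-check the chain of a certificate issued before the migration.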