Impact of removing only CA [message #159007] Wed, 22 July 2009 16:19
Chris
I currently have my CA installed on my Windows 2003 x86 Domain Controller. I
want to migrate my current DC to new hardware running Windows 2008 x64. At
the same time I want to migrate my CA to a different server with Windows 2008
x64. We are not concerned with any certificates that we’ve manually issued
for internal websites. We haven’t done much/any manual certificate
publishing. But, we are concerned about clients that may have auto-enrolled
with certificates.

If we remove the CA and all certs residing on our current DC and then build
a new CA server with a different name and “start over” with certificate
services – should we be concerned about clients experiencing issues? I
noticed that several EFS certificates show up as being published in the
console, what happens for the users using those certificates?
Re: Impact of removing only CA [message #159009 is a reply to message #159007] Wed, 22 July 2009 16:26
Jorge Silva
Hi
Read this
http://www.microsoft.com/downloads/details.aspx?FamilyID=C70BD7CD-9F03-484B-8C4B-279BC29A3413&displaylang=en

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
Re: Impact of removing only CA [message #159013 is a reply to message #159009] Wed, 22 July 2009 17:21
Jorge Silva
Now that Windows 7 and Windows 2008 R2 are RTM’d you may want to move to R2 :)
http://eniackb.blogspot.com/2009/07/finally-windows-7-client-and-windows.html

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
Re: Impact of removing only CA [message #159019 is a reply to message #159009] Wed, 22 July 2009 17:56
Chris
I did read through the online version of that document. I see that you can
migrate (keeping the CA name). But it doesn't discuss removing the old CA
entirely and what the impact would be. I also did not see any info about
transitioning to an entirely new server with a new CA name. Let me know if
you think I missed something.

Chris
RE: Impact of removing only CA [message #159022 is a reply to message #159007] Wed, 22 July 2009 18:11
Anderson Lacruz
Hi Chris

I understand your concern. If you are not sure, you can check your default
domain policy to verify if you are using certificates with your clients
previously. Another option is to stop the Certificate service on the CA or
server with the role. You can back up the database if you want with the certutil
command.

When you stop the certificate service you can evaluate the impact for a
while in case you want to roll back the change before decommissioning the CA.
After that you can continue with the creation of another CA or migrate the CA.

I attach a link in case you want to decommission your CA
http://support.microsoft.com/kb/555151

I hope it can help you
Regards
Anderson Lacruz
Re: Impact of removing only CA [message #159023 is a reply to message #159019] Wed, 22 July 2009 18:27
Jorge Silva
Hi
- Okay, first of all, is your policy allowing EFS? Do you have KRAs
defined?
- EFS can be problematic... There is no back door into EFS; if you lose the
key(s) to it, you lose your data unless you have KRAs.
- If you remove the old CA the certs will stop working on their expiration date.
Some problems or errors that you might see are related to CRLs and AIA. If
you remove the public CA key from trusted root CAs the certs will not be
trusted and will stop working as well.
- Removing a CA from a domain is something that you may need to consider
carefully before proceeding.
- The additional options are: Migrate the CA to a new server (if possible a
dedicated server that is not a DC), then stop issuing certs until the
expiration date comes; by doing that you'll have a CA to get those certs if
needed and if you have a KRA defined.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
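The sequence suggested in the replies above (back up the CA, find out which issued certificates are still live and when the last one expires, then stop the service as a reversible trial) can be scripted as follows. This is an added example, not part of any post in the thread; the backup path, the fixed column names, the assumption that certutil prints dates in the current culture's format, and the "EFS" template-name match are all assumptions.

```powershell
# Added example. Run elevated on the old CA (PowerShell 2.0 or later).
$backupDir = 'D:\CABackup'     # assumed path; use an empty directory

# 1. Back up the CA database and key pair while the service is running.
certutil -backup $backupDir    # prompts for a password for the key file

# 2. Export every issued certificate (Disposition 20 = issued).
#    certutil -view talks to the running CA, so do this before step 7.
$cols = 'RequestID,RequesterName,CommonName,NotAfter,CertificateTemplate'
$raw  = certutil -view -restrict 'Disposition=20' -out $cols csv

# The first CSV line holds localized column titles; swap in fixed names
# (assumed here) so the script does not depend on the display language.
$issued = $raw | Select-Object -Skip 1 | Where-Object { $_ } |
    ConvertFrom-Csv -Header RequestID, Requester, CommonName, NotAfter, Template

# 3. Keep certificates that are still inside their validity period.
#    TryParse uses the current culture (assumed to match certutil's dates)
#    and silently skips rows whose date cannot be read.
$now  = Get-Date
$live = foreach ($c in $issued) {
    $exp = [datetime]::MinValue
    if ([datetime]::TryParse($c.NotAfter, [ref]$exp) -and $exp -gt $now) {
        $c | Add-Member -MemberType NoteProperty -Name Expires -Value $exp -PassThru
    }
}

# 4. Per template: how many live certificates, and when the last one expires.
$live | Group-Object Template | Sort-Object Count -Descending |
    Select-Object Name, Count, @{
        n = 'LastExpiry'
        e = { ($_.Group | Sort-Object Expires | Select-Object -Last 1).Expires }
    }

# 5. Users still holding EFS certificates (assumes the template name
#    contains "EFS", as the built-in Basic EFS template does).
$live | Where-Object { $_.Template -match 'EFS' } |
    Sort-Object Requester | Select-Object Requester, CommonName, Expires

# 6. Date after which no certificate from this CA is still valid.
($live | Sort-Object Expires | Select-Object -Last 1).Expires

# 7. Reversible trial: stop the CA service and watch for client errors.
#    While stopped, the CA publishes no new CRLs. Start-Service certsvc undoes it.
Stop-Service certsvc
```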