From: PA Bear [MS MVP] on 26 May 2010 01:34

[Forwarded to microsoft.public.windows.server.general via crosspost]

Putyaning Handoko wrote:
> Dear All,
>
> I want to move the CA enterprise to another server, because the current CA
> server as domain controller and this server have a problem so we will plan
> to move the CA enterprise function to another domain controller.
> Could you share the best practise to move the CA enterprise in domain
> controller?
>
> Thanks & Regards,
> Putyaning
From: Trust No One on 4 Jun 2010 09:11

"Putyaning Handoko" <putyaning.handoko(a)firstmedia.com> wrote in message news:%231C8w1I$KHA.3840(a)TK2MSFTNGP02.phx.gbl...
> Dear All,
>
> I want to move the CA enterprise to another server, because the current CA
> server as domain controller and this server have a problem so we will plan
> to move the CA enterprise function to another domain controller.
> Could you share the best practise to move the CA enterprise in domain
> controller?
>

There is a KB article that deals with the move of Microsoft CAs to new hardware.

http://support.microsoft.com/kb/298138

I've used this process a couple of times in the past to cater for hardware upgrades.

Basically you:

Backup the CA database and keys and the certificate services registry hive.
Remove certificate services from the old domain controller.
Decommission the old domain controller (or rename it).
Build a new domain controller (or rename an existing one) so that it has the same name as the old domain controller.
Reinstall certificate services on the new domain controller using the previously saved keys.
Restore the CA database and re-import the previously saved registry hive.

Note it is not possible to move the CA to a domain controller with a different name - the name has to be the same as the old domain controller. I believe (speaking under correction) that this limitation has changed with Windows Server 2008. It definitely applies to W2K and W2K3 though.

Finally note that if you have a multi-domain forest that you will need to repopulate the membership of the CERTSVC_DCOM_ACCESS group to cater for domains other than that in which the CA is hosted. If you miss this step you may get autoenrollment errors in these domains. It is probably best to document the membership of this group before you move the CA.

If you do change the membership of the CERTSVC_DCOM_ACCESS group you should run the following commands on the domain controller hosting the CA:

    certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
    net stop certsvc
    net start certsvc

Hope this helps:

--
Peter
<X-Files fan>
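The "back up first, document the group" part of the procedure above, as an added example that is not part of the original post or the KB article: it captures the CA database and keys, the certificate services registry hive, the CERTSVC_DCOM_ACCESS membership and the server name before the old CA is touched. It assumes PowerShell is available and elevated on the old CA server; `$BackupRoot`, the file names and the `Invoke-Native` helper are hypothetical.

```powershell
# Added example: pre-move capture on the OLD CA server (run elevated).
# Assumption: $BackupRoot is a hypothetical path; point it at access-controlled
# storage, because the backup contains the CA private key.
param([string]$BackupRoot = 'D:\CAMove')

$ErrorActionPreference = 'Stop'
$dir = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dir | Out-Null

# Hypothetical helper: run a native command and stop on a non-zero exit code.
function Invoke-Native([string]$What, [scriptblock]$Command) {
    & $Command
    if ($LASTEXITCODE -ne 0) { throw "$What failed with exit code $LASTEXITCODE" }
}

# 1. CA database plus CA certificate and private key (PKCS #12).
#    No -p switch: certutil prompts for the password, keeping it off the command line.
$caBackup = Join-Path $dir 'CABackup'
Invoke-Native 'CA backup' { certutil -backup $caBackup }

# 2. Certificate services registry hive, re-imported on the new server.
$regFile = Join-Path $dir 'CertSvc-Configuration.reg'
Invoke-Native 'Registry export' {
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile
}

# 3. Document CERTSVC_DCOM_ACCESS membership so it can be repopulated
#    for the other domains in the forest after the move.
$groupFile = Join-Path $dir 'CERTSVC_DCOM_ACCESS-members.txt'
$members = net localgroup CERTSVC_DCOM_ACCESS
if ($LASTEXITCODE -ne 0) { throw 'Could not read CERTSVC_DCOM_ACCESS membership' }
$members | Set-Content -Path $groupFile

# 4. Record the server name: on W2K/W2K3 the new server must carry the same one.
$env:COMPUTERNAME | Set-Content -Path (Join-Path $dir 'old-server-name.txt')

# 5. Refuse to continue with an incomplete backup set.
$p12 = Get-ChildItem -Path $caBackup -Filter '*.p12'
$db  = Test-Path (Join-Path $caBackup 'DataBase')
if (-not $p12 -or -not $db -or -not (Test-Path $regFile)) {
    throw "Backup set in $dir is incomplete; do not remove certificate services yet."
}
"Backup set complete in $dir. Keep it offline once the new CA is running."
```

After the move, compare the saved membership file with the output of `net localgroup CERTSVC_DCOM_ACCESS` on the new server before running the `certutil -setreg` and service restart commands from the post.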