Michael Baird
I have to replace my Root CA machine since the hardware is at end of
lease.
I found KB article 298138 at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;298138
However, something in this article doesn't quite fit. In brief the
article outlines the following procedure:
1) Back up the CA (and reg key)
2) Install certificate services on the new hardware doing Advanced
install which will allow for restoring the backup to the new machine
3) Restore the reg key
4) Verify the new hardware works
5) Delete CA Keys from the old machine (using certutil)
6) Remove Cert Services from the old machine
The note at the end of the article says the new machine and old
machine need to have the same name, but how can they? You can't have
2 computer objects in AD with the same name and you can't rename a
computer with certificate services installed on it.
Once I load certificate services on the new box I can't rename it.
I can't give it the same name as the old box unless I remove
certificate services from the old box first so that I can rename it in
(or remove it from) the domain.
I think the only way I can do this would be like this instead:
1) Back up the CA (and reg key)
2) Delete CA Keys from the old machine (using certutil)
3) Remove Cert Services from the old machine
4) Remove the old server from AD (or rename it)
5) Join the new server to AD with the same name as the old server
6) Install certificate services on the new hardware doing Advanced
install which will allow for restoring the backup to the new machine
7) Restore the reg key
8) Verify the new hardware works
The only problem with this is that it precludes testing and there
would be no way to bring the old server back in the event of
problems...
Should this article be retitled 'Catch-22'?
Am I missing something?
Comments or suggestions anyone?
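The safety problem the post raises is that keys get deleted before the new box is verified. As an added example (not from the post or from KB 298138), this PowerShell splits the work into a backup phase for the old CA and a verification phase for the new one, so the old keys are only removed once the checks pass. It uses certutil.exe and reg.exe as shipped with Windows; the backup directory, key password and manifest file name are assumptions.

```powershell
# Added example, not part of KB 298138. Phase 1 runs on the old CA, phase 2 on the
# new server after the Advanced install + restore. Paths/password are placeholders.

function Backup-CaState {
    param([Parameter(Mandatory)][string]$BackupDir,
          [Parameter(Mandatory)][string]$KeyPassword)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # CA database plus private key (key is exported as a password-protected PKCS#12).
    certutil -p $KeyPassword -backup $BackupDir
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed ($LASTEXITCODE)" }
    # The CertSvc configuration key the KB says to carry over to the new machine.
    $cfgKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    reg export $cfgKey (Join-Path $BackupDir 'certsvc-config.reg') /y
    if ($LASTEXITCODE -ne 0) { throw "reg export failed ($LASTEXITCODE)" }
    # Record what the restored CA must look like; 'Active' holds the CA common name.
    $caName = (Get-ItemProperty "Registry::$cfgKey").Active
    @{ CaName = $caName; HostName = $env:COMPUTERNAME; Taken = (Get-Date).ToString('o') } |
        ConvertTo-Json | Set-Content (Join-Path $BackupDir 'manifest.json')
}

function Test-CaRestore {
    param([Parameter(Mandatory)][string]$BackupDir)
    $m = Get-Content (Join-Path $BackupDir 'manifest.json') -Raw | ConvertFrom-Json
    $problems = @()
    # Name check: CDP/AIA URLs, clients and the AD objects still reference the old host name.
    if ($env:COMPUTERNAME -ne $m.HostName) {
        $problems += "host is $env:COMPUTERNAME, backup was taken on $($m.HostName)"
    }
    # The restored registry key must make the same CA active.
    $active = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
               -ErrorAction SilentlyContinue).Active
    if ($active -ne $m.CaName) { $problems += "active CA is '$active', expected '$($m.CaName)'" }
    # Service must be up and answering enrollment requests.
    certutil -ping | Out-Null
    if ($LASTEXITCODE -ne 0) { $problems += "certutil -ping failed ($LASTEXITCODE)" }
    return $problems   # empty means the old machine's keys can now be deleted
}

# Old CA:  Backup-CaState -BackupDir 'D:\CA-Backup' -KeyPassword 'placeholder'
# New CA:  $issues = Test-CaRestore -BackupDir 'D:\CA-Backup'; if ($issues) { $issues }
```

Only when Test-CaRestore returns nothing should the old server's keys be removed, which keeps the fallback the post says the reordered procedure loses.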