Microsoft Windows Server 2008 R2 and Exchange 2010

Windows Server 2008 R2 builds on the award-winning foundation of Windows Server 2008, expanding existing technology and adding new features to enable IT professionals to increase the reliability and flexibility of their server infrastructures. New virtualization tools, Web resources, management enhancements, and exciting Windows 7 integration help save time, reduce costs, and provide a platform for a dynamic and efficiently managed data center. Powerful tools such as Internet Information Services (IIS) version 7.5, updated Server Manager and Hyper-V platforms and Windows PowerShell version 2.0 combine to give customers greater control, increased efficiency and the ability to react to front-line business needs faster than ever before.

Tuesday, September 14, 2010

Certificate Service Migration From Windows 2003 to Windows 2008R2

Certificate Service Migration 

In this scenario, we will migrate our existing CA (Windows 2003) to a new server (Windows 2008 R2), keeping the same name and IP address.

So the steps in short:
  • Backup CA
  • Backup registry key for CA
  • Uninstall CA from the existing server
  • Rebuild the server with Windows Server 2008 R2 with the same name and IP address
  • Install AD CS and then restore CA from the backup location
  • Restore registry key



First Step:
Use the Certification Authority snap-in to back up the CA database and private key. To perform the backup, follow these steps:
  • In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.
  • Click Next, and then click Private Key and CA certificate.
  • Click Certificate database and certificate database log.
  • Use an empty folder as the backup location. Make sure that the backup folder can be accessed by the new server.
  • Click Next. If the specified backup folder does not exist, the Certification Authority Backup Wizard creates it.
  • Type and then confirm a password for the CA private key backup file.
  • Click Next, and then verify the backup settings. The following settings should be displayed:
      • Private Key and CA Certificate
      • Issued Log and Pending Requests
  • Click Finish.
Next we have to save the registry settings.  

To save the registry settings perform the following:
  • Click Start, and then Run. In the Run field, type regedit and click OK.
  • Locate and then right-click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration (While we are here, take a screenshot of the settings so we can make sure they match up at the end.)
  • Click Export
  • Save the Registry file in the CA Backup folder that was defined above
Now that we have the database, certificate and registry backed up, the next step is to remove Certificate Services from the old computer.
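Because the next step removes the CA role, it is worth confirming the backup folder is complete first. The script below is an added example, not part of the original post: it assumes PowerShell 2.0 or later on a machine that can read the backup folder, the usual wizard layout (a .p12 in the root and a DataBase subfolder), and a hypothetical manifest file name.

```powershell
# Added example (not from the original post): sanity-check a CA backup folder
# and record SHA-256 hashes so the copy used on the new server can be re-verified.
# Assumed layout: <CA name>.p12 in the root plus a DataBase subfolder with the .edb,
# and the exported .reg file saved alongside, as described in the steps above.
param(
    [string]$BackupRoot = 'C:\Temp\CABackup',  # example path; use your own backup folder
    [switch]$Verify                            # re-check files against an existing manifest
)
$BackupRoot = (Resolve-Path $BackupRoot).ProviderPath
$manifest   = Join-Path $BackupRoot 'manifest.sha256'   # hypothetical manifest name

function Get-Sha256Hex([string]$Path) {
    $sha    = New-Object System.Security.Cryptography.SHA256Managed
    $stream = [System.IO.File]::OpenRead($Path)
    try     { return ([System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '') }
    finally { $stream.Close() }
}

$problems = @()
$p12 = @(Get-ChildItem $BackupRoot -Filter *.p12)
if ($p12.Count -ne 1) { $problems += "Expected one .p12 in $BackupRoot, found $($p12.Count)" }
$dbDir = Join-Path $BackupRoot 'DataBase'
if (-not (Test-Path $dbDir)) { $problems += "No DataBase subfolder; is this the folder given to the wizard?" }
elseif (-not (Get-ChildItem $dbDir -Filter *.edb)) { $problems += "No .edb file in $dbDir" }
if (-not (Get-ChildItem $BackupRoot -Filter *.reg)) { $problems += "No exported .reg file in $BackupRoot" }

# Hash every file, keyed by its path relative to the backup root.
$current = @{}
Get-ChildItem $BackupRoot -Recurse |
    Where-Object { -not $_.PSIsContainer -and $_.FullName -ne $manifest } |
    ForEach-Object { $current[$_.FullName.Substring($BackupRoot.Length).TrimStart('\')] = Get-Sha256Hex $_.FullName }

if ($Verify -and -not (Test-Path $manifest)) { $problems += "No manifest found at $manifest" }
elseif ($Verify) {
    foreach ($line in Get-Content $manifest) {
        $hash, $rel = $line -split '  ', 2
        if ($current[$rel] -ne $hash) { $problems += "Missing or modified since backup: $rel" }
    }
} else {
    $current.GetEnumerator() | ForEach-Object { "$($_.Value)  $($_.Key)" } | Set-Content $manifest
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
"Backup folder OK: $($current.Count) files checked"
```

Run it once before removing the role to write the manifest, then with -Verify against the copy the new server will restore from. The .p12 file holds the CA private key, so keep the backup folder restricted to the administrators doing the migration.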

Remove Certificate Services from the old computer
  • Go into the Control Panel, Add/Remove Programs, Windows Components and remove the tick from Certificate Authority.
      • Note: Be sure to remove the Certificate Authority from the old computer prior to deploying Certificate Services on the new machine. If we deploy AD CS first the target CA will become unusable.
  • Finally, rename the old server or permanently disconnect it from the network.

Second Step:

Deploy and restore the Certificate Services:
Log on with local or enterprise administrator permissions to the CA computer and perform the following:
  • Launch Server Manager for Windows 2008.
  • In the console tree, click Roles.
  • On the Action menu, click Add Roles.
  • If the Before you Begin wizard appears, click Next.
  • In the list of available server roles, select the Active Directory Certificate Services check box, and click Next twice.
  • Make sure that Certification Authority is selected, and click Next. (Note: If you are going to use Web Enrollment, make sure to check that box as well. You can always add it later, but why not add it now? The required role services will also be installed when you check this box, since you will be shown a list of role services to add.)
  • Select Enterprise and click Next. (We are doing this because this is an Enterprise Root CA that will integrate with Active Directory, just like the one I decommissioned. Best practice is to have a Standalone Root CA, but given the size of this organization they are not too concerned with having a Standalone Root CA.)
  • Specify Root and click Next. (If the CA you're moving from was a Subordinate CA, then we would want to tick the Subordinate CA option. But since in my example this is a Root CA, we are sticking with Root. Keep in mind that whether you're coming from a Root CA or a Subordinate CA, this option must match what you're coming from.)
  • At this stage, you have a choice between creating a new private key or using an existing private key.  For a migration, on the Set Up Private Key page, select Use existing private key and choose Select a certificate and use its associated private key.
We should have something that looks like this:


Click Next and continue the steps below:
  • If the CA certificate we backed up above has been installed on the computer, it will be listed in the Certificates box. Otherwise, click Import to import a certificate from the .pfx file created by exporting the CA certificate and private key from the source CA.
  • Click Browse, and locate and select the file containing the certificate and private key exported from the source CA.
  • Enter the password you selected when exporting the CA certificate and key from the source CA, and click OK. Select the certificate that was just imported and click Next.
  • When choosing your paths you can either use the defaults or browse to new ones. Once done, click Next.
  • Complete the installation of AD CS.
  • Click Yes to accept the warning to overwrite AD DS. (This appears only if you are installing an enterprise CA.)
We have deployed Active Directory Certificate Services on Windows 2008.  There are still two more steps that must be completed.  This is the process of restoring the Certificate Authority Database that was backed up in the first section and restoring the registry component. 
To restore the registry, simply locate the registry file that was saved above, right-click the file and select Merge. This will import the registry settings to the W2K8 server. We can check that the settings were imported correctly by going to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration and verifying that the settings are there. Next we have to restore the database.

To restore the database and log files perform the following:
  • Open Server Manager on the Windows 2008 Server.
  • Expand Roles and then Expand Active Directory Certificate Services.
  • Locate the name of the CA you just deployed.
  • Right-click the CA name and select Restore CA…
  • You will get a warning message that AD CS cannot be running to perform this action. Simply click OK to stop AD CS. AD CS will begin to stop.
  • On the Wizard click Next
  • On the Items to Restore screen, check the box Certificate database and certificate database log only. Click Browse to locate the database that was copied over above. (Note: I need to point out here that you select the folder you backed up to, i.e. if you backed up the database and logs to C:\Temp\CABackup then this will be the folder you will restore from. The backup process creates a subdirectory that it will look for during Restore; if you go one folder too deep the restore will fail.) Once you have located your backup, click Next.
  • On the completion screen click Finish and the restore will begin. 
  • Once the restore is complete you will receive an action box that asks if you would like to restart AD CS. Simply click Yes.
And now finally Certificate Service is migrated from Windows 2003 to Windows 2008 R2.
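The "make sure they match up in the end" check on the CertSvc\Configuration key can be done without screenshots. This added example (not from the original post) exports the live key on the new server and compares it, value by value, with the .reg file saved on the old one; the file name CertSvcConfig.reg is a hypothetical name for that earlier export, and PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the original post): compare the pre-migration export of
# CertSvc\Configuration with the same key on the rebuilt server.
param(
    [string]$BeforeReg = 'C:\Temp\CABackup\CertSvcConfig.reg'   # hypothetical name of the saved export
)
$key      = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$afterReg = Join-Path $env:TEMP 'CertSvcConfig-after.reg'
& reg.exe export $key $afterReg /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed for $key" }

# Parse a .reg file into a table of "key\value name" -> raw data text.
function Read-RegFile([string]$Path) {
    $table = @{}; $section = ''; $pending = ''
    foreach ($line in Get-Content $Path) {
        $text = $pending + $line.Trim()
        # Long hex values are wrapped with a trailing ",\"; join them into one line.
        if ($text -match ',\\$') { $pending = $text.TrimEnd('\'); continue }
        $pending = ''
        if ($text -match '^\[(.+)\]$') { $section = $Matches[1] }
        elseif ($text -match '^("(?:[^"\\]|\\.)*"|@)=(.*)$') {
            $table["$section\$($Matches[1])"] = $Matches[2]
        }
    }
    return $table
}

$before = Read-RegFile $BeforeReg
$after  = Read-RegFile $afterReg
$names  = @($before.Keys) + @($after.Keys) | Sort-Object -Unique

$diffs = foreach ($n in $names) {
    if (-not $after.ContainsKey($n))      { "MISSING on new server: $n" }
    elseif (-not $before.ContainsKey($n)) { "NEW on new server:     $n" }
    elseif ($before[$n] -ne $after[$n])   { "CHANGED: $n`n    old: $($before[$n])`n    new: $($after[$n])" }
}
if ($diffs) { $diffs } else { 'Configuration matches the pre-migration export.' }
```

A registry merge adds and overwrites values but does not delete any, so entries reported as NEW are values the new installation created that were not in the old export.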


1 comment:

  1. Very well post. I really found some nice information about the windows 7 migration. Please post more nice information.
