Migration of Certificate Authority from Windows 2000 Server to Windows 2003 Server

Reinhard Schürer

Hello

When trying to migrate the Microsoft Certificate Services running on
Windows 2000 Server to a new Windows 2003 Server (with the same name)
we have problems restoring the database under Windows 2003 Server.

Restoring the private key was no problem but when we try to restore
from a backup (which was done under Windows 2000 with
certutil -backup c:\certbak) with the following command:
certutil -restoreDB c:\certbak we encounter the following error:

Restoring database for certsrv.certtest.int\CertTest.
Not a valid backup directory: c:\certbak.
CertUtil: -restoreDB command FAILED: 0x8007010b (WIN32/HTTP: 267)
CertUtil: The directory name is invalid.

Using the restore function of the Certificate Authority MMC doesn't
work either with the same error code.

Any ideas how to transfer the Certificate Authority database from
Windows 2000 to Windows 2003?

Regards,
Reinhard Schuerer
nascom GmbH
 
David Cross [MS]

You should really upgrade the Windows 2000 CA to Windows Server 2003 first,
then move the CA to a new machine. There are DB and registry differences
between the new versions, which is likely the issue you are encountering.
 
David Cohen

I've got a few questions that weren't answered in your post and I
couldn't find on TechNet or in the KB.

Q298138 deals with migrating CAs from Windows 2000 to Windows 2000
and you mentioned that there were several registry differences. Is it
possible to overcome these?

We currently have one Windows 2000 DC that is the Enterprise Root CA.
I have installed an additional Windows 2003 Server with a different
name and made it a DC. I want to transfer the Enterprise Root CA to
the new 2003 server, remove the CA from the Windows 2000 DC, demote
and then remove it.

What's the correct procedure for doing this?

Are Microsoft in the process of creating a new Q article describing
the procedure?

David Cross [MS]

No, you cannot just migrate the DB from a Windows 2000 to a Windows Server 2003
machine; the DB schema is different and must be migrated through an upgrade.

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com
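
Added example, not part of the original thread and not Microsoft's own procedure: a command script that follows the order given in the answers above (in-place upgrade first, then move) and refuses to run unless the machine reports Windows Server 2003. The script name ca-move.cmd and the .reg file name are assumptions, c:\certbak is reused from the question, and the restore step assumes Certificate Services is already installed on the new machine with the restored CA key.

```bat
@echo off
rem Added example, not from the thread. BAK and the .reg file name are assumptions.
rem   ca-move.cmd backup    on the old CA, AFTER its in-place upgrade to Windows Server 2003
rem   ca-move.cmd restore   on the new Windows Server 2003 machine
setlocal
set BAK=c:\certbak

rem Both ends must report Windows Server 2003 (NT 5.2). The thread attributes the
rem "Not a valid backup directory" failure to restoring a Windows 2000 backup.
ver | find "Version 5.2" >nul
if errorlevel 1 (
    echo This machine is not Windows Server 2003. Upgrade the CA in place first.
    exit /b 1
)

if /i "%~1"=="backup"  goto backup
if /i "%~1"=="restore" goto restore
echo usage: %~n0 backup ^| restore
exit /b 1

:backup
rem Database plus CA certificate and private key; certutil prompts for a PFX password.
certutil -backup "%BAK%"
if errorlevel 1 exit /b 1
rem Keep a copy of the CA configuration for comparison on the new machine.
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "%BAK%\certsvc-config.reg"
exit /b %errorlevel%

:restore
rem The service must be stopped while the database is replaced.
net stop certsvc
certutil -f -restoreDB "%BAK%"
if errorlevel 1 (
    echo Database restore failed; leaving certsvc stopped for inspection.
    exit /b 1
)
net start certsvc
rem Confirm the CA answers before decommissioning the old server.
certutil -ping
exit /b %errorlevel%
```

The backup directory holds the CA private key, so copy it between machines over a protected channel and delete it once the new CA is confirmed working.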

David Cohen

David, thanks for your reply. I just want to make sure I've got the
procedure correct:

I would need to upgrade the Windows 2000 DC to 2003. Then I would
have to perform the steps in Q298138 to transfer the database to the
other 2003 DC.

Does it matter that the second DC has a different name?

Once I've transferred the CA, I can uninstall it from the upgraded
(original) server. Then demote it, and remove it from the domain.

Is that the correct way?

Thanks again,

David.
