Move CA from Windows 2000 to Windows 2003

Guest

Need some direction on the best practice to follow for moving Enterprise Root
CA services from Windows Server 2000 to new hardware using Windows Server
2003.
All of the posts I have seen recommend upgrading the current Windows 2000 CA
to Windows 2003 and then moving the database to the new 2003 server. However,
we do not have to take this approach if there are other options. Also,
a possible "gotcha" for us using this approach is that the hardware
currently running Windows 2000 CA services may not be 2003-compatible.
What steps are required to build the new 2003 server, install CA services,
and then issue new certificate requests/certificates for the applications
that require it? Basically this would be a brand new CA.
Using this approach, is it possible for two root CAs to co-exist? Would the
existing 2000 CA have to be decommissioned first?
Just looking for best practice and the easiest road to getting the CA
services up and running on the new 2003 hardware, in case the existing
hardware cannot be upgraded to 2003.
Thanks for any assistance!
 
Guest

There are some issues you need to know about when using a CA.

1. When you install an enterprise root CA, the machine and domain cannot be
changed because this information is bound to AD. So there is no way for you to
move the database to another computer with a different name.

2. Windows 2000 and 2003 CAs have differences - database and registry.
Therefore you cannot just move the database from 2000 to 2003.

3. You can have multiple root CAs within an organization. But usually it is not
required unless it is an MNC or in a training environment. If not properly
managed, it will be quite confusing as to which CA the clients got their certs
from.

There is an article, which you might have already seen, Q298138, that mentions
how to move the db to another server. But it first upgrades 2000 to
2003 before moving, rather than just moving directly to 2003.

HTH.
 
Guest

Thank you for your response.
The hardware being used as the current CA may not be Windows
2003-compatible. For the sake of the discussion, let's assume it is not.
How would I go about setting up a brand new CA? Is there an uninstall or
some other process to remove the current CA in an environment, before
installing a new CA?
 
