Server Decommision

Z

Zachary

We currently have a Win2k server that we are looking to decommission so we
can install it with windows 2008. This 2k server is a domain controller
with no FSMO roles on it but CA is still running on the server. We
currently have a 2008 server that is acting as our primary DC. Two
questions:



First, how can I check whether or not the CA is still being used? I have
inherited this setup from a previous IT Group so I am unsure of what
practices have been in place before I was here.



Second, if I am unsure or if the services are still needed, can I move the
CA to the 2008 server?



I have reviewed these links already and none seem to directly apply to my
situation since the scenario is 2000 and 2003



http://support.microsoft.com/default.aspx?scid=kb;en-us;298138

http://support.microsoft.com/default.aspx?scid=kb;en-us;555012

http://support.microsoft.com/kb/889250



Any insight would be greatly appreciated.
 
G

Greg Russell

We currently have a Win2k server that we are looking to decommission
so we can install it with windows 2008. ... I have inherited this setup
from a previous IT Group so I am unsure of what practices have been
in place before I was here.

If the previous IT group failed to keep an administrative journal/log of the
machine and its roles in the enterprise, then you should make a complete
backup, wipe the disk and start with a fresh install of the new OS.

Oh, and be sure to keep a current journal of everything you do on the new
OS, and the reasons for it.
 
Z

Zachary

First off, that doesn't answer either of my two questions and as far as good
IT practice goes that suggestion is dangerous. Anything goes wrong during
the wipe/reload process I would be SOL. Our eventual goal is to make this
server a member server running a newer operating system. Does anyone else
have any ideas?
 
J

John John - MVP

See in-line:
We currently have a Win2k server that we are looking to decommission so we
can install it with windows 2008. This 2k server is a domain controller
with no FSMO roles on it but CA is still running on the server. We
currently have a 2008 server that is acting as our primary DC. Two
questions:



First, how can I check whether or not the CA is still being used? I have
inherited this setup from a previous IT Group so I am unsure of what
practices have been in place before I was here.

I don't know for sure but unless you properly removed the existing CA
and created a new one on the new Server 2008 I would think that the CA
on the Server 2000 would still be used. You could simply disable the
Certificate Service for an extended period and see what happens, if
things go wonky you can just re-enable the Certificate service. These
might be helpful:

http://support.microsoft.com/kb/889250
How to decommission a Windows enterprise certification authority and how
to remove all related objects from Windows Server 2003 and from Windows
Server 2000

http://support.microsoft.com/kb/231881
HOW TO: How to Install/Uninstall a Public Key Certificate Authority for
Windows 2000

http://articles.techrepublic.com.com/5100-10878_11-6067066.html?tag=sc
Move Certificate Authority to another Windows 2000 Server

http://www.microsoft.com/windows/windows2000/en/advanced/sag_CSprocsBackup.htm
Back up a certification authority
Second, if I am unsure or if the services are still needed, can I move the
CA to the 2008 server?

I don't think so, all of the Microsoft information that I have seen
always says that you must first upgrade Server 2000 to 2003 and then in
turn upgrade Server 2003 to 2008, there seems to be no direct path to
move the CA directly from Server 2000 to Server 2008. You may find
useful information here:
http://technet.microsoft.com/en-us/library/cc742466(WS.10).aspx

You might have better help with this if you ask the folks on one of the
Server groups, maybe here:
news://msnews.microsoft.com/microsoft.public.windows.server.general

John
 
M

Meinolf Weber [MVP-DS]

Hello Zachary,

I will crospost this to:
microsoft.public.windows.server.security

That's the better place for your question. Also think about using the Technet
Forum:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
We currently have a Win2k server that we are looking to decommission
so we can install it with windows 2008. This 2k server is a domain
controller with no FSMO roles on it but CA is still running on the
server. We currently have a 2008 server that is acting as our primary
DC. Two questions:

First, how can I check whether or not the CA is still being used? I
have inherited this setup from a previous IT Group so I am unsure of
what practices have been in place before I was here.

Second, if I am unsure or if the services are still needed, can I move
the CA to the 2008 server?

I have reviewed these links already and none seem to directly apply to
my situation since the scenario is 2000 and 2003

http://support.microsoft.com/default.aspx?scid=kb;en-us;298138

http://support.microsoft.com/default.aspx?scid=kb;en-us;555012

http://support.microsoft.com/kb/889250

Any insight would be greatly appreciated.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
Z

Zachary

Thanks for the help on this.

Hello Zachary,

I will crospost this to:
microsoft.public.windows.server.security

That's the better place for your question. Also think about using the
Technet Forum:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
Z

Zachary

Thanks for the suggestions. I am hesitant to just disable the services and
wait for something to break. Again I fear that isn't proper IT procedure.
I will try cross posting this question in the group you suggested below.
 
Z

Zachary

Any help on this would be greatly appreciated.

John John - MVP said:
See in-line:


I don't know for sure but unless you properly removed the existing CA and
created a new one on the new Server 2008 I would think that the CA on the
Server 2000 would still be used. You could simply disable the Certificate
Service for an extended period and see what happens, if things go wonky
you can just re-enable the Certificate service. These might be helpful:

http://support.microsoft.com/kb/889250
How to decommission a Windows enterprise certification authority and how
to remove all related objects from Windows Server 2003 and from Windows
Server 2000

http://support.microsoft.com/kb/231881
HOW TO: How to Install/Uninstall a Public Key Certificate Authority for
Windows 2000

http://articles.techrepublic.com.com/5100-10878_11-6067066.html?tag=sc
Move Certificate Authority to another Windows 2000 Server

http://www.microsoft.com/windows/windows2000/en/advanced/sag_CSprocsBackup.htm
Back up a certification authority


I don't think so, all of the Microsoft information that I have seen always
says that you must first upgrade Server 2000 to 2003 and then in turn
upgrade Server 2003 to 2008, there seems to be no direct path to move the
CA directly from Server 2000 to Server 2008. You may find useful
information here:
http://technet.microsoft.com/en-us/library/cc742466(WS.10).aspx

You might have better help with this if you ask the folks on one of the
Server groups, maybe here:
news://msnews.microsoft.com/microsoft.public.windows.server.general

John
 
Z

Zachary

Ok, from what i have found on the web my best route would be to upgrade the
CA to 2003 and backup and restore it to a 2003 server, then perform the
sames steps for 2008. (http://support.microsoft.com/default.aspx/kb/298138,
http://technet.microsoft.com/en-us/library/cc755153(WS.10).aspx)

The only question i have left unanswered is weather or not i can find out
why CA is installed on the server in the first place. Anyone have any
suggestions on how to go about finding out what CA is doing for our network?
 
D

Dusko Savatovic

Hi Zachary,

CA is issuing certificates for whatever purpose you may need:
- Encrypting File System,
- E-Mail, signing, encrypting messages
- SSL (https) for your web server, intranet web server, Outlook Web Access
- We use it for logging onto our wireless network.

You can check which certificates you issued, in the CA console.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top