Migrating a Server 2003 Root CA
The Root CA is the apex of a CA chain, which makes migrating an Enterprise Root CA or a stand alone root CA a bit of a challenge.
April 15, 2015
Usually when migrating a workload you go from ServerA to ServerB. In an upgrade you change what ServerA is running so that it is a newer version.
With most of the workloads we’ve covered in this series, the transition has been ServerA to ServerB. This makes sense because you can’t do a direct upgrade from Windows Server 2003 to Windows Server 2012 R2.
In theory you could chain upgrades from Server 2003 to 2008, then on to 2008 R2 and 2012, or something similar, but not only is that insanely labor intensive, the vast majority of Windows Server 2003 deployments are x86. Everything from Server 2008 R2 onward is x64 only. You can’t do an in-place upgrade from x86 to x64, so unless you’re one of the rare people who deployed Server 2003 in its x64 form, this route isn’t open to you anyway.
The trick with migrating Root CAs is that you generally want to go ServerA to ServerA. If you can’t do that by directly upgrading, what you need to do is back up the workload on one version of the server, build a server that has the same identifying information as the first server, retire the first server, replace it with the second, and then restore the workload from the first.
At a high level this involves:
Backing up the CA database and private key on the 2003 Root CA
Backing up the CA registry settings on the 2003 Root CA
Backing up CAPolicy.inf on the 2003 Root CA
Removing the CA role from the 2003 Root CA
Removing the 2003 Root CA from the domain (if appropriate)
Building a 2012 R2 server that has the same name
Joining the new 2012 R2 server to the domain (if appropriate)
Adding the CA role to the 2012 R2 server
Restoring the CA database and configuration on the 2012 R2 server (including some registry keys if appropriate)
Configuring AIA and CDP containers
As I mentioned, this is pretty high level. You can get a better feel for the procedure at the following web page https://technet.microsoft.com/en-us/library/ee126140%28v=ws.10%29.aspx
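The backup steps (1 to 3) and the restore step (9) from the list above, as an added PowerShell example that is not part of the original post or of Microsoft’s guidance. It assumes an elevated session, that PowerShell 2.0 (Windows Management Framework) is installed on the 2003 host, and a backup location of your choosing; the script name, its -Phase and -BackupRoot parameters and the file names it writes are my own choices.

```powershell
# Added example (not from the original post): backup on the 2003 Root CA,
# restore on the rebuilt 2012 R2 server that carries the same name.
param(
    [Parameter(Mandatory=$true)][ValidateSet('Backup','Restore')][string]$Phase,
    [Parameter(Mandatory=$true)][string]$BackupRoot   # e.g. \\fileserver\camigration (assumed path)
)
$ErrorActionPreference = 'Stop'
$regKey     = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$dbDir      = Join-Path $BackupRoot 'CA'          # certutil -backup needs an empty directory
$regFile    = Join-Path $BackupRoot 'CertSvc-Configuration.reg'
$policyFile = Join-Path $BackupRoot 'CAPolicy.inf'
$hostFile   = Join-Path $BackupRoot 'SourceHostName.txt'

function Invoke-Native {
    # Run an external tool and stop the script if it returns a non-zero exit code.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed (exit $LASTEXITCODE)" }
}

$pw = Read-Host 'Password protecting the exported CA private key'

if ($Phase -eq 'Backup') {
    New-Item -ItemType Directory -Path $dbDir -Force | Out-Null
    $env:COMPUTERNAME | Set-Content $hostFile          # the replacement server must reuse this name
    # Step 1: CA database plus the CA certificate and private key (exported as a .p12).
    Invoke-Native certutil.exe @('-p', $pw, '-backup', $dbDir)
    # Step 2: CA registry settings (CA name, paths, CDP/AIA URLs, validity periods).
    if (Test-Path $regFile) { Remove-Item $regFile }   # 2003's reg.exe has no overwrite switch
    Invoke-Native reg.exe @('export', $regKey, $regFile)
    # Step 3: CAPolicy.inf, if the CA was installed with one.
    $policy = Join-Path $env:SystemRoot 'CAPolicy.inf'
    if (Test-Path $policy) { Copy-Item $policy $policyFile }
}
else {
    # Guard: the restore only makes sense on a server carrying the original name.
    $expected = (Get-Content $hostFile).Trim()
    if ($env:COMPUTERNAME -ne $expected) { throw "This host is $env:COMPUTERNAME, backup came from $expected" }
    # CAPolicy.inf must already be in %SystemRoot% before the CA role is added, not restored here.
    Stop-Service CertSvc
    Invoke-Native certutil.exe @('-p', $pw, '-restore', $dbDir)
    # Review the .reg file first: entries pointing at old paths or URLs need editing before import.
    Invoke-Native reg.exe @('import', $regFile)
    Start-Service CertSvc
    # Checks: the service answers, and the CA certificate matches the restored private key.
    Invoke-Native certutil.exe @('-ping')
    Invoke-Native certutil.exe @('-verifykeys')
}
```

Run it with -Phase Backup on the 2003 CA, then with -Phase Restore on the rebuilt 2012 R2 server once the CA role has been added; the role removal, server rebuild and AIA/CDP configuration steps are not covered by the script.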