Migrating a Server 2003 Root CA

The Root CA sits at the apex of a CA chain, which makes migrating an Enterprise Root CA or a stand-alone Root CA a bit of a challenge.

Orin Thomas

April 15, 2015

2 Min Read

Usually when migrating a workload you go from ServerA to ServerB. In an upgrade you change what ServerA is running so that it is a newer version.

With most of the workloads in this series, we've covered ServerA-to-ServerB transitions. This makes sense because you can't do a direct in-place upgrade from Windows Server 2003 to Windows Server 2012 R2.

In theory you could chain upgrades, Server 2003 to 2008, then to 2008 R2, then to 2012, or something similar, but not only is that insanely labor-intensive, the vast majority of Windows Server 2003 deployments are x86. Windows Server 2008 R2 and everything after it is x64 only. You can't do an in-place upgrade from x86 to x64, so unless you're one of the rare people who deployed Server 2003 in its x64 form, this route isn't open to you anyway.

The trick with migrating Root CAs is that you generally want to go ServerA to ServerA: the certificates the root has issued, its AIA and CDP locations and its objects in Active Directory all reference the CA by name, so the replacement has to answer to the same name and sign with the same key. If you can't get there by directly upgrading, what you need to do is back up the workload on one version of the server, build a server that has the same identifying information as the first server, retire the first server, replace it with the second, and then restore the workload from the backup.

At a high level this involves:

  • Backing up the CA database and private key on the 2003 Root CA

  • Backing up the CA registry settings on the 2003 Root CA

  • Backing up CAPolicy.inf on the 2003 Root CA

  • Removing the CA role from the 2003 Root CA

  • Removing the 2003 Root CA from the domain (if appropriate)

  • Building a 2012 R2 server that has the same name

  • Joining the new 2012 R2 server to the domain (if appropriate)

  • Adding the CA role to the 2012 R2 server

  • Restoring the CA database and configuration on the 2012 R2 server (including some registry keys if appropriate)

  • Configuring AIA and CDP containers

As I mentioned, this is pretty high level. You can get a better feel for the procedure from Microsoft's AD CS migration guide at https://technet.microsoft.com/en-us/library/ee126140%28v=ws.10%29.aspx
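The same sequence as the commands you would actually type, as an added example that is not part of this article or of Microsoft's guide. Every concrete value in it is assumed for illustration: the CA common name CorpRootCA, the backup folder C:\CABackup, the new server's host name CA01 and the HTTP publication host pki.corp.example; substitute your own. The source-side steps use only certutil.exe and reg.exe so they can be run from cmd.exe on the 2003 server, which has no PowerShell out of the box; the destination side is PowerShell on 2012 R2.

```powershell
# Added example (not from the article): the migration above as commands.
# Assumed values: CA common name CorpRootCA, backup folder C:\CABackup,
# new host name CA01, HTTP publication host pki.corp.example.

### --- Source: Windows Server 2003 root CA (cmd.exe; certutil and reg only) ---

# 1. Back up the CA database plus the CA certificate and private key.
#    The resulting C:\CABackup\CorpRootCA.p12 IS the root private key: anyone
#    holding it can issue certificates your whole forest trusts. Keep it on
#    removable media and wipe every copy once the new CA is verified.
#    Leaving out -p makes certutil prompt for the passphrase instead of
#    recording it in the command history.
certutil -backup C:\CABackup

# 2. Export the CA's registry configuration: CDP/AIA URLs, validity periods,
#    audit filter, template list, database and log paths.
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration C:\CABackup\CertSvc-Configuration.reg

# 3. Keep CAPolicy.inf (if present) and, for an enterprise CA, the list of
#    templates it issues.
copy %SystemRoot%\CAPolicy.inf C:\CABackup\CAPolicy.inf
certutil -catemplates > C:\CABackup\catemplates.txt

# Then uninstall Certificate Services (Add/Remove Windows Components), leave
# the domain if it is a member, and power the box off. Only C:\CABackup needs
# to survive.

### --- Destination: Windows Server 2012 R2, same computer name (PowerShell) ---

# 4. Install the role service, then build the CA from the migrated key instead
#    of a new one. -CertFile/-CertFilePassword make the installer reuse the 2003
#    root certificate and key, so everything the old root issued stays valid.
#    Use -CAType StandaloneRootCA for a stand-alone root; add
#    -OverwriteExistingCAinDS if the old Enrollment Services object is still in AD.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
$pw = Read-Host -AsSecureString -Prompt 'Backup passphrase'
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CertFile 'C:\CABackup\CorpRootCA.p12' -CertFilePassword $pw -Force

# 5. Restore the database over the empty one the installer just created.
Stop-Service CertSvc
certutil -f -restoreDB C:\CABackup

# 6. Bring back the registry settings and CAPolicy.inf while the service is
#    stopped. Afterwards open the imported key in regedit and check every
#    path value (DBDirectory, DBLogDirectory, CRL and AIA file locations):
#    an export from a 2003 x86 box can point at folders that do not exist here.
reg import C:\CABackup\CertSvc-Configuration.reg
Copy-Item 'C:\CABackup\CAPolicy.inf' "$env:SystemRoot\CAPolicy.inf"

# 7. Set the CDP and AIA publication points explicitly rather than trusting
#    the import. The leading numbers are certutil's flag bits: 1 = publish to
#    this location, 64 = publish delta CRLs there, 2 = put the URL in the
#    CDP/AIA extension of issued certs, 4 = put it in the Freshest CRL
#    extension. certutil splits the value on the literal two characters "\n".
$cdp = "65:$env:SystemRoot\system32\CertSrv\CertEnroll\%3%8%9.crl" +
       '\n6:http://pki.corp.example/CertEnroll/%3%8%9.crl'
$aia = "1:$env:SystemRoot\system32\CertSrv\CertEnroll\%1_%3%4.crt" +
       '\n2:http://pki.corp.example/CertEnroll/%1_%3%4.crt'
certutil -setreg CA\CRLPublicationURLs $cdp
certutil -setreg CA\CACertPublicationURLs $aia

# 8. Start the CA, publish a CRL from its new home, and verify that the root
#    certificate chains and that its CDP/AIA URLs are fetchable.
Start-Service CertSvc
certutil -CRL
certutil -cainfo name
certutil -verify -urlfetch "$env:SystemRoot\system32\CertSrv\CertEnroll\CA01_CorpRootCA.crt"
```

Two things worth knowing before you run this. The migrated root keeps its original key and signature algorithm, so a 2003-era root is almost certainly still signing with SHA-1 after the move; getting it onto SHA-2 is a separate piece of work, not part of this migration. And step 8's verify should be repeated from an ordinary domain client, because a CRL that only resolves from the CA itself will start failing revocation checks across the estate as soon as the old CRL expires.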
