Migrating the Exchange KMS Database

Microsoft Exchange Server 2003 doesn't come with a Key Management Service (KMS), so if you have an operational KMS in an Exchange 2000 Server environment and plan to migrate to Exchange 2003, you must migrate the KMS key archival database to the Windows Server 2003 Certification Authority (CA) key archival database. If you're running an Exchange Server 5.5 KMS, upgrade to Exchange 2000. The KMS-to­Windows 2003 CA migration process can deal only with an Exchange 2000 KMS database.

Next, configure the Windows 2003 CA for key archival, as the main article "Windows Server 2003 PKI Key Archival and Recovery" explains. Then, ensure that an Export Signing certificate is available for KMS database migration. An Export Signing certificate, which is a copy of the CA server's Machine Authentication certificate, and its associated private key are necessary to secure the KMS data during export from the KMS database and transport to the Windows 2003 CA. The certificate must be available on the KMS machine from which you want to migrate data. If the CA server doesn't have a Machine Authentication certificate, get one before you start the KMS migration. The Machine Authentication certificate resides in the CA server's local machine certificate store. To copy the certificate to the KMS machine, export it in Public-Key Cryptography Standards (PKCS) #12 format from the CA server (the main article explains this process), then store it in a file system folder on the KMS machine.

Enable foreign certificate import on the Windows 2003 CA if necessary. Importing certificates and keys that another CA issued into a Windows 2003 CA's database is possible only if you've enabled the Windows 2003 CA to accept foreign certificates and private keys. To do so, open a command line on the CA server and type

certutil ­setreg caKRAFlags +KRAF_ENABLEFOREIGN

Export the Exchange KMS database's content. To do so, you must use the Exchange KMS Key Export Wizard, which is available from the Microsoft Management Console (MMC) Exchange System Manager (ESM) snap-in in Exchange 2000. To start the wizard, open the ESM console, open the Key Manager object's Properties dialog box, and select All Tasks, Export Users. The wizard prompts you for the CA's Export Signing certificate and asks you which Exchange 2000 administrative group's user keys you want to export. The wizard saves the export file in the %systemdrive%program filesexchsrvrkmsdata directory by default. Locate the export file and copy it to the CA server.

To import the exported KMS archival data into the central CA archival database, use the following command:

certutil -f -importKMS 

This command can handle files that are formatted in the Exchange KMS export format as well as .pfx and .epf files. The latter two formats are used to manually archive certificate and private key data. (For more information about the manual archival process, see the sidebar "Manual Key Archival and Recovery," page 8.) You must use the -f switch with this command if the CA didn't issue the certificate that you're injecting into the database; this situation is typically the case when you're migrating a KMS key archival database.