
Subordinate CA Migration from Windows Server 2003 to Windows Server 2008 R2 - Part 2: Restoring the Source CA from Backups

Welcome to Part 2 of this three-part series designed to show administrators how to migrate properly from Windows Server 2003 to Windows Server 2008 R2, specifically the steps required for a subordinate CA migration from Windows Server 2003 to Windows Server 2008 R2.

In Part 1 we discussed the steps needed to prepare the source and destination servers for the migration. Now we shift our attention to the next step: restoring the source CA from backups on the new Windows Server 2008 R2 server and verifying the migration.

Step 1 - Restore the Source CA Server from Backup:

a. Restore CA DB

Log on to the destination server by using an account that is a CA administrator.

Start the Certification Authority snap-in.

Right-click the node with the CA name, point to All Tasks, and then click Restore CA.

On the Welcome page, click Next.

On the Items to Restore page, select Certificate database and certificate database log.

Click Browse. Navigate to the parent folder that holds the Database folder (the folder that contains the CA database files created during the CA database backup).

Click Next and then click Finish.

b. Restore CA Registry

Create a backup of the current registry settings.

Open the registry file exported from the source server in Notepad and verify the registry values.

Open a Command Prompt window.

Type reg import <Registry Settings Backup.reg> and press ENTER.

Type net start certsvc and press ENTER.

c. Restore Certificate template list

Open a command prompt window.

Type certutil -setcatemplates +<templatelist1>,<templatelist2>,... and press ENTER.

Step 2 - Verifying Migration

a. Verify ACLs on the AIA and CDP Containers

Log on to a domain controller and open Active Directory Sites and Services.

In the console tree, click the top node.

On the View menu, click Show Services Node. The Services folder now appears in the left pane; expand it to reach Public Key Services.

Expand Public Key Services

Click AIA folder and in the details pane, select the name of the source CA.

On the Action menu, click Properties.

Click the Security tab, and then click Add.

Click Object Types, click Computers, and then click OK.

Type the host name of the target CA, and click OK.

In the Allow column, select Full Control, and click OK.

If an entry named Account Unknown followed by a security identifier exists, select it and remove it.

In the left pane, expand CDP and select the host name of the source CA.

In the details pane, select the first CRL object.

On the Action menu, click Properties, and then click the Security tab.

In the list of permitted group or user names, select the name of the source CA, click Remove, and then click Add.

Click Object Types, select Computers, and then click OK.

Type the host name of the target CA, and click OK.

In the Allow column, select Full Control, and then click OK.

If an entry named Account Unknown followed by a security identifier exists, select it and remove it.

b. Verify Registry

Verify that CAServerName is a registry string value located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CAName\ registry key. It should be updated to the DNS name or host name of the new CA server.

Verify that CACertPublicationURLs and CRLPublicationURLs are both registry multi-string values located under the same key as CAServerName.
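The registry checks above can be scripted so they are repeatable after each registry import. The following PowerShell script is an added example and not part of the original article or Microsoft's tooling; it assumes it is run on the destination CA, that the source CA host name is passed in (OLDCA01 is an assumed name), and that the Active value under the Configuration key names the CA whose subkey holds the settings.

```powershell
# Added post-migration check (not from the original article).
# Assumes: run on the destination CA; $SourceHostName is the retired source CA host.
param(
    [Parameter(Mandatory = $true)][string]$SourceHostName   # e.g. OLDCA01 (assumed name)
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
# The "Active" value under the Configuration key names the CA whose subkey holds its settings.
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$caKey  = Join-Path $base $caName
$cfg    = Get-ItemProperty -Path $caKey

$problems = @()

# 1. CAServerName must point at this (destination) host, not the retired source host.
$local = $env:COMPUTERNAME
$fqdn  = [System.Net.Dns]::GetHostEntry($local).HostName
if (@($local, $fqdn) -notcontains $cfg.CAServerName) {
    $problems += "CAServerName is '$($cfg.CAServerName)'; expected '$local' or '$fqdn'."
}

# 2. Publication URLs are REG_MULTI_SZ values. Entries that use the %1 token resolve to
#    the current server; a literal source host name would point clients at a dead host.
foreach ($valueName in 'CACertPublicationURLs', 'CRLPublicationURLs') {
    $entries = $cfg.$valueName
    if (-not $entries) { $problems += "$valueName is missing or empty."; continue }
    foreach ($entry in $entries) {
        if ($entry -match [regex]::Escape($SourceHostName)) {
            $problems += "$valueName still references the source host: $entry"
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Output "CertSvc configuration for '$caName' references the destination host only."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it from an elevated PowerShell session on the destination CA after the registry import and before starting certsvc; a non-zero exit means at least one value still refers to the source server.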


c. Verify Auto Enrollment

Log on to a domain member computer by using an account that has Autoenroll, Enroll, and Read permissions for the certificate templates that are assigned to the destination CA.

Click Start, and then click Run.

Type certmgr.msc, and then click OK to open the Certificates snap-in.

In the console tree, right-click Certificates – Current User, click All Tasks, and then click Automatically Enroll and Retrieve Certificates to start the Certificate Enrollment wizard.

On the Before You Begin page, click Next.

On the Request Certificates page, a list of one or more certificate templates should be displayed. Select the check box next to each certificate template that you want to request, and then click Enroll.

Click Finish to complete the enrollment process.

In the console tree, double-click Personal, and then click Certificates to display a list of installed user certificates and to verify that the certificate that you requested is displayed.

This completes Part 2. In the final installment of this three-part series we'll complete the backup process. You'll need to have a firm grasp of the steps taken in Part 3 in case you ever need to revert.