<img height="1" width="1" src="https://www.facebook.com/tr?id=1529264867168163&amp;ev=PageView &amp;noscript=1">
blog_listing_hero_img.jpg

Subordinate CA Migration from Windows Server 2003 to Windows Server 2008 R2- Part 3: The Back-Out Procedure

Welcome to the final installment of this three part series of articles dedicated to instructing Exchange and Messaging Admins the correct steps needed to take in order to perform a subordinate Certificate Authority migration from Windows Server 2003 to Windows Server 2008 R2. In Part 1 we prepared the source and destination server for the migration. Part 2 explained how to restore the source CA from backups on the new Windows Server 2008 R2. Now we look to the final part of the process-making sure you are covered if "technical difficulties" pop up. 

Backup-out Procedure

In case of a migration failure i.e. if the Certificate Authority service fails to stop, auto enrollment failure, or any other error/issue in any of the verifying migration steps, then the back-out procedure has to be executed to restore the CA service on the source server. Back-out planning is necessary for any activity and therefore we need have in place the backup-out or rollback action plan for CA Migration in case any failure or disaster situation. Please follow the process in order to bring back the source server as CA Server.


Step 1-Removin

g CA Role from Destination server

  • Log on to the destination server, and start Server Manager.

  • In the console tree, click Roles.

  • On the Roles pane click, Remove Roles

  • If the Before you begin page appears click Next

  • On the Remove Server Roles, Uncheck ACTIVE Directory Certificate Services and click Next

  • Click Remove on the Confirm Removal Selection and restart the server once completes

  • Remove Destination server from domain

  • Rename the Destination server

Step 2- Adding CA Role on Source Server

Rename the source server to the initial name

  • Add the source server to domain

  • Launch Add or Remove programs and select add/remove windows components and select Certificate Service and click, Next

  • Select Enterprise Subordinate CA as CA Type and select “Use custom settings to generate the key pair and CA Certificate”

  • On the Public and Private Key Pair click Import and select the backed up file .p12 and enter the password and click next

  • Click Next to proceed with the CA configuration and close

Step 3- Restoring CA DB on Source Server

  • Launch Certificate Authority snap-in

  • Select CA node and click on Actions, All Task and Restore CA

  • On the Items to Restore select Private key and CA Certificate and Certificate Database and Certificate Database Log

  • Browse the CA DB Location and Click Next

  • Enter the password set while backing up the CA

Step 4- Restore Certificate Template List

  • Open a command prompt window.

  • Type certutil -setcatemplates +<templatelist1>,<templatelist2>..  and press ENTER.

This completes our three part series of articles dedicated to showing the proper procedures one must take for subordinate CA migration from windows server 2003 to windows server 2008 R2. As we have seen CA migration is a complex activity. We all need to make sure that the right steps are followed in order as defined in the article series. Make sure that verification is performed on every step. If any steps are skipped a rollback or back-out is possible, if not likely.

Another best practice- I highly recommend thoroughly testing these steps in a lab by simulating your environment prior to performing this activity in a production environment.