Discussion:
Move the CA to a server with the same name or different name?
jprstokato
2009-06-04 01:55:01 UTC
In the TechNet article http://technet.microsoft.com/en-us/library/cc742388.aspx
on performing a CA migration, in the section ‘Option A: Migrate the CA to a
New Host’, the article states that “the computer name of the target computer
can differ from the computer name of the source computer, but the CA name
must stay the same.”

In KB 298138 http://support.microsoft.com/default.aspx/kb/298138 on the same
subject of moving a certification authority to another server, it states “The
new server must have the same computer name as the old server”

Both articles are describing the same process. The only difference is that the
TechNet article applies to both Windows Server 2008 (and 2003) domain
controllers, and the KB applies to any Windows Server 2000/2003.

I’m performing Option B: ‘Keep the CA on the Original Host and Move the
Domain Controller’ of the TechNet article, and using Option A as part of a
rollback plan, if Option B fails to restore the CA to the same server.

Can you tell me if I can therefore follow the TechNet article and
restore the CA to another 32-bit Windows 2003 server in our domain (i.e.
with a different name)?

Many thanks, JPSR.
Paul Bergson [MVP-DS]
2009-06-04 12:25:26 UTC
If you change the name of your CA you break the trust and therefore you
break your CA. You HAVE to keep the CA the same name forever.

This NewsGroup is related to Active Directory; for future questions I would
suggest you post them in the server.security NewsGroup. I have included
them on this response.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails; any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.
jprstokato
2009-06-08 01:10:01 UTC
Many thanks for your reply, and points noted.
(Understood that the CA name must be the same.)
I still need to know whether the name of the 'server' that the CA is moved
to can / should be changed.
Regards, JPSR.
Paul Bergson [MVP-DS]
2009-06-08 12:10:46 UTC
Already answered. When I speak of the name, I'm not talking about the DNS name;
I'm talking about your machine name.

"If you change the name of your CA you break the trust and therefore you
break your CA. You HAVE to keep the CA the same name forever."
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails; any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.
Jorge Silva
2009-06-08 10:20:21 UTC
Hi
The suggestion is... Test it first in a lab scenario. New servers with
a different name for this role are not supported (confirm it at MS or MS
security newsgroups).
If possible, create a new and clean CA on the new server and stop issuing certs
from the old one until they expire.
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services