2003 to 2008 CA Migration
Our current CA environment consists of a Windows 2003 Enterprise root CA (non DC), and a Windows 2003 Enterprise subordinate CA (DC). Our domain migration to 2008R2 is nearly complete, but I need to migrate the CAs to 2008. The root CA will remain, but I intend to 'upgrade' this in place to Windows 2008 (not R2) as the current install is 32-bit. The subordinate CA role on the DC will be migrated to a new Windows 2008 R2 DC that will take over the same hostname/IP as the one it's replacing. So my current thinking is:
1. First, upgrade the root CA from 2003 to 2008. This should, at the same time, upgrade the CA installation, and once complete, continue to work as normal.
2. Next, back up the CA role settings using documented methods on the current subordinate CA, bring the new 2008R2 DC online (with same hostname/IP as old one), then restore the CA environment. My investigation shows that as long as the hostnames are the same, the restore should work ok.
I'm really looking for someone to sanity check this proposal and tell me if it should work ok. Is there anything I need to be careful of, or any other issues that could arise from this plan?
January 11th, 2011 8:40am
This should work, but putting the DC and the CA on the same box is a really poor design.
If you have archived encryption certs, then you should proceed (lesser of two evils).
If you do not have archived encryption certs, I would consider setting up a new R2 CA.
Brian
January 11th, 2011 4:32pm
Have you read the CA migration guide?
http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx
January 12th, 2011 12:31am
> This should work, but putting the DC and the CA on the same box is a really poor design.
> If you have archived encryption certs, then you should proceed (lesser of two evils).
> If you do not have archived encryption certs, I would consider setting up a new R2 CA.
> Brian
Interesting you say having a CA on the same box as a DC is poor design. We've always run with this, and it's been fine. We have a separate forest root from our primary child domains (that users log in to), and the subordinate CA resides on a root DC. It's secure and locked down, and allows us to request certs from any of the child domains. Keeping the root CA on a non-DC was a design decision, and this CA is a member of the forest root domain.
Thanks for checking my sanity anyway. I'm going to proceed with the root CA upgrade in the next day or so, then do the sub-CA migration after that.
January 12th, 2011 8:23am
> Have you read the CA migration guide?
> http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx
Yes. When I said I was doing the migration using 'documented methods', this was pretty much what I was referring to. Lots of info in that document, but not all is relevant, so you just have to pick the parts that are.
January 12th, 2011 8:25am
I've just been reading this document, which implies the following for moving a CA from 2003 to 2008. Either:
1. Upgrade the 2003 server to 2008, then perform the CA backup and restore to the new 2008 server (with the same name)
or
2. Perform a CA backup of the 2003 server, restore this to the new 2003 server, then upgrade this to 2008.
Neither of these implies you can perform a CA backup of a 2003 server and restore this directly to a 2008 server; I have to either upgrade the source server beforehand or the destination server afterwards.
Can you confirm this?
January 12th, 2011 11:59am
Hi,
We can back up the CA on a Windows Server 2003 computer and restore it directly on a Windows Server 2008 computer.
http://technet.microsoft.com/en-us/library/ee126140(WS.10).aspx
January 16th, 2011 10:14pm
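The source-side backup step discussed in this thread, as an added example (not posted by any participant and not copied from the linked guide): a batch script for the old subordinate CA that captures the database, the CA key pair and the registry configuration with certutil and reg. The C:\CABackup path and the file names are assumptions.

```batch
@echo off
rem Added example: back up a Windows Server 2003 CA before moving it to a new host.
rem Assumptions: run as a local administrator on the CA; BACKUP_DIR does not exist yet.
setlocal
set BACKUP_DIR=C:\CABackup
set CERTSVC_KEY=HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration

if exist "%BACKUP_DIR%" (
    echo %BACKUP_DIR% already exists. Use a new, empty directory.
    exit /b 1
)
mkdir "%BACKUP_DIR%\ca" || exit /b 1
mkdir "%BACKUP_DIR%\config" || exit /b 1

rem Record the CA name and CSP settings; the restored CA must match them.
certutil -cainfo name > "%BACKUP_DIR%\config\caname.txt" || goto :fail
certutil -getreg CA\CSP\* > "%BACKUP_DIR%\config\csp.txt" || goto :fail

rem List the templates this enterprise CA issues, to re-check after the restore.
certutil -catemplates > "%BACKUP_DIR%\config\templates.txt" || goto :fail

rem Back up the certificate database and logs (Certificate Services must be running).
certutil -backupdb "%BACKUP_DIR%\ca" || goto :fail

rem Back up the CA certificate and private key as a PKCS #12 file.
rem certutil prompts for a password here; the file it writes holds the CA private key.
certutil -backupkey "%BACKUP_DIR%\ca" || goto :fail

rem Export the CA registry configuration.
reg export "%CERTSVC_KEY%" "%BACKUP_DIR%\config\certsvc-config.reg" || goto :fail

echo Backup complete in %BACKUP_DIR%
exit /b 0

:fail
echo A backup step failed. Leave the old CA in place until the backup succeeds.
exit /b 1
```

On the destination server, after the CA role has been installed with the existing key pair from the .p12 file, the database is restored with `certutil -f -restoredb` while Certificate Services is stopped. Move the .p12 file to offline storage once the migration is verified, since anyone holding it and its password can sign as the CA.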
Hi,
How are you? Just want to confirm if you need further information.
January 21st, 2011 1:00am


