Certificate Authority Migration Questions
We're looking at migrating our 2003 x86 CA to 2008 x64. I've seen the guide and the process looks fairly straightforward. I had a few questions regarding the process. The guide only seems to mention migrating to a server with the same name. What steps need to be performed when migrating to a different server name? Do I need to perform this migration during the off hours? Any outages caused by this? The only thing I foresee is logon problems with clients trying to download the CRL. From my understanding the clients will only request a new cert if they do not have it already, or it expires, thus communication to the CA from clients / servers is minimal.
October 24th, 2011 12:55pm

Changing the server name is not recommended although it is supported; this is mainly because you need to change a number of configuration parameters to include the old name to keep the old certificates valid. You basically need to hard code the old server name in the CDP and AIA URLs instead of the dynamic variables ServerShortName and ServerDNSName. If certificate issuance is critical then the answer is: yes, otherwise no! To ensure that revocation status checking can be performed by domain members during CA migration, it is important to publish a CRL that is valid beyond the planned duration of the migration by extending the validity period of the Base CRL and the Delta CRL. /Hasain
October 24th, 2011 1:15pm

Hi, I suppose you have found the following guide: Active Directory Certificate Services Migration Guide http://technet.microsoft.com/en-us/library/ee126170%28WS.10%29.aspx Also keep an eye on the post-tasks: AD CS Migration: Post-Migration Tasks http://technet.microsoft.com/en-us/library/ff519213%28WS.10%29.aspx The guides explain very well the risks and possible solutions to the migration with different target and source CA names. Best Regards, Spas Kaloferov [ MCITP: SA6 | EA6 | VA7 | EDA7 | DBA10 | DBD10 | BID10 | EMA14 | SPA14 ] NetShell Services & Solutions | "Design the future with simplicity and elegance" Visit me at: www.spaskaloferov.com | www: www.netshell-solutions.com This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
October 24th, 2011 1:43pm

What do you mean by hard code the "old" server name? Shouldn't I be hard coding the new server name after the migration? What's the difference between ServerShortName and ServerDNSName? I'm assuming ShortName=ServerName and DNSName=ServerName.domain.com.
October 25th, 2011 11:43am

These are internal variables the certificate services is using to construct the file name and the URL of a published CRL. ServerShortName is the hostname and ServerDNSName is the fully qualified DNS name. The problem is that the old server name is already part of the CRL URLs in all issued certificates (if you look at any issued certificate and go to the CRL Distribution Point) and you need to keep the "old" CRL published and valid until all old certificates have expired or been replaced by new ones. /Hasain
October 25th, 2011 11:48am

Can I modify these paths in the registry? I only see add/remove in the CA MMC.
November 4th, 2011 1:52pm

Yes, you can change the registry keys directly or remove and re-add the URLs with adjusted values using the MMC or certutil. The values of CACertPublicationURLs and CRLPublicationURLs are located under the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\CA_NAME] /Hasain
November 4th, 2011 2:14pm
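As an added example (not from the thread or from Microsoft), the PowerShell below reads CRLPublicationURLs from the registry key Hasain names, keeps every dynamic entry for the renamed CA, and adds a copy of each entry that used the %1 (ServerDNSName) / %2 (ServerShortName) tokens with the old names hard-coded and only the publish flags kept, so the old CDP locations keep receiving fresh CRLs while new certificates do not reference the old name. CA_NAME, OLD-CA and old-ca.corp.example are placeholders for the CA's configuration key and the old server's short and DNS names.

```powershell
# Added example: extend CRLPublicationURLs on a CA migrated to a new hostname.
# Placeholders (assumptions, replace with your own values):
$caName   = 'CA_NAME'                # key name under CertSvc\Configuration
$oldShort = 'OLD-CA'                 # old ServerShortName, token %2
$oldDns   = 'old-ca.corp.example'    # old ServerDNSName,   token %1

$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"
$current = (Get-ItemProperty -Path $regPath -Name CRLPublicationURLs).CRLPublicationURLs

function Add-OldNameLocations {
    param([string[]]$Entries, [string]$OldShort, [string]$OldDns)
    $result = @()
    foreach ($entry in $Entries) {
        # Keep the dynamic entry: it is what the renamed CA publishes to and
        # what goes into the CDP extension of certificates it issues from now on.
        $result += $entry
        if ($entry -match '%1|%2') {
            # Same location with the old names hard-coded, so the CDP object /
            # path that existing certificates point at keeps getting updated.
            $fixed = $entry -replace '%1', $OldDns -replace '%2', $OldShort
            # Entry format is "<flags>:<url>". Keep 1 (publish CRL) and 8 (publish
            # delta CRL); drop 2 and 64 (include in CDP / IDP of new certs).
            if ($fixed -match '^(\d+):(.*)$') {
                $keep = [int]$Matches[1] -band (1 -bor 8)
                if ($keep -ne 0) { $result += "${keep}:$($Matches[2])" }
            }
        }
    }
    return $result
}

$updated = Add-OldNameLocations -Entries $current -OldShort $oldShort -OldDns $oldDns
$updated | ForEach-Object { Write-Output $_ }   # review before applying

# certutil takes the multi-string as one argument with a literal \n between entries.
$joined = $updated -join '\n'
& certutil -setreg 'CA\CRLPublicationURLs' $joined

# Restart the service and publish a CRL so the old locations are populated now.
& net stop certsvc
& net start certsvc
& certutil -CRL
```

The http entry with the old hostname is only useful if that name still resolves to a web folder holding the CA's CRL file; CACertPublicationURLs (the AIA locations) can be handled the same way.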

