StGeorgeMemberJun 22, 2011 at 3:32 am #155177
I have moved into a job where there are a number of old 2003 servers running as DCs. These need to be decommissioned.
I have some new 2008 servers that have been promoted to DC and have moved across the FSMO roles. I managed to demote a few servers but there are 3 which have certificate services installed. 2 of them are enterprise root CAs (on the same domain) and the other is an Enterprise Subordinate CA (on a child domain).
The 2 Enterprise root CA are still issuing certificate but 1 of them appear to have only issued 3 in the last 6 months. 2 to itself (domain controller cert template) and 1 to a user (Basic EFS).
The other enterprise root CA is still issuing certificate too, they are mostly computer certificates, 1 or 2 user ones and a number to itself as a domain controller.
The subordinate CA while it has Certificate services installed, it is not running as it would appear the CA certificate has expired and the service for CA will not start untill new CA certificate is renewed. I don’t know how long it has not been running for or what certificates are issued.
Now I have been looking at the migration guides for certificate authorities from 2003 to 2008 on the microsoft site but they talk about changing the server names on the destination server to match the old one however I don’t want to do this as the new servers are DCs already and I don’t want to change their names.
Few questions regarding the existing servers, is it possible to have 2 enterprise root CAs on 1 domain? Why is one of them issuing only 3 certificates? Why do all the computers go to the other enterprise root CA?
Would I be best decommissioning the existing 2003 servers and CAs and then installing new ones on the 2008 DCs and starting fresh?
Thanks in advance.
You must be logged in to reply to this topic.