Migrating root CA from 2003 to 2012 R2
Hi all, I have a couple of questions about migrating a root certificate authority from Server 2003 to Server 2012 R2. I've been reading the following link which is pretty comprehensive except for a couple of small things....
technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
1) I would like to use a different server name, which seems fairly straightforward with some changes to the registry on the destination server. I understand though, and can see, that all certificates currently issued by the CA have a CRL Distribution Point of ldap:// CN=<<name of CA>>,CN=<<name-of-current-server>>,DN=CDP,CN=Public Key.
It's the CN=<<name of current server>> part that bothers me. Will revocation checks still work if the name of the CA server changes - i.e. will it still work on account of the <<name of CA>> part remaining the same?
2) I read something about issues going from a 32bit platform to a 64bit platform - is that applicable for in place upgrades only, or something I should be considering during the migration process?
Thanks
Hi,
The computer name, (hostname or NetBIOS name), does not have to match that of the original CA. However, the destination CA name must match that of the source CA. Further, the destination CA name must not be identical to the destination computer name.
Please go through the below article to do CA migration:
Active Directory Certificate Services Migration Guide for Windows Server 2012 R2
http://technet.microsoft.com/en-us/library/dn486797.aspx
Hope this helps.
Regards,
Yan Li
Similar Messages
-
PKI Migration from 2003 to 2012
Hi,
I need to migrate a PKI Win 2003 setup to a 2012 setup. Currently, I have one Root CA (W2003), 2 Sub CAs (2003) and one Sub CA (2008), and the future scenario would be one root (2012) and two Sub CAs (2012). Please let me know how we should proceed with the migration and the key points to look for. I would like to know how to make sure of successful template replication; also how autoenrolled certificates will be migrated. Please suggest.
Also, since there is no Enterprise version available in 2012, the Datacenter version will work for me for the Sub CA, right?
Thanks
Hi
Migrating a CA from 2003 to 2012 is almost the same as to 2012; we can refer to the following step-by-step article first:
How to migrate CA from Server 2003 to Server 2008 R2 – Part III Restore CA on Destination Server
http://blogs.technet.com/b/csstwplatform/archive/2012/04/30/how-to-migrate-ca-from-server-2003-to-server-2008-r2-part-iii-restore-ca-on-destination-server.aspx
More related KB:
AD CS Migration: Preparing to Migrate
http://technet.microsoft.com/en-us/library/ee126102(v=ws.10).aspx
AD CS Migration: Migrating the Certification Authority
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
Active Directory Certificate Services Migration Guide
http://technet.microsoft.com/en-us/library/ee126170(v=ws.10).aspx
I’m glad to be of help to you!
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Windows Migration from 2003 to 2012
Hi,
When I try to compile my VB6 code, it gives me "ActiveX component cannot create object" halfway through compiling. Please advise me how to get over the error.
Hi,
Did you have any migration issue during migration from 2003 to 2012?
There are several causes, for example
The class isn't registered.
A DLL required by the object can't be used, either because it can't be found, or it was found but was corrupted.
For more detail information, you could refer to this article:
http://msdn.microsoft.com/en-us/library/aa231060(v=vs.60).aspx
Meanwhile, the issue is more related to a VB6 code issue, so I suggest that you ask in the VB forums for more support:
https://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=vbgeneral
Regards.
-
When migrating from 2003 to 2012 Server, do all users and OUs in Active Directory go to Server 2012 or not?
Can I upgrade from 2003 to 2008 to 2012 or not?
Yes, you can add a 2012 server as a domain controller in your 2003 R2 functional level Active Directory. All AD information will replicate to the 2012 DC.
http://blogs.technet.com/b/canitpro/archive/2013/05/27/step-by-step-active-directory-migration-from-windows-server-2003-to-windows-server-2012.aspx
. : | : . : | : . tim -
Credentials needed to raise domain and forest level from 2003 to 2012 R2.
I migrated our environment from a single DC server 2003 to a single DC server 2012 R2. I followed the migration process that is documented by Microsoft and others.
However, I forgot to assign my account Enterprise Admin and Schema Admin before raising the domain and forest levels from 2003 to 2012 R2. My account did have domain admin. The GUI interface did not complain when I raised the level of the domain and then the forest.
So I am thinking everything is OK.
My question is am I going to have problems down the road with the AD environment?
Thanks for any help or opinions.
Using snapshots for a domain controller is not recommended, as USN rollback can occur. Although in Server 2012 using snapshots for DCs has been improved and made 'safer', I wouldn't use it as a backup solution.
But back to your problem, Beaulieu, is it a single domain/single forest design? And the issue is that you have no membership in Schema and Enterprise Admins, but you do have a domain admin?
Best Regards,
Jesper Vindum, Denmark
Systems Administrator
Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem. -
DNS EventID 4015 on PDC since Domain Migration from 2003 R2 = 2012
Hi,
following problem here:
2 Domain Controllers with AD Integrated DNS Zone, migrated from 2003 R2 to 2012. One Single Root Forest.
The Primary Domain Controller shows the DNS EventID 4015 every 2, 3 or 4 hours. No further error is available: (which may be empty) "".
Only on the Details pane you can find this Information:
======================================
- System
- Provider
[ Name] Microsoft-Windows-DNS-Server-Service
[ Guid] {71A551F5-C893-4849-886B-B5EC8502641E}
[ EventSourceName] DNS
- EventID 4015
[ Qualifiers] 49152
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2013-12-10T19:48:17.000000000Z
EventRecordID 2456
Correlation
- Execution
[ ProcessID] 0
[ ThreadID] 0
======================================
The Migration was made by the following steps:
Bring Up the first 2012 MigrationDC as 3rd DC to the Domain.
Move the FSMO Roles to the 2012 MigrationDC
DHCP Data migrated with Server Migration Tools, IAS Data exported with iasmigreader.exe
DCPromo DC1 (2003 R2) and Format C:
Install a fresh 2012 Installation on old DC1 and rename it again with the original Name DC1
DHCP Data migrated with Server Migration Tools, IAS Data exported with iasmigreader.exe
DCPromo DC2 (2003 R2) and Format C:
Install a fresh 2012 Installation on old DC2 and rename it again with the original Name DC2
Move Back the FSMO Roles to DC1
DCPromo the first 2012 MigrationDC
Metadata Cleanup for MigrationDC
DCDIAG /V /C shows no errors, all works good. The funny thing is that only DC1 shows the DNS EventID 4015 in the production environment. The only exception is that if you reboot DC1 (i.e. for maintenance, updates etc.) then the error appears on DC2, exactly at that time, if DC1 is temporarily not available and DC2 is under "load". If DC1 is back again, the Event 4015 ends on DC2 and comes back to DC1!!!
I backed up and restored DC1 and DC2 in a lab environment; the funny thing is that the EventID 4015 doesn't appear in the lab environment. The difference between prod and lab is: prod is bare metal with 2 teamed NICs, lab is Hyper-V VMs with 2 virtual teamed NICs. Same IPs etc... DNS NIC settings are the same.
It looks like you can only produce the error in the production lab if you have the DC under "load".
This event was discussed here more than one time in the forum, but the issues don't match 100% to my problem. No RODC is available in my prod environment, and the EventID 4015 has no further errors "" in the event log like in other posts.
Ace Fekay's blog: "Using ADSI Edit to resolve conflicting or duplicate AD Integrated Zones" was helpful for metadata cleanup, but it could not fix the EventID 4015. Because we had no problems with disappearing zones...
Maybe enabling NTDS verbose logging in the registry is helpful, but I don't know what I have to keep an eye out for?
The thread
http://social.technet.microsoft.com/Forums/windowsserver/en-US/c0d3adb4-67d2-470c-97fc-a0a364b1f854/dns-server-error-event-id-4015-after-replacing-domain-controller-with-another-using-same-name?forum=winserverDS seems to match my problem, but also no solution available...
Any ideas what causes this "ugly" Event without noticeable consequences?
-
Hi,
I'm looking to migrate an AD from Windows Server 2003 to Windows Server 2012 but I can't find all the requirements to do it.
I found that my Domain and Forest level have to be at least 2003, but nothing else.
I would be thankful for any information to make the migration successful.
Hello,
First of all, you have to upgrade to AD DS 2012: http://www.windowsitpro.com/article/scripting-tools-and-products/windows-server-2012-simplifies-active-directory-upgrades-deployments-143654
Once upgraded, you will be able to introduce new DCs running Windows Server 2012.
You have to promote your new DCs as DNS and GC servers and transfer all FSMO roles to them: http://support.microsoft.com/kb/255504
Once done, you will be able to demote all DCs. Of course, do the needed checks using
dcdiag and repadmin before proceeding.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer -
How to migrate DNS, DHCP Server from 2003 to 2012
Hi all,
I have one old server running Server 2003, and I need to migrate the DNS and DHCP server to Server 2012.
In all the articles I found, there are only migrations from 2003 to 2008 or 2008 to 2012.
Is there any way to migrate it?
Thanks.
Really confused why the "answer" to this thread states it can't be done, when clearly it can. This is the official approach (article dated Oct 2013):
Migrate DHCP Server to Windows Server 2012 R2
Within, you'll see that it says:
This guide provides instructions for migration of a DHCP server from a server that is running Windows Server 2003 or a later operating system to a server running Windows Server 2012 R2. Supported operating systems are listed in the following table.
Mike Crowley | MVP
My Blog --
Planet Technologies -
Migrating enterprise root CA from 2003 to 2008R2 - specific situation
So i have following setup:
Windows 2003R2 SP2 - owning all FSMO roles, root CA
Windows 2003R2 SP2 - DC
I want to upgrade the domain to Windows 2008 R2 and migrate the root CA. Since for CA migration it is essential that I preserve the same name, what would be the high-level order of actions?
1) move FSMO roles to 2nd win2k3 DC
2) backup CA
3) depromo and remove server from domain
4) join win2k8r2 to the domain under same name
5) restore CA on it
6) prepare forest/domain
7) DC promo
8) transfer FSMO roles
9) depromo and remove old servers
OR
1) move FSMO roles to 2nd win2k3 DC
2) join win2k8r2 to the domain
3) backup root CA
4) prepare forest/domain
5) depromo and remove ex win2k3 server from domain
6) rename win2k8 so it matches removed server
7) restore CA on it
8) DC promo
9) transfer FSMO roles
10) depromo and remove old servers
Biggest question is should I DC promo 1st and then restore CA or other way around?
I migrated but I have a few small issues:
1) after I restored the backup I can't see issued certificates
2) In certmgr.msc when I do Automatically enroll and retrieve certificates no templates are available, but when I go to the personal container and request a certificate I see templates and my cert requests finish fine. Also I tried auto enrol over IIS, which works, and over web form, which also works.
There is 1 more confusing step from this guide http://technet.microsoft.com/pt-pt/library/ee126140(v=ws.10).aspx#BKMK_RestoreReg
If the target CA's computer name is different from the source CA's computer name, search the file for the host name of the source CA computer. For each instance of the host name found, ensure that it is the appropriate value for the target environment. Change the host name, if necessary. Update the CAServerName value.
Important
If the host name is located in the .reg file as part of the CA name, such as in the Active value within the Configuration key or the CommonName value within the CAName key, do not change the setting. The CA name must not be changed as part of the migration. This means the new target CA must have the old CA's name, even if part of that name is the old CA's host name.
So do I change it since my new CA has a new name or not? I did change it but I'm not sure what the effect is, since I did not change the Common name and Active value, which contain the old CA name.
Comments? -
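The registry review step quoted from the migration guide above, as an added example that is not part of the original post or of the Microsoft guide: it walks a reg export of the CertSvc Configuration key, decodes REG_MULTI_SZ data (exported as hex(7), so a plain-text search misses host names inside it), and labels each occurrence of the source host name. The host OLDCA01, the CA name OLDCA01-Root-CA and the sample export are constructed for illustration.

```powershell
# Added example (constructed data): classify each place the source CA host name
# appears in a registry export of ...\Services\CertSvc\Configuration.

function ConvertFrom-RegHex {
    # Decode the comma-separated UTF-16LE bytes of a hex(2)/hex(7) value into strings.
    param([string]$Hex)
    $bytes = [byte[]]@($Hex -split ',' |
        Where-Object { $_ -match '^[0-9a-fA-F]{2}$' } |
        ForEach-Object { [Convert]::ToByte($_, 16) })
    if ($bytes.Length -eq 0) { return @() }
    $text = [System.Text.Encoding]::Unicode.GetString($bytes)
    return $text.Split([char[]]@([char]0), [System.StringSplitOptions]::RemoveEmptyEntries)
}

function Find-SourceHostInCaExport {
    param([string[]]$RegLines, [string]$SourceHost)
    $keep   = 'Keep: part of the CA name, must not change'
    $key    = ''
    $buffer = ''
    foreach ($raw in $RegLines) {
        $line = $buffer + $raw.Trim()
        if ($line.EndsWith(',\')) {
            # Hex data continues on the next line: drop the backslash and keep reading.
            $buffer = $line.Substring(0, $line.Length - 1)
            continue
        }
        $buffer = ''
        if ($line -match '^\[(.+)\]$') {
            # The key below Configuration is named after the CA, so it may embed the host name.
            $key = $Matches[1].Split('\')[-1]
            if ($key.IndexOf($SourceHost, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ Key = $key; Value = '(key name)'; Data = $key; Action = $keep }
            }
            continue
        }
        if (-not ($line -match '^"([^"]+)"=(.*)$')) { continue }
        $name = $Matches[1]
        $data = $Matches[2]
        if ($data -match '^hex\((2|7)\):(.*)$') {
            $strings = @(ConvertFrom-RegHex $Matches[2])       # REG_EXPAND_SZ / REG_MULTI_SZ
        } elseif ($data -match '^"(.*)"$') {
            $strings = @($Matches[1].Replace('\\', '\'))       # REG_SZ, undo .reg escaping
        } else {
            continue                                           # dword and binary values are skipped
        }
        foreach ($s in $strings) {
            if ($s.IndexOf($SourceHost, [StringComparison]::OrdinalIgnoreCase) -lt 0) { continue }
            $action = switch ($name) {
                'Active'       { $keep }
                'CommonName'   { $keep }
                'CAServerName' { 'Update to the target host name' }
                default        { 'Review: confirm the value suits the target environment' }
            }
            [pscustomobject]@{ Key = $key; Value = $name; Data = $s; Action = $action }
        }
    }
}

# Constructed sample export. The multi-string is encoded the way a .reg file stores it
# and wrapped onto two lines to exercise the continuation handling.
$urls = "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl`0" +
        "2:http://OLDCA01.corp.example/CertEnroll/%3%8%9.crl`0`0"
$hex  = ([System.Text.Encoding]::Unicode.GetBytes($urls) |
        ForEach-Object { $_.ToString('x2') }) -join ','
$sample = @(
    'Windows Registry Editor Version 5.00',
    '',
    '[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration]',
    '"Active"="OLDCA01-Root-CA"',
    '',
    '[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\OLDCA01-Root-CA]',
    '"CommonName"="OLDCA01-Root-CA"',
    '"CAServerName"="OLDCA01.corp.example"',
    ('"CRLPublicationURLs"=hex(7):' + $hex.Substring(0, 60) + '\'),
    ('  ' + $hex.Substring(60))
)

Find-SourceHostInCaExport -RegLines $sample -SourceHost 'OLDCA01' | Format-Table -AutoSize
```

For a real export, pass the lines of the saved .reg file (for example, read with Get-Content) instead of $sample.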
Hello
I am in the process of writing up the project plan for our company's upcoming migration off of our current Windows 2003 fileserver and on to Windows 2012. This is going to be a basic print/file server attached to a domain, with no real special requirements beyond perhaps DFS. There will be a large number of department directories as well as individual user folders that will need to be moved and I want to, as much as possible, guard against permissions being scrambled in the transition. Here are my questions - 1) Is there a good guide to such a migration somewhere to utilize as a reference, 2) what are best practices for keeping permissions intact through such a migration?
Thanks for any input!
Hi,
I agree with SMFX, you can use the migration tool. Here are the links to download the Migration Tools and the guide for Server 2012. Please go through the links beneath.
1. Install, Use, and Remove Windows Server Migration Tools
2. Migrate File and Storage Services to Windows Server 2012
Hope it helps!
Thanks. -
Migrating the CA from 2008 to 2012 PKI ?
Hi All,
I am using the HSM in my PKI environment and I am performing the migration of the CA from 2008 PKI to 2012 PKI. What I noticed is that if the private key of the CA is protected by an OCS card then I don't see the CA certificate while running the Microsoft wizard at the option to choose the existing certificate and private key, but if I change the protection of the private key to module or default protection then I am able to see the certificate and able to complete the migration.
So is there a way I can still do the migration of the CA without changing the protection of the private key from OCS to module or default protection?
Puneet Singh
Hi Brian,
I tried your solution but it's not working; please find the details below. Can you please let me know if I have missed anything while trying it.
Note : OCS card are PIN protected .
1) Install the nCipher software. (Successful)
2) Copy the %nfast_kmdata%\local folder and %nfast_kmdata%\config folders to the 2012 R2 server (Successful, verified by running enquiry and nfkminfo)
3) Import the CA certificate into the MY store (certutil -addstore my CA.crt) (Successful)
4) Re-attach the key (certutil -repairstore MY serialnumber) (Successful, as I got the below output)
C:\Program Files (x86)\nCipher\nfast\bin>certutil -repairstore MY "1d 37 f3 31 d2 06 b5 9c 43 3a 59 d3 d8 a2 96 90"
MY "Personal"
================ Certificate 0 ================
Serial Number: 1d37f331d206b59c433a59d3d8a29690
Issuer: CN=ROOT-CA-SRC-CA
NotBefore: 2/7/2015 12:23 PM
NotAfter: 2/7/2020 12:29 PM
Subject: CN=ROOT-CA-SRC-CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 5a b6 38 e9 fd bb e4 1c c8 a2 a0 94 b7 ba 45 c0 44 3a 5b 9a
Key Container = ROOT-CA-SRC-CA
Provider = nCipher Security World Key Storage Provider
Private key is NOT exportable
Signature test passed
CertUtil: -repairstore command completed successfully.
5) Run the installation wizard using the existing key pair (will now be visible) ( Failed : I started the wizard and I didn't see the cert
Please find the screen shot below
Puneet Singh -
In my project I am going to migrate Windows Server 2003 to 2012 R2 using IIS 6.0. Which parameters are changed, which parameters are not supported, and which modules need to change?
Please give the related answer as soon as possible; that would be a great help to me.
Thanks,
vamsikrishna.
1. This seems to be an incomplete description.
2. You can enable legacy technologies while installing roles and features.
3. For application pool(s) you should consult respective developer/vendor team(s) for help.
Regards
Milos -
Hello,
We are migrating the SSIS packages from 2005 to 2012.
I'm unable to convert the ActiveX Script Task from the 2005 version to 2012 because in the 2012 version the ActiveX Script Task doesn't exist.
Can anyone please let me know what is the alternative way to convert the ActiveX Script Task from the 2005 version to 2012?
Hi Vinay9738,
Have you tried to upgrade the SSIS 2005 packages to SSIS 2012 packages by using the SSIS Package Upgrade wizard? In certain cases, ActiveX script in SSIS won't work and we need to either modify the script or replace the ActiveX Script with stock SSIS tasks. You can find the mapping between some most common patterns used in DTS ActiveX Script and SSIS native tasks from the following link:
http://help.pragmaticworks.com/dtsxchange/scr/ActiveX%20Script%20Task.htm
Here is also a useful link about how to convert ADODB object of ActiveX Script to SSIS tasks:
http://help.pragmaticworks.com/dtsxchange/scr/FAQ%20-%20How%20to%20convert%20ADODB%20object%20of%20ActiveX%20Script%20to%20native%20SSIS%20Task.htm
Regards,
Mike Yin
TechNet Community Support -
"Migrating" computer variables from 2007 to 2012
I'm in the process of migrating server clients from a 2007 to 2012 environment. The computer objects all have quite a few computer variables associated with the objects that are used during OSD task sequences.
When we do a "bare-metal" build, the computer objects are deleted and recreated, and the variables are re-populated from a reference source of truth on the new object. So no problem there.
For the migration though, I was going to install the CM2012 client (basically upgrade the client from 2007) on the servers which will then have them register with the CM2012 site. However when this happens the variables won't be applied to the 2012 computer object.
I have a few ideas to resolve this, but was wondering if anyone else had already dealt with this situation?
Some thoughts I was considering:
1: Orchestrator job that identifies "new" computer objects in 2012 and regenerates the variables from the source of truth
2. Powershell/WMI/VBScript that reads the variables from the 2007 computer object and "copies" them to the 2012 object
Any other thoughts or suggestions welcome
Scott.
Thanks Torsten, I do appreciate the replies, but I will have to respectfully disagree with the question being answered perfectly.
I had asked "...was wondering if anyone else had already dealt with this situation?". I don't actually see how an answer of "I've never done this, but use powershell" is the perfect answer. This would also not serve to help any other people that might come across this post looking for a similar solution. I had marked that post as "helpful", but did not "mark as answer" because it didn't actually offer anything beyond what my first post already stated.
However, I'm not looking to argue. I'll post any powershell scripts or other things I end up using to help anyone else who comes across this post. There are far too many posts in the TechNet forums that just seem to get automatically closed as answered when there is no real answer provided. -
Active Directory Migration from 2003 to 2012 Process Flow
We are planning to migrate from Windows Server 2003 AD to Windows Server 2012 for 6000 users.
Can anyone advise on the following:
1) What is the best and safest way to do the migration?
2) What precautions should we take?
3) How much downtime will it take?
4) If the migration fails, how can we revert to the earlier state?
5) How to do the migration step by step
Current Environment:
Domain Having One PDC(server 2003 R2) and 8 ADC(Server 2003 R2) in Different Locations
PDC having All FSMO Roles and Global Catalog
Exchange server 2007 was integrated to Active Directory
And some applications are integrated with Active Directory
1) I would recommend you first run a test of the steps in test before you do this in production. Otherwise your production becomes test.
2) By doing in test, you have taken a large amount of the risk out of the upgrade since, in test you should be able to look for any unforeseen issues. The easiest way to test is to build a virtual fence from production and clone the DCs and member servers that you want to test against (this is assuming you are running in a virtual environment). Ensure that your production environment is error free.
http://blogs.dirteam.com/blogs/paulbergson/archive/2009/01/26/troubleshooting-active-directory-issues.aspx
3) There should be no downtime at all, you can just extend the schema and then promote a new 2012 DC (I would recommend R2 if you can).
4) Before you do the schema extension you should take 2 backups on two different DC's. Taking two gives you less of a chance of a problem if one of the backups fails.
5)
Take a backup
Extend the schema
Join the 2012 R2 servers to the domain
Add the ADDS role to the 2012 R2 member servers
Promote the 2012 R2 DC's
Transfer the FSMO roles to the 2012 R2 DC's (Not required but recommended)
If you want to retire the 2003 DC's, then you will need to make sure that any clients pointing to the 2003 DC's for DNS are pointing to other DC's.
If you do retire the 2003 then you can think about updating the DFL and FFL of the domain and forest.
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security, BS CSci
2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup.
This posting is provided AS IS with no warranties, and confers no rights.