
move enterprise root ca

Posted by Patrik Nagel on September 13, 2006, 8:09 am
Is it possible to move (backup/restore) an enterprise root CA, in case of
a system or hardware crash, to a server with a *different name*? Is there
a white paper available?
The problem is that in case of a system or hardware failure the W2003
Enterprise Server (which also acts as a DC) with Certificate Services
installed has to be brought up again before the (delta) CRL expires. It
might be necessary to move the enterprise root CA shortly to another
running server.
All clients are using Smartcard Logon certificates...

Thanks in advance
Patrik


Posted by Brian Komar [MVP] on September 13, 2006, 6:13 pm
patrik.nagelREMOVE@THISsep.ch says...
> Is it possible to move (backup/restore) an enterprise root CA, in case of
> a system or hardware crash, to a server with a *different name*? Is there
> a white paper available?
> The problem is that in case of a system or hardware failure the W2003
> Enterprise Server (which also acts as a DC) with Certificate Services
> installed has to be brought up again before the (delta) CRL expires. It
> might be necessary to move the enterprise root CA shortly to another
> running server.
> All clients are using Smartcard Logon certificates...
>
> Thanks in advance
> Patrik
You cannot move an enterprise CA to a computer with a different domain and/or
computer name (just as the dialog box warned you when you installed
Certificate Services).

You can load the private key (if available) on another box and re-sign the CRL.
Look up the information shown when you type certutil -sign -?

Brian

Posted by Patrik Nagel on September 14, 2006, 8:50 am
Hello Brian

Brian Komar [MVP] wrote:
> You can load the private key (if available) on another box and re-sign the CRL.
> Look up the information shown when you type certutil -sign -?
OK, but can I publish the newly signed CRL with the same name in AD, so that
the clients can locate it with the LDAP URL (CDP) defined in the issued
certificates?

[Disaster Recovery]
We have implemented a single-tier hierarchy. The Enterprise Root CA is
issuing mainly certificates for Smartcard Logon and VPN Remote Access.
What happens if the CA goes down? If I understand things correctly, no
more certificates can be issued. But the users can still log on (more
than one DC is available) as long as the CRLs are valid. Right?

A test has shown that the users can still log in (online) even if the
delta CRL (in the local cache and AD) has expired. The minimum base CRL
(marked as critical in the extensions) is also available.
When does the smartcard login stop working? Is it when the base CRL has
also become invalid (expired)?

What are the best practices for Enterprise CA fault tolerance? I can't
find a useful white paper. Users should still be able to log in even if
the CA server is not available, so that we have time to repair the broken
CA server. Of course, during this time we aren't able to issue new
certificates.

Many thanks for any advice!
Patrik
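Brian's suggestion (load the CA's private key on another box and re-sign the CRL with certutil -sign) and Patrik's follow-up question about publishing it under the same name in AD, walked through as an added PowerShell example that is not from this thread. It assumes the CA certificate and private key have already been restored into the LocalMachine store of the stand-in server; the CA name, file paths and the sample issued certificate are placeholders, and the note on matching the -dspublish container to the certificate's CDP URL is an assumption, not something the thread confirms.

```powershell
# Added example, not from the thread. Assumes the CA certificate and private
# key were restored into the LocalMachine store of the stand-in server.
# Every name and path below is a placeholder.
$CaName     = "CONTOSO-ROOT-CA"                    # placeholder CA common name
$OldCrl     = "C:\crl\CONTOSO-ROOT-CA.crl"         # last CRL copied from the failed CA
$NewCrl     = "C:\crl\CONTOSO-ROOT-CA-resigned.crl"
$CaCert     = "C:\crl\CONTOSO-ROOT-CA.crt"         # exported CA certificate (public part)
$IssuedCert = "C:\crl\sample-smartcard-user.cer"   # any certificate issued by this CA

# 1. How much time is left? 'certutil -dump' prints ThisUpdate and NextUpdate;
#    clients reject the CRL once NextUpdate has passed.
certutil -dump $OldCrl | Select-String -Pattern "ThisUpdate|NextUpdate"

# 2. Re-sign the existing CRL with the CA key and a fresh validity window of
#    7 days 0 hours starting now. The list of revoked serials is unchanged.
#    -Cert selects the signing certificate by subject name; without it
#    certutil opens a certificate picker.
certutil -Cert $CaName -sign $OldCrl $NewCrl "now+7:0"
if ($LASTEXITCODE -ne 0) { throw "certutil -sign failed ($LASTEXITCODE)" }

# 3. Confirm the re-signed CRL verifies against the CA certificate before
#    anything is published.
certutil -verify $NewCrl $CaCert
if ($LASTEXITCODE -ne 0) { throw "re-signed CRL does not verify against $CaCert" }

# 4. The LDAP CDP URL baked into issued certificates is what clients query,
#    so read it from a real issued certificate first...
certutil -dump $IssuedCert | Select-String -Pattern "ldap:///"

# 5. ...and publish into AD. With no extra arguments -dspublish derives the
#    CDP container and object name from the CRL; if the DN printed in step 4
#    differs, pass them explicitly (assumption: this is how the "same name"
#    requirement from the follow-up question is met):
#    certutil -dspublish $NewCrl "<DSCDPContainer>" "<DSCDPCN>"
certutil -dspublish $NewCrl
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed ($LASTEXITCODE)" }

# 6. End-to-end revocation check from a client's point of view: -urlfetch
#    follows the CDP URLs in the certificate and reports which CRL it found.
certutil -verify -urlfetch $IssuedCert
```

Publishing to the CDP container requires Enterprise Admin (or equivalent delegated) rights, and the same steps apply to the delta CRL if clients are configured to require one.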
