
Active Directory Certificate Services Migration Guide

Updated: June 2012

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2012, Windows Storage Server 2008 R2

This document provides guidance for migrating a certification authority (CA) to a server that is running Windows Server® 2008 R2 from a server that is running Windows Server 2003, Windows Server 2003 R2, or Windows Server 2008. You can also migrate a CA from a server running Windows Server 2008 or Windows Server 2008 R2 to a server that is running Windows Server® vNext using these directions.

  • Administrators or IT operations engineers responsible for planning and performing CA migration to Windows Server 2008 R2 or Windows Server vNext.

  • Administrators or IT operations engineers responsible for the day-to-day management and troubleshooting of networks, servers, client computers, operating systems, or applications.

  • IT operations managers accountable for network and server management.

  • IT architects responsible for computer management and security throughout an organization.

This guide provides you with instructions for migrating an existing server that is running Active Directory® Certificate Services (AD CS) to a server that is running Windows Server 2008 R2 or Windows Server vNext. This guide does not contain instructions for migration when the source server is running multiple roles. If your server is running multiple roles, you should design a custom migration procedure that is specific to your server environment, based on the information provided in other role migration guides. To view migration guides for additional roles, see Migrate Server Roles to Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=128554).

Note
This guide can be used to migrate a CA from a source server that is also a domain controller to a destination server with a different name. However, migration of a domain controller is not covered by this guide. For information about Active Directory Domain Services (AD DS) migration, see Active Directory Domain Services and DNS Server Migration Guide (http://go.microsoft.com/fwlink/?LinkId=179357).

This guide supports migrations from source servers running the operating system versions and service packs listed in the following table. All migrations described in this document assume that the destination server is running Windows Server 2008 R2 or Windows Server vNext (either the full or Server Core installation option) on x64-based hardware.

 

| Source server processor | Source server operating system | Destination server operating system | Destination server processor |
|---|---|---|---|
| x86-based or x64-based | Windows Server 2003 with Service Pack 2 | Windows Server 2008 R2, both full and Server Core installation options | x64-based |
| x86-based or x64-based | Windows Server 2003 R2 | Windows Server 2008 R2, both full and Server Core installation options | x64-based |
| x86-based or x64-based | Windows Server 2008 | Windows Server 2008 R2 or Windows Server vNext, both full and Server Core installation options | x64-based |
| x64-based | Windows Server 2008 R2 | Windows Server 2008 R2 or Windows Server vNext, both full and Server Core installation options | x64-based |

  • Procedures to upgrade to Windows Server 2008 R2 or Windows Server vNext

  • Procedures to migrate additional server roles

  • Procedures to migrate additional AD CS role services

In general, migration is not required for the following AD CS role services. Instead, you can install and configure these role services on computers running Windows Server 2008 R2 or Windows Server vNext by completing the role service installation procedures. For information about the impact of CA migration on other AD CS role services, see Impact of migration on other computers in the enterprise.

The CA migration procedures described in this guide include decommissioning the source server after migration is completed and CA functionality on the destination server has been verified. If the source server is not decommissioned, then the source server and destination server must have different names. Additional steps are required to update the CA configuration on the destination server if the name of the destination server is different from the name of the source server.

During migration, the CA cannot issue certificates or publish CRLs.

To ensure that revocation status checking can be performed by domain members during CA migration, it is important to publish a CRL that is valid beyond the planned duration of the migration.

Because the authority information access and CRL distribution point extensions of previously issued certificates may reference the name of the source CA, it is important to either continue to publish CA certificates and CRLs to the same location or provide a redirection solution. For an example of configuring IIS redirection, see Redirecting Web Sites in IIS 6.0 (http://go.microsoft.com/fwlink/?LinkID=179366).

To install an enterprise CA or a standalone CA on a domain member computer, you must be a member of the Enterprise Admins group or Domain Admins group in the domain. To install a standalone CA on a server that is not a domain member, you must be a member of the local Administrators group. Removal of the CA role service from the source server has the same group membership requirements as installation.

The simplest CA migration can typically be completed within one to two hours. The actual duration of CA migration depends on the number of CAs and the sizes of CA databases.

© 2014 Microsoft