Install and restore the Certification Authority for Windows SBS 2011 Essentials migration
Published: March 10, 2011
Updated: May 4, 2011
Applies To: Windows Small Business Server 2011 Essentials
To install the Certification Authority
On the Destination Server, click Start, point to Administrative Tools, and then click Server Manager.
In the Roles Summary section, click Add Roles.
On the Before You Begin page, click Next.
On the Server Roles page, select Active Directory Certificate Services, and then click Next.
On the Introduction to Active Directory Certificate Services page, click Next.
On the Select Role Services page, select Certification Authority and Certification Authority Web Enrollment, and then click Next.
On the Specify Setup Type page, select Standalone, and then click Next.
On the Specify CA Type page, select Root CA, and then click Next.
On the Set Up Private Key page, select Use existing private key, choose the Select a certificate and use its associated private key option, and then click Next.
On the Select Existing Certificate page, select the <ServerName>-CA certificate (where <ServerName> is the name of your Destination Server), and then click Next.
On the Configure Certificate Database page, select the default locations, or click Browse if you want to save the database or log file to a different location. Then click Next.
Confirm your selections, and then click Install.
When the wizard is finished, click Close, and then restart the server.
To restore the Certification Authority
Click Start, point to Administrative Tools, and then click Certification Authority.
In the Certification Authority console tree, right-click <ServerName>-CA (where <ServerName> is the name of your Destination Server), click All Tasks, and then click Restore CA.
If you are asked to stop Active Directory Certificate Services, click OK.
The Certification Authority Restore Wizard is run. Click Next on the Welcome page of the wizard.
On the Items to Restore page, select Private key and CA certificate and Certificate database and certificate database log, type or browse to C:\CA_Backup, and then click Next.
Note
For an incremental restore, first select the full backup file and complete the wizard. Then re-run the wizard, selecting subsequent incremental backup files.
On the Provide Password page, type a password for gaining access to the private key and the CA certificate file, and then click Next.
When the wizard has completed, click Finish.
You are asked if you want to start Active Directory Certificate Services. If you have additional incremental backups to restore, click No to re-run the wizard and continue restoring. If restoration is complete, click Yes to start Active Directory Certificate Services.
Configure CRL distribution list
Click Start, point to Administrative Tools, and then click Certification Authority.
Right-click the server and click Properties.
Click the Extensions tab.
In the list displayed, click the entry https://<ServerDNSName>/CertEnroll/<CaName><CRLNAMESUFFIX><DELATACRLALLOWED>.crl and ensure the following options are selected.
Include in CRLs. Clients use this to find the Delta CRL location.
Include in the CDP extension of issued certificates.
Click Add, and in the location field type https://<ServerDNSName>/CertEnroll/<CaName><CRLNAMESUFFIX><DELATACRLALLOWED>.crl
Click OK.
Under the Extensions tab, click the entry https://<ServerDNSName>/CertEnroll/<CaName><CRLNAMESUFFIX><DELATACRLALLOWED>.crl and ensure that the following options are selected:
Include in CRLs. Clients use this to find the Delta CRL location.
Include in the CDP extension of issued certificates.
Click OK to save your changes.
When you are asked to restart Active Directory Certificate Services, click Yes.
Next topic: Transfer the operations master roles for Windows SBS 2011 Essentials migration
Previous topic: Install Windows SBS 2011 Essentials in migration mode for Windows SBS 2011 Essentials migration