AD CS Upgrade and Migration Overview

Actualizado: mayo de 2008

Se aplica a: Windows Server 2008

Organizations interested in deploying Active Directory® Certificate Services (AD CS) may encounter a variety of questions while planning for and implementing the upgrade from a public key infrastructure (PKI) installed on an earlier Windows version. As part of the upgrade, organizations may want to migrate to new hardware, consolidate servers, implement new naming schemes or installation options, or otherwise change the configuration of their certification authority (CA) hierarchy, while preserving required configuration, historical data, and pending transactions.

This document discusses the planning and implementation of an upgrade and migration from an existing Windows-based PKI to AD CS. It describes in detail some common migration scenarios, identifies what is supported and what is recommended, and provides step-by-step instructions for the most common tasks. It also offers general guidance on how to create an upgrade and migration plan for your environment.

Certificate Services Terminology

The following terms are used in this document.

  • Active Directory Certificate Services. The server role in Windows Server® 2008 that provides the certificate infrastructure to enable scenarios such as secure wireless networks, Internet Protocol security (IPsec), Network Access Protection (NAP), Encrypting File System (EFS), and smart card logon.

  • Certification authority (CA). The AD CS role service that is used to issue and manage certificates. A PKI can include multiple CAs.

  • CA Web enrollment. The AD CS role service that provides a simple Web interface that allows users to perform tasks such as request and renew certificates, retrieve certificate revocation lists (CRLs), and enroll for smart card certificates.

  • Online Responder. The AD CS role service that implements the Online Certificate Status Protocol (OCSP) in Windows Server 2008.

  • Network Device Enrollment Service. The AD CS role service that implements the Simple Certificate Enrollment Protocol (SCEP).

  • Upgrade. The process of changing the underlying Windows version of an existing CA computer to a newer release. Usually, configuration settings are preserved during an upgrade and can be changed as part of normal configuration change management after the upgrade.

  • Migration. The process of moving an existing CA to a new environment while preserving CA functionality and certain CA-specific attributes. These attributes can include configuration settings required to support existing applications, historical and pending transactions, and the CA signing certificate and keys. Characteristics that are not specific to the CA (such as computer name) and CA properties (such as stand-alone versus enterprise CA type) may be changed in some migrations.

Adiciones de comunidad