Forum Discussion
csangalli01
May 03, 2023, Copper Contributor
Install CA from scratch, already have an existing one
Dear all,
I'm moving my domain controller from Windows Server 2012 R2 to Windows Server 2022.
I already moved all FSMO roles, DHCP and DNS services.
On the old domain controller I also had certification authority service.
I already found a guide that explains how to move this service, but it keeps the CA name and I prefer to start from scratch.
Is it possible to completely uninstall the old CA from the old domain controller and install the CA service on a new dedicated virtual machine?
What would be the impact on the PCs joined to the domain (Windows 7 and Windows 10)?
I need CA only for LDAPS queries.
Thanks and regards,
Cristian
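Before removing the old CA it helps to know which certificate each domain controller currently presents on LDAPS and which CA issued it; that is the certificate the domain-joined clients are relying on. The script below is an added example, not part of the original post or any poster's reply: it opens a TLS session to TCP 636, reports the server certificate, checks whether it chains to a root trusted on the local machine, and lists the enrollment services published in the forest's configuration partition (the place other domains in the same forest look for CAs). The host name is a hypothetical placeholder, and the last section assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from the thread): inspect the certificate a DC serves on
# LDAPS and which CA issued it. If that issuer is the CA you are about to
# remove, LDAPS clients will break once the chain is no longer trusted.
param(
    [string]$DomainController = 'dc01.corp.example.com',   # assumption: hypothetical DC
    [int]$Port = 636
)

$client = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
# Accept any server certificate in the callback: we want to inspect it even when
# the chain is untrusted on this machine. Trust is evaluated separately below.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($DomainController)
    # Copy the cert out as DER so it survives disposing the stream
    $der  = $ssl.RemoteCertificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
} finally {
    $ssl.Dispose(); $client.Dispose()
}

[PSCustomObject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer      # the CA you must keep trusted until this cert is replaced
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
    SANs       = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                  ForEach-Object { $_.Format($false) })
} | Format-List

# Does the chain build against this machine's trust store? Revocation is skipped
# here because the old CA's CRL may already be unreachable; test that separately.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain builds to trusted root: $($root.Subject)"
} else {
    "Chain does NOT build: " + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
}

# Enterprise CAs published in the forest (configuration partition, so every
# domain in the forest sees the same list). Requires the ActiveDirectory module.
$pks = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -SearchBase "CN=Enrollment Services,$pks" -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName |
    Select-Object Name, dNSHostName
```

Run it against every DC in the domain, not just the one being replaced: a DC whose LDAPS certificate was issued by the old CA will keep serving it until the certificate is replaced, regardless of where the CA role lives.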
- Yes, you can install the CA role on a new dedicated virtual machine from scratch. It will not affect your domain-joined PCs at all.
Make sure that if you have templates created on your old CA and you need them on the new CA, you mimic them there.
Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.
- Alban1998, Iron Contributor
Hello,
You may have multiple PKI working side-by-side within the same Active Directory without issues, so you can even install the future one before removing the old one, as long as you distribute corresponding certificates in time.
Keep in mind that a single-server PKI (1-tier) isn't supported by Microsoft in production environments; you must implement a 2- or 3-tier PKI to match their prerequisites.
- csangalli01, Copper Contributor
Thank you for the clarification.
Considering that this is a small domain with 5/6 virtual servers and more or less 10 clients, a 2-tier PKI would probably be pointless for our needs.
I have a doubt: the domain is a member of a forest, together with 4 other domains.
Can this have an impact on the CA service activity?
- Alban1998, Iron Contributor
Yes, if other domains also rely on the old PKI. You will need to audit each domain for certificate usage, and update them if necessary.
A 1-tier PKI is very easily compromised, and if it's compromised, so is your entire forest. If you need to manage a very small number of clients, a public certificate may be a better option.
- csangalli01, Copper Contributor
Thanks for your kind reply,
I confirm that I don't have any templates created before.
So, the steps to take are:
- completely uninstall the Certification Authority role from the old Domain Controller
- reboot the old Domain Controller
- install the CA role on the new dedicated virtual machine
- demote the old domain controller
Am I right?
- Correct. Make sure that if your old domain controller holds the FSMO roles, you move them before you sunset the server.
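The four steps agreed on above, written out as PowerShell with the checks a practitioner would want between them. This is an added example and not code from any poster in the thread. All host and CA names are hypothetical placeholders (old DC "DC2012", new DC "DC2022", new CA host "CA01", CA name "CORP-ROOT-CA"); the cmdlets come from the ServerManager, ADCSDeployment, ADCSAdministration, ActiveDirectory and ADDSDeployment modules, and each section is meant to be run on the host named in its comment.

```powershell
# Added example (not from the thread): CA removal, fresh Enterprise Root CA on a
# dedicated VM, LDAPS re-enrollment on the DC, then demotion of the old DC.
# Names below are assumptions, not values from the thread.

## 0. On any DC: confirm the FSMO roles already left the old server (DC2012)
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

## 1. On the old DC (DC2012): remove the CA. This also deletes the CA's
##    enrollment-service objects under CN=Public Key Services in the forest's
##    configuration partition, which is what the other domains in the forest see.
Uninstall-AdcsCertificationAuthority -Force

## 2. Remove the role binaries and reboot (the "reboot the old DC" step)
Uninstall-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools -Restart

## 3. On the new member server (CA01, deliberately not a DC): install an
##    Enterprise Root CA under a fresh name. Enterprise (not Standalone) so the
##    root is published to AD and domain members trust it via autoenrollment.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName 'CORP-ROOT-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

##    "Kerberos Authentication" is normally published by default on a new
##    enterprise CA; it carries the Server Authentication EKU and the DC's DNS
##    name, which is all LDAPS needs. Publish it only if it is missing.
if (-not (Get-CATemplate | Where-Object Name -eq 'KerberosAuthentication')) {
    Add-CATemplate -Name KerberosAuthentication -Force
}

## 4. On the new DC (DC2022): pick up the new root and enroll now instead of
##    waiting for the autoenrollment timer
gpupdate /force
certutil -pulse
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like 'CN=CORP-ROOT-CA*' -and
                   $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint

##    Tell the LDAP server to re-read its certificate without a reboot
##    (the rootDSE renewServerCertificate operational attribute)
@"
dn:
changetype: modify
add: renewServerCertificate
renewServerCertificate: 1
-
"@ | Set-Content -Encoding ASCII -Path "$env:TEMP\renew.ldf"
ldifde -i -f "$env:TEMP\renew.ldf"

## 5. On the old DC (DC2012): demote it once LDAPS on DC2022 is confirmed to
##    present a certificate issued by CORP-ROOT-CA
Uninstall-ADDSDomainController `
    -LocalAdministratorPassword (Read-Host -AsSecureString 'Local admin password for DC2012') `
    -Force
```

Between steps 4 and 5, re-run the LDAPS inspection against DC2022 from a client: the issuer shown should now be CORP-ROOT-CA and the chain should build on a domain-joined machine after its own gpupdate. Only then does the old DC, and with it the last trace of the old CA, go away.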