Forum Discussion
csangalli01
May 03, 2023 Copper Contributor
Install CA from scratch, already have an existing one
Dear all, I'm moving my domain controller from Windows Server 2012 R2 to Windows Server 2022. I already moved all FSMO roles, DHCP and DNS services. On the old domain controller I also had certifi...
May 03, 2023
Yes, you can install the CA role on a new dedicated virtual machine from scratch. It will not affect your domain-joined PCs at all.
Make sure that if you created templates on your old CA and need them on the new CA, you recreate them there.
Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.
csangalli01
May 04, 2023 Copper Contributor
Thank you for the clarification.
Considering that this is a small domain with 5/6 virtual servers and more or less 10 clients, a 2-tier PKI would probably be pointless for our needs.
I have a doubt: the domain is a member of a forest, together with 4 other domains.
Can this have an impact on the CA service activity?
Alban1998
May 04, 2023 Iron Contributor
Yes, if other domains also rely on the old PKI. You will need to audit each domain for certificate usage, and update them if necessary.
A 1-tier PKI is very easily compromised, and if it's compromised, so is your entire forest. If you need to manage a very small number of clients, a public certificate may be a better option.
csangalli01
May 04, 2023 Copper Contributor
Ok, the configuration actually is that each domain has its own CA installed on the domain controller.
We don't have any need to exchange certificates from one domain to the other.
Actually, the only need we have is being able to query our Active Directory via LDAPS (each domain with its own CA).
Alban1998
May 04, 2023 Iron Contributor
Then you will have the same issue on every domain: mixing the AD DS and AD CS roles is not supported, and it will prevent you from migrating your domain controllers until you uninstall AD CS.
For the short term, your migration plan is solid. For the long term, you may want to review your current Active Directory architecture:
For example, you could use a single PKI for the entire forest. Or merge all domains into a single one, if each of them holds a very limited number of clients.
csangalli01
May 04, 2023 Copper Contributor
Yes, you're right, our plan is to migrate all domain controllers in all domains to Windows Server 2022 and separate the DC role from the CA service.
The opportunity of having a single CA for the whole forest is really interesting.
Do you have any link for checking how to do it?
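Two checks from this thread are worth scripting before and after the migration: which enterprise CAs exist in the forest and whether any of them sits on a domain controller (the AD DS + AD CS co-location Alban1998 describes), and whether LDAPS on every DC still presents a certificate that chains to a trusted CA once the old CA is gone. The script below is an added example written for this page, not something posted in the thread or shipped by Microsoft. It assumes the ActiveDirectory RSAT module, an account with read access to the forest's Configuration partition, and LDAPS on the default port 636; all cmdlets and .NET types used are standard Windows PowerShell.

```powershell
# Added example (not from the thread): inventory enterprise CAs across the forest,
# flag CAs that are co-located with a domain controller, and test LDAPS on every DC.
# Assumptions: RSAT ActiveDirectory module installed, forest-wide read account, LDAPS on 636.
Import-Module ActiveDirectory

function Get-ForestCaInventory {
    # Enterprise CAs from every domain are published under Enrollment Services in the
    # Configuration partition, so one query covers the whole forest.
    $forest   = Get-ADForest
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $esBase   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    $cas = Get-ADObject -SearchBase $esBase -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                        -Properties dNSHostName

    # DNS names of all domain controllers in all domains of the forest.
    $dcNames = foreach ($domain in $forest.Domains) {
        (Get-ADDomainController -Filter * -Server $domain).HostName | ForEach-Object { $_.ToLower() }
    }

    foreach ($ca in $cas) {
        $caHost = $ca.dNSHostName.ToLower()
        [pscustomobject]@{
            CAName            = $ca.Name
            Host              = $caHost
            OnDomainController = ($dcNames -contains $caHost)   # AD DS + AD CS mixed: not supported
        }
    }
}

function Test-LdapsCertificate {
    # Opens a TLS session to the DC on 636, then validates the presented certificate chain
    # with the local machine's trust store (the new root CA must already be trusted here).
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        # Accept everything in the handshake callback so the certificate is always returned;
        # the chain is validated explicitly below instead of silently failing the handshake.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)

        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        [pscustomobject]@{
            Server   = $Server
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            ChainOK  = $chainOk                      # $false once the old CA is gone and untrusted
            NameOK   = ($dnsName -ieq $Server)       # certificate must name the DC we connected to
            Error    = $null
        }
    } catch {
        [pscustomobject]@{ Server = $Server; Issuer = $null; NotAfter = $null; ChainOK = $false; NameOK = $false; Error = $_.Exception.Message }
    } finally {
        $client.Dispose()
    }
}

# Report 1: CAs in the forest, with a warning for every CA that lives on a domain controller.
Get-ForestCaInventory | Format-Table -AutoSize

# Report 2: LDAPS health for every DC in the forest; rerun after the old CA is decommissioned.
$dcs = foreach ($domain in (Get-ADForest).Domains) { Get-ADDomainController -Filter * -Server $domain }
$dcs.HostName | ForEach-Object { Test-LdapsCertificate -Server $_ } | Format-Table -AutoSize
```

Run the inventory once before touching anything: any row with OnDomainController set to True is a DC that cannot be retired until AD CS is removed from it. Run the LDAPS report again after the new CA has issued the DC certificates and the old CA has been removed; a row with ChainOK False means that DC is still serving a certificate from the old CA (or the new root is not yet distributed to the machine running the check), and clients that verify chains will refuse the LDAPS bind.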