Install CA from scratch, already have an existing one


Dear all,

I'm moving my domain controller from Windows Server 2012 R2 to Windows Server 2022.

I already moved all FSMO roles, DHCP and DNS services.

On the old domain controller I also had certification authority service.

I already found a guide that explains how to move this service, but it keeps the CA name and I prefer to start from scratch.


Is it possible to completely uninstall the old CA from the old domain controller and install the CA service on a new dedicated virtual machine?

What would be the impact on the PCs joined to the domain (Windows 7 and Windows 10)?


I need CA only for LDAPS queries.


Thanks and regards,
Cristian

Yes, you can install the CA role on a new dedicated virtual machine from scratch. It will not affect your domain-joined PCs at all.

Make sure that if you have templates created on your old CA and still need them on the new CA, you mimic them there.

Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.

Thanks for your kind reply,
I confirm that I don't have any templates created before.


So, the steps to take are:

  • completely uninstall Certification Authority role from the old Domain Controller
  • reboot the old Domain Controller
  • install the CA role on the new dedicated virtual machine
  • demote the old domain controller

Am I right?

Correct. Make sure that if your old domain controller holds the FSMO roles, you move them before you sunset the server.

Hello,
You may have multiple PKIs working side by side within the same Active Directory without issues, so you can even install the future one before removing the old one, as long as you distribute the corresponding certificates in time.
Keep in mind a single-server PKI (Tier 1) isn't supported by Microsoft in production environments - you must implement a Tier 2 or Tier 3 PKI to match their prerequisites.

Thank you for the clarification.
Considering that it is a small domain with 5/6 virtual servers and more or less 10 clients, a 2-tier PKI would probably be pointless for our needs.

I have a doubt: the domain is member of a forest, together with other 4 domains.
Can this have an impact on the CA service activity?

Yes, if other domains also rely on the old PKI. You will need to audit each domain for certificate usage, and update them if necessary.
Tier 1 PKIs are very easily compromised, and if it is compromised, so is your entire forest. If you need to manage a very small number of clients, a public certificate may be a better option.

Ok, the configuration actually is that each domain has its own CA installed on the domain controller.
We don't have any need for certificate exchange from one domain to the other.
Actually, the only need that we have is being able to query our Active Directory via LDAPS (each domain with its own CA).

Then you will have the same issue in every domain - mixing the AD DS and AD CS roles is not supported, and will prevent you from migrating your domain controllers until you uninstall AD CS.
For the short term, your migration plan is solid. For the long term, you may want to review your current Active Directory architecture:
For example, you could use a single PKI for the entire forest. Or merge all domains into a single one, if each of them holds a very limited number of clients.

Yes you're right, our plan is to migrate all domain controllers in all domains to Windows Server 2022 and split DC from CA service.


The opportunity of having a single CA for the whole forest is really interesting.

Do you have any link for checking how to do it?

Not much is required, as domains will automatically trust each other, and DNS resolvers should also do the work. Check the required certificate template permission changes and CA availability requirements in the Microsoft documentation.
You may also try to build your forest PKI right now, and slowly migrate your domains onto it.
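Since the thread's only stated dependency on the CA is LDAPS, the practical check after moving AD CS is whether each domain controller's LDAPS certificate comes from the new CA and chains to a root the clients trust. The following PowerShell is an added example, not code from anyone in this thread; it assumes it is run on a domain-joined client with the RSAT ActiveDirectory module installed.

```powershell
# Added example: report which CA issued each DC's LDAPS certificate and
# whether this client trusts it. Assumes RSAT ActiveDirectory module (assumption,
# not from the thread).
Import-Module ActiveDirectory

function Get-LdapsCertificate {
    param([string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept any certificate during the handshake; trust is evaluated
        # separately below so the reason for a failure can be reported.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Server)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

function Test-LdapsTrust {
    param([string]$Server)
    $cert  = Get-LdapsCertificate -Server $Server
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only; CRL reachability is a separate check
    $trusted = $chain.Build($cert)
    [pscustomobject]@{
        Server   = $Server
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer          # should name the NEW CA after the migration
        NotAfter = $cert.NotAfter
        Trusted  = $trusted              # False means clients will fail LDAPS to this DC
        Status   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# Check every DC in the current domain over LDAPS (TCP 636).
Get-ADDomainController -Filter * |
    ForEach-Object { Test-LdapsTrust -Server $_.HostName } |
    Format-Table -AutoSize

# Roots this client currently trusts: the decommissioned CA should no longer
# appear here once the AD-published roots have refreshed via Group Policy.
Get-ChildItem Cert:\LocalMachine\Root | Select-Object Subject, NotAfter | Sort-Object Subject
```

A DC that still presents a certificate issued by the old CA, or one whose Trusted column is False, is the one that will break LDAPS for the Windows 7 and Windows 10 clients mentioned above.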