Migrate and/or replace old cert server?
-
And if you are on 2008 R2, perfect time to consider moving to Samba4 instead of Windows.
-
@Dashrender said in Migrate and/or replace old cert server?:
@Mike-Davis said in Migrate and/or replace old cert server?:
@scottalanmiller said in Migrate and/or replace old cert server?:
@Shuey said in Migrate and/or replace old cert server?:
Is it common for every business/company that has a domain network to have a cert server for issuing/updating all of the AD account certificates?
Maybe I've lost my mind but... what is an "AD Account Certificate"?
You can integrate AD with certificate services so that the workstations use the certs for communication. I've never seen it done.
The only time I have used certificate services is to generate certificates for securing communication between Wireless APs and company owned devices.
While I haven't seen it, I've read about it in NPS (Network Policy Server) setups. The machine comes on the network, checks in with the NPS, and the NPS determines what VLAN it should be on, etc., etc.
We have that with ISE but I don't know if the certs are generated there or from something with the ISE server.
-
@Mike-Davis said in Migrate and/or replace old cert server?:
If your SharePoint server is on its own VM, and the only roles on your DC are the cert services, I would build a new DC, migrate your FSMO roles over, and back up the old DC. Then shut down the old DC and listen for the screams. If you hear nothing after a week or so, power it back up and demote it.
We already have a different server that has all of our FSMO roles, along with four other DCs besides this one, so we're good on the DC side of things.
One thing I'm worried about (mostly because of ignorance) is that, if I demote the server, it will cause some sort of issue with cert services, which could possibly cause issues with SharePoint.
Best case scenario would be that I could totally get rid of cert services and demote the server, SharePoint would keep working without any issues, and I could V2V this server and migrate it over to our ESXi environment! (Prior to learning what I did about Hyper-V today, I would've said P2V :P)
-
@Mike-Davis said in Migrate and/or replace old cert server?:
If your SharePoint server is on its own VM, and the only roles on your DC are the cert services, I would build a new DC, migrate your FSMO roles over, and back up the old DC. Then shut down the old DC and listen for the screams. If you hear nothing after a week or so, power it back up and demote it.
If it wasn't a DC, I would do a V2V right now. But I've heard doing a V2V of DCs is horribly frowned upon.
-
We have our own CA. Migration is pretty simple. Microsoft tells you exactly how to do it.
https://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx?f=255&MSPPError=-2147217396
-
@Shuey said in Migrate and/or replace old cert server?:
If it wasn't a DC, I would do a V2V right now. But I've heard doing a V2V of DCs is horribly frowned upon.
Yes, it generally is. But really only if you have more than one DC. If you only have the one, then you can move it.
-
@StrongBad said in Migrate and/or replace old cert server?:
Yes, it generally is. But really only if you have more than one DC. If you only have the one, then you can move it.
Thanks for the info - so in our case, a V2V is definitely a bad idea since we have 6 total DCs, lol.
So I guess to be safe, I better build a new CA, migrate all the info from the old one to the new one, THEN I can hopefully safely remove the cert services and demote the DC. THEN I can V2V it and move it to our ESXi environment (Until I learn how to build a new SharePoint server and migrate our DB over to it, lol)
-
@Shuey said in Migrate and/or replace old cert server?:
Thanks for the info - so in our case, a V2V is definitely a bad idea since we have 6 total DCs, lol.
Yeah, don't do that. Just make a new one then, no need to V2V.
-
@StrongBad said in Migrate and/or replace old cert server?:
Yeah, don't do that. Just make a new one then, no need to V2V.
I still need to do the V2V for what's left on it after I remove the CA and DC: SharePoint (because we want to re-purpose the old hardware with a clean slate).
-
@Shuey said in Migrate and/or replace old cert server?:
I still need to do the V2V for what's left on it after I remove the CA and DC: SharePoint (because we want to re-purpose the old hardware with a clean slate).
I see. Then yes, pull those parts off first.
-
@scottalanmiller You haven't lost your mind, but the issue might be one of terminology. We use AD certificate services to push out machine certs, which (right now) we use with establishing VPN connections.
-
/sigh quote failure.
-
@EddieJennings said in Migrate and/or replace old cert server?:
@scottalanmiller You haven't lost your mind, but the issue might be one of terminology. We use AD certificate services to push out machine certs, which (right now) we use with establishing VPN connections.
Dang, yet another good example! I guess I gotta keep doing more research so I can at least get more familiar with the reasons for having/using one, and see where/how that plays into our environment.
-
Something I've not been able to verify: Is it safe to demote the DC before backing up and/or migrating the cert services? If so, I'm going to demote it and do the V2V. This will still give me time to chip away at the cert side of this project while also being able to re-purpose the old hardware.
-
@Shuey said in Migrate and/or replace old cert server?:
Something I've not been able to verify: Is it safe to demote the DC before backing up and/or migrating the cert services? If so, I'm going to demote it and do the V2V. This will still give me time to chip away at the cert side of this project while also being able to re-purpose the old hardware.
Looks like I found my answer to this portion:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/d922860b-c8cd-4ed5-9b0b-05391c18afc0/demoting-a-domain-controller-with-a-ca-on-it?forum=winserversetup
-
I've had certificate services stopped and disabled for the last two weeks (in case anyone rebooted the server). I've not seen or heard of any issues, so I wanted to ask again: Do you think it's safe enough now for me to remove the cert services role from the server? Is there anything I might still be missing or haven't thought of?
-
@Shuey said in Migrate and/or replace old cert server?:
I've had certificate services stopped and disabled for the last two weeks (in case anyone rebooted the server). I've not seen or heard of any issues, so I wanted to ask again: Do you think it's safe enough now for me to remove the cert services role from the server? Is there anything I might still be missing or haven't thought of?
It is completely safe if you are sure that no other applications require local certs any longer.
Just make a standalone backup of the CA, just in case.
https://technet.microsoft.com/en-us/library/cc725565(v=ws.11).aspx
-
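Added example, not from any poster in this thread: a script that does the two things the reply above asks for before the role comes off, namely checking whether anything still obtains certificates from this CA and taking a standalone backup. The backup location and the 90-day "recent issuance" window are assumptions; the commands are stock certutil and reg, available on a 2008 R2 CA.

```powershell
# Added example (not from the thread): sanity checks and an offline backup of an
# AD CS CA before removing the role. Run in an elevated PowerShell on the CA itself.
# Hypothetical values: the backup location and the 90-day "recent issuance" window.
$BackupRoot = 'D:\CABackup'          # assumption: a volume only CA admins can read
$RecentDays = 90                     # assumption: how far back counts as "still in use"
$Since      = (Get-Date).AddDays(-$RecentDays).ToString('d')   # short date, current locale

# 1. Is the CA still issuing? Disposition=20 is "issued". Anything listed here means a
#    client (autoenrollment, NPS/802.1X, VPN, SharePoint SSL) still depends on this CA,
#    and stopping the service for two weeks would not have revealed it.
Write-Host "Certificates issued since $Since :"
certutil -view -restrict "Disposition=20,NotBefore>=$Since" -out "RequestID,RequesterName,CertificateTemplate,NotBefore,NotAfter"

# 2. Templates still published on this CA, and the CAs that AD advertises to clients.
#    An enterprise CA still listed in AD keeps receiving enrollment requests.
certutil -CATemplates
certutil -ADCA

# 3. Standalone backup (the step the linked TechNet page describes): CA database and
#    logs, the CA certificate with its private key as a password-protected PKCS#12,
#    and the CertSvc registry configuration. The .p12 is the CA's signing key; anyone
#    holding it can issue certificates the whole domain trusts, so treat the folder
#    like a domain admin credential.
$Target = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $Target -Force | Out-Null
$Password = Read-Host -Prompt 'Password to protect the exported CA key'
certutil -p $Password -backup $Target
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$Target\CertSvc-Configuration.reg" /y

# 4. Verify the backup holds what a restore or migration needs: <CAName>.p12 and a
#    DataBase folder with the .edb and its log files.
Get-ChildItem -Recurse $Target | Select-Object FullName, Length
```

Step 1 is the check the thread's "stop it and listen for screams" approach cannot give: a client whose certificate is still valid makes no noise until it tries to renew. An empty list for the chosen window, plus no templates in step 2, is the evidence that removal is safe; a non-empty list names the template and requester you still have to deal with first.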
@JaredBusch Thanks for the reply and info Jared!
-
Good times... I first followed Microsoft's instructions to revoke any existing certs with a "cease of operation", and then removed the role. Before the reboot, I was prompted with this error:
I included in the screenshot the command that I ran, which also gave an error...
I'm going to reboot the server, but I'm not feeling great about this so far, lol.
-
@Shuey said in Migrate and/or replace old cert server?:
If it wasn't a DC, I would do a V2V right now. But I've heard doing a V2V of DCs is horribly frowned upon.
Well, it's often (and IMPE) way more painful, especially if you do stupid things such as power the DC back on while you are trying to import it to your new hypervisor.
It can work so long as you have other DCs that can handle the functions. Just disable the AD services on the DC first, and then V2V (or export) and go from there.
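Added example, not from any poster in this thread: the checks a practitioner would run before taking a DC out of service, followed by the "disable the AD services first" step the reply above describes, gated behind a switch so the read-only checks can be run on their own. It assumes the ActiveDirectory module is present (it is on 2008 R2 and later) and that the DC being retired is the local machine; the service list is an assumption about which services make the exported copy "come back to life" as a DC.

```powershell
# Added example (not from the thread): read-only checks before pulling a DC out of
# service, then the "disable AD services first" step, only when -DisableADServices is
# given. Run elevated on the DC being retired. Assumption: that DC is the local host.
param([switch]$DisableADServices)
$ThisDC = $env:COMPUTERNAME
Import-Module ActiveDirectory

# 1. None of the five FSMO roles may live on the DC being removed.
$Domain  = Get-ADDomain
$Forest  = Get-ADForest
$Holders = @($Domain.PDCEmulator, $Domain.RIDMaster, $Domain.InfrastructureMaster,
             $Forest.SchemaMaster, $Forest.DomainNamingMaster)
$Local = $Holders | Where-Object { $_ -eq $ThisDC -or $_ -like "$ThisDC.*" }
if ($Local) { throw "FSMO role(s) still on $ThisDC : $($Local -join ', '). Move them first." }

# 2. Other DCs must exist and replication must be healthy; otherwise demotion (or the
#    metadata cleanup that follows a failed one) is where the pain starts.
$Others = Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $ThisDC }
if (-not $Others) { throw "$ThisDC is the only DC; do not demote or disable AD here." }
$Others | Select-Object Name, Site, IsGlobalCatalog, OperatingSystem | Format-Table -AutoSize
repadmin /replsummary
dcdiag /test:replications /test:advertising

# 3. Only once the checks pass: stop and disable AD DS so an exported copy cannot boot
#    as a second, stale instance of this DC (the "powered it back on during import"
#    failure mode). -Force also stops the services that depend on NTDS.
#    Assumption: these are the services worth disabling; add DNS if clients point here.
if ($DisableADServices) {
    Stop-Service -Name NTDS -Force
    foreach ($svc in 'NTDS', 'kdc', 'Netlogon', 'DFSR', 'NtFrs') {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            Set-Service -Name $svc -StartupType Disabled
        }
    }
    Get-Service -Name NTDS, kdc, Netlogon | Format-Table Name, Status -AutoSize
}
```

Run it without the switch first and read the repadmin and dcdiag output; a DC that has not replicated in days is not one to demote, because the other DCs will never learn it left. With the switch, the DC stops answering as a DC before the export starts, which is what makes the later "power it back on by mistake" scenario harmless.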