    Migrate and/or replace old cert server?

    IT Discussion
      Shuey

      I've been administering a network that I took over about 4 years ago, and I'm at another hurdle that I need to figure out. We have a single Windows 2008 R2 server that currently acts as a DC, our cert server, and our SharePoint server (which has outside access configured so our staff can access it from home to check schedules for instance).

      First let me say that I know nothing about certificate services, IIS or SQL (all three of which are currently configured and running on this server).

      1. What I'd like to do is set up a new cert server (one that can either "take over" by simply becoming the "new cert server", or by migrating the info from the old server to the new / and I currently have no idea which of those scenarios is possible or best practice).

      2. I'd also like to demote this server so it's no longer a DC (but from what I've read online so far, if a DC is also a cert server, demoting it can cause issues if the cert services aren't migrated or removed first).

      3. Finally, I'd like to eventually build a new replacement SharePoint server, BUT, in the meantime, I was considering doing a P2V of what's left of this server (essentially just an old SharePoint server) that we can host in our current VMware infrastructure, and then I can re-purpose the hardware that it used to be hosted on. Replacing SharePoint will be another project all on its own, especially since I know nothing about SharePoint installation, configuration, etc.

      I'm really excited to take on these projects! I just need to overcome some of my initial fears of what seem like scary projects since I'm so green in these areas. My initial research has been overwhelming, so I'm trying to take my time and tread carefully.

      Any advice or direction is greatly appreciated! 🙂

        Mike Davis @Shuey

        @Shuey I don't know your whole environment, but if you are talking about SSL certs in IIS, you get them third-party (GoDaddy, cheapssl.com, etc.) so you don't need certificate services for that.

        To see what you're currently using, there are a few ways to do that. The easiest is to open the https version of your SharePoint site, and click on the lock in the browser. Then click details and view certificate. If it's third-party, it will tell you who issued it. If it was generated by your server, it will say the name of the server there.

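        The same check Mike describes, done from PowerShell instead of the browser lock icon. This is an added example, not code from the thread; the site name is a placeholder, and the script only inspects the certificate the site presents (it does not change anything).

```powershell
# Added example: fetch the TLS certificate an HTTPS site presents and report who issued it.
# $SiteHost is a placeholder; replace it with the SharePoint site's external name.
$SiteHost = 'sharepoint.example.com'
$Port     = 443

$tcp = New-Object System.Net.Sockets.TcpClient($SiteHost, $Port)
try {
    # Accept whatever certificate comes back: the goal is to look at it, not to trust it.
    $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($SiteHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose()
}
finally {
    $tcp.Close()
}

$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
[pscustomobject]@{
    Subject   = $cert.Subject
    # For a public CA this is the vendor's CA name; for the in-house CA it is that CA's
    # name, which by default contains the server name (Mike's "name of the server").
    IssuerCN  = $cert.GetNameInfo($nameType, $true)
    Expires   = $cert.NotAfter
    # True when this machine chains the cert to a root it trusts. Domain-joined machines
    # trust the in-house CA through AD, so run it from a non-domain machine as well.
    Trusted   = $cert.Verify()
}
```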
          Shuey

          Thanks Mike! You raise a good question: "Why do I need a cert server?" or "What is this server role/feature currently facilitating?".

          From what I understand (which is not much, lol), this server is what every workstation and user account on the domain gets its certificate from. But I'm not sure why exactly (other than the assumption of a layer of security when accounts communicate with the server(s)).

          Is it common for every business/company that has a domain network to have a cert server for issuing/updating all of the AD account certificates?

            scottalanmiller @Shuey

            @Shuey said in Migrate and/or replace old cert server?:

            Is it common for every business/company that has a domain network to have a cert server for issuing/updating all of the AD account certificates?

            Pretty rare, I'm not sure that I've ever seen it.

              scottalanmiller @Shuey

              @Shuey said in Migrate and/or replace old cert server?:

              First let me say that I know nothing about certificate services, IIS or SQL (all three of which are currently configured and running on this server).

              Why are those together? That's not generally a best practice. I realize that Windows licensing causes some decisions that would otherwise be poor, but this seems an odd combination.

                scottalanmiller @Shuey

                @Shuey said in Migrate and/or replace old cert server?:

                From what I understand (which is not much, lol), this server is what every workstation and user account on the domain gets its certificate from.

                Which certificates would those be?

                  scottalanmiller @Shuey

                  @Shuey said in Migrate and/or replace old cert server?:

                  But I'm not sure why exactly (other than the assumption of a layer of security when accounts communicate with the server(s)).

                  I'm going to go with "no" here.

                    scottalanmiller @Mike Davis

                    @Mike-Davis said in Migrate and/or replace old cert server?:

                    @Shuey I don't know your whole environment, but if you are talking about SSL certs in IIS, you get them third-party (GoDaddy, cheapssl.com, etc.) so you don't need certificate services for that.

                    To see what you're currently using, there are a few ways to do that. The easiest is to open the https version of your SharePoint site, and click on the lock in the browser. Then click details and view certificate. If it's third-party, it will tell you who issued it. If it was generated by your server, it will say the name of the server there.

                    In most cases today, use Let's Encrypt for free. We are using it and it is great. Jared uses it too.

                      scottalanmiller @Shuey

                      @Shuey said in Migrate and/or replace old cert server?:

                      Is it common for every business/company that has a domain network to have a cert server for issuing/updating all of the AD account certificates?

                      Maybe I've lost my mind but... what is an "AD Account Certificate"?

                        Mike Davis

                        @scottalanmiller said in Migrate and/or replace old cert server?:

                        @Shuey said in Migrate and/or replace old cert server?:

                        Is it common for every business/company that has a domain network to have a cert server for issuing/updating all of the AD account certificates?

                        Maybe I've lost my mind but... what is an "AD Account Certificate"?

                        You can integrate AD with certificate services so that the workstations use the certs for communication. I've never seen it done.

                        The only time I have used certificate services is to generate certificates for securing communication between Wireless APs and company owned devices.

                          Shuey @scottalanmiller

                          @scottalanmiller said in Migrate and/or replace old cert server?:

                          @Shuey said in Migrate and/or replace old cert server?:

                          First let me say that I know nothing about certificate services, IIS or SQL (all three of which are currently configured and running on this server).

                          Why are those together? That's not generally a best practice. I realize that Windows licensing causes some decisions that would otherwise be poor, but this seems an odd combination.

                          Your guess is as good as mine, lol. I know it's not a good business practice, but "bad business practices" at my company are kinda like cereal and milk; they have always gone together for as long as I've known. Here's a great example reference: We have two main datacenters, which my boss refers to as "the cold room" (LOL). One of the datacenters is shared with a janitor's closet, and there's no lock on the door! Yep, literally hundreds of thousands of dollars worth of equipment that anyone in the entire building could access without restriction (one of the big dollar items in this "cold room" is an EMC SAN!!). Despite the fact that I've told my boss and upper management that this is crazy, they have done nothing to change it. Another example: The datacenter at one of our other sites has a crazy ghetto "cooling system" (if that's what you wanna call it). Prior to getting an air conditioner installed in this server room, the way they used to cool it was to open the server room door and put several floor fans in there blowing the hot air out (and that's STILL what they do when the air conditioner dies!) - and this "cold room" also has an EMC SAN!!! O_o

                            scottalanmiller @Shuey

                            @Shuey and then there is the other issue... why is there a SAN?

                              Shuey @scottalanmiller

                              @scottalanmiller said in Migrate and/or replace old cert server?:

                              @Shuey said in Migrate and/or replace old cert server?:

                              From what I understand (which is not much, lol), this server is what every workstation and user account on the domain gets its certificate from.

                              Which certificates would those be?

                              When I look at the Certification Authority console on the server, and I look at "issued certificates", I see line items like this:
                              "Request ID", "Requester Name", "Certificate Template", "Certificate Effective Date", "Certificate Expiration Date", etc, and I see a bunch of workstations listed.

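                              The "issued certificates" view Shuey describes can be exported with certutil and summarized per template, which shows whether anything still holds an unexpired certificate from this CA before it is migrated or removed. This is an added example, not from the thread; it is meant to run on the CA itself, and it assumes certutil's CSV headers match the console column names Shuey lists ("Request ID", "Requester Name", "Certificate Template", "Certificate Expiration Date").

```powershell
# Added example: inventory the CA's issued certificates before deciding what to do with it.
# Run on the CA (certutil -view reads the local CA database). Disposition 20 = issued.
$csv = certutil -view -restrict "Disposition=20" `
    -out "RequestID,RequesterName,CertificateTemplate,NotBefore,NotAfter" csv
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Assumed: the CSV header row uses the console display names (as listed in the lead-in).
# Keep only real data rows (numeric Request ID) in case certutil appends a summary line.
$rows = $csv | ConvertFrom-Csv | Where-Object { $_.'Request ID' -match '^\d+$' }
$now  = Get-Date

$report = foreach ($r in $rows) {
    $expires = [datetime]::MinValue
    # Dates come back in the server's locale; an unparseable date counts as "unknown".
    $parsed = [datetime]::TryParse($r.'Certificate Expiration Date', [ref]$expires)
    [pscustomobject]@{
        Template  = $r.'Certificate Template'
        Requester = $r.'Requester Name'
        Expires   = if ($parsed) { $expires } else { $null }
        Active    = ($parsed -and $expires -gt $now)
    }
}

# Templates that still have unexpired certificates are the ones something may depend on
# (for example the workstation certs Shuey sees, or certs used for Wi-Fi/EAP as Mike mentions).
$report | Group-Object Template | ForEach-Object {
    $active = @($_.Group | Where-Object Active)
    [pscustomobject]@{
        Template         = $_.Name
        Issued           = $_.Count
        Active           = $active.Count
        ActiveRequesters = @($active | Select-Object -ExpandProperty Requester -Unique).Count
        LastExpiry       = ($_.Group.Expires | Measure-Object -Maximum).Maximum
    }
} | Sort-Object Active -Descending | Format-Table -AutoSize
```

                              A template with zero active certificates is not in use; one with many active workstation certificates means clients are autoenrolling from this CA, which is the case to resolve (migrate the CA or remove the autoenrollment policy) before the role is uninstalled or the DC demoted.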
                                Shuey @scottalanmiller

                                @scottalanmiller said in Migrate and/or replace old cert server?:

                                @Shuey and then there is the other issue... why is there a SAN?

                                For our PACS vendor and their equipment.

                                  scottalanmiller @Shuey

                                  @Shuey said in Migrate and/or replace old cert server?:

                                  @scottalanmiller said in Migrate and/or replace old cert server?:

                                  @Shuey and then there is the other issue... why is there a SAN?

                                  For our PACS vendor and their equipment.

                                  That alone wouldn't qualify as a reason.

                                  SANs don't provide speed, safety, ease of use or anything like that. So there is no common use case why any application would be supported by a SAN.

                                    scottalanmiller @Shuey

                                    @Shuey said in Migrate and/or replace old cert server?:

                                    @scottalanmiller said in Migrate and/or replace old cert server?:

                                    @Shuey said in Migrate and/or replace old cert server?:

                                    From what I understand (which is not much, lol), this server is what every workstation and user account on the domain gets its certificate from.

                                    Which certificates would those be?

                                    When I look at the Certification Authority console on the server, and I look at "issued certificates", I see line items like this:
                                    "Request ID", "Requester Name", "Certificate Template", "Certificate Effective Date", "Certificate Expiration Date", etc, and I see a bunch of workstations listed.

                                    I wonder if you just shut it off if anything bad happens.

                                      Mike Davis @scottalanmiller

                                      @scottalanmiller said in

                                      I wonder if you just shut it off if anything bad happens.

                                      It doesn't really work like that. Since he has only one server and it's not a service to be shut down, you can't really do that.

                                        scottalanmiller @Mike Davis

                                        @Mike-Davis said in Migrate and/or replace old cert server?:

                                        @scottalanmiller said in

                                        I wonder if you just shut it off if anything bad happens.

                                        It doesn't really work like that. Since he has only one server and it's not a service to be shut down, you can't really do that.

                                        There is no service associated with it? How does that work?

                                          Shuey @scottalanmiller

                                          @scottalanmiller said in Migrate and/or replace old cert server?:

                                          @Shuey said in Migrate and/or replace old cert server?:

                                          @scottalanmiller said in Migrate and/or replace old cert server?:

                                          @Shuey and then there is the other issue... why is there a SAN?

                                          For our PACS vendor and their equipment.

                                          That alone wouldn't qualify as a reason.

                                          It doesn't appear that the cert services role on this server is communicating at all with our PACS servers (which we have no access rights to - our vendor only has access).

                                            scottalanmiller @Shuey

                                            @Shuey said in Migrate and/or replace old cert server?:

                                            @scottalanmiller said in Migrate and/or replace old cert server?:

                                            @Shuey said in Migrate and/or replace old cert server?:

                                            @scottalanmiller said in Migrate and/or replace old cert server?:

                                            @Shuey and then there is the other issue... why is there a SAN?

                                            For our PACS vendor and their equipment.

                                            That alone wouldn't qualify as a reason.

                                            It doesn't appear that the cert services role on this server is communicating at all with our PACS servers (which we have no access rights to - our vendor only has access).

                                            That was a disconnected thought 🙂
