    I need to remove all certificate services from AD and then setup a new CA

    IT Discussion
JaredBusch

Current situation:
      I have a new server 2012 that was joined to the old SBS2008 domain.
      The new server was made a domain controller and gracefully transferred the FSMO roles.
      DHCP, printer, shares, etc. were manually recreated.
      I installed certificate services on the new DC and imported the old certificate (because I had exported it).
      Virtual Machine Connection will not connect because it cannot find a valid CA.

[image: caerror]

      Hyper-V manager itself works just fine.

JaredBusch

        Would it be best to remove the CA, purge active directory and then add a new CA?

        Will I end up with client access issues?

        The old SBS server is offline and I would prefer to keep it that way. All other services are working.

        Tomorrow, the first thing I will do when I arrive on site is dump the current RAID array on the old server so the old DC will at that point be 100% gone with no valid backups.

Dashrender

          Did you fully migrate away from SBS?

JaredBusch @Dashrender

            To make things even more fun, the original certificate expired today.

[image: fme]

            so I right clicked and reissued.

            damnit

JaredBusch @Dashrender

              @Dashrender said:

              Did you fully migrate away from SBS?

              @JaredBusch said:

              The new server was made a domain controller and gracefully transferred the FSMO roles.

A Former User @JaredBusch

                @JaredBusch said:

                Will I end up with client access issues?

Were any certs used for anything like 802.1x etc.? AD does not use certs or the CA for most authentication, so normal domain communication should not be affected for clients by the lack of a CA.

GregoryHall

                  Did you update GPO to reflect the new server info?
                  https://technet.microsoft.com/en-us/library/cc947849(v=ws.10).aspx

Dashrender @JaredBusch

                    @JaredBusch said:

                    @Dashrender said:

                    Did you fully migrate away from SBS?

                    @JaredBusch said:

                    The new server was made a domain controller and gracefully transferred the FSMO roles.

                    This does not mean a full migration.

JaredBusch @A Former User

                      @thecreativeone91 said:

                      @JaredBusch said:

                      Will I end up with client access issues?

Were any certs used for anything like 802.1x etc.? AD does not use certs or the CA for most authentication, so normal domain communication should not be affected for clients by the lack of a CA.

                      This was an SBS install, so the original CA was setup as part of that default install.
                      There is nothing special on the network for authentication that needs a cert.

                      Until I had a problem with the VMC, I did not even have the CA installed on the new DC.

                      I installed the CA yesterday as noted above and still had the problem. I booted the SBS server back up and VMC worked again. I shut it back down in order to resolve this.

JaredBusch @Dashrender

                        @Dashrender said:

                        This does not mean a full migration.

Actually, it pretty much does: the SBS server will only run for 21 days after the FSMO roles have migrated, so that should always be the last step other than demoting itself.

JaredBusch @GregoryHall

                          @GregoryHall said:

                          Did you update GPO to reflect the new server info?
                          https://technet.microsoft.com/en-us/library/cc947849(v=ws.10).aspx

                          No, checking this out now, thanks.

GregoryHall @JaredBusch

                            @JaredBusch https://technet.microsoft.com/en-us/library/dd807084.aspx

A Former User @JaredBusch

                              @JaredBusch said:

                              @thecreativeone91 said:

                              @JaredBusch said:

                              Will I end up with client access issues?

Were any certs used for anything like 802.1x etc.? AD does not use certs or the CA for most authentication, so normal domain communication should not be affected for clients by the lack of a CA.

                              This was an SBS install, so the original CA was setup as part of that default install.
                              There is nothing special on the network for authentication that needs a cert.

                              Until I had a problem with the VMC, I did not even have the CA installed on the new DC.

                              I installed the CA yesterday as noted above and still had the problem. I booted the SBS server back up and VMC worked again. I shut it back down in order to resolve this.

                              It sounds like you have two root CA's and the Certs are still coming from the old CA.

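The "two root CAs" suspicion above is checkable without guessing. What follows is an added example, not code posted in the thread: a read-only inventory of every CA that Active Directory itself advertises (the Enrollment Services, Certification Authorities and NTAuthCertificates entries under CN=Public Key Services in the configuration partition), with each certificate's expiry and whether its thumbprint is already in the local Trusted Root store. It runs on any domain-joined machine as an ordinary domain user and needs no RSAT; the container names are the standard AD CS locations, nothing here is specific to the poster's domain.

```powershell
# Added example (not from the thread): list the CAs Active Directory publishes
# and flag expired ones and ones this machine does not already trust.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$pkiDn    = "CN=Public Key Services,CN=Services,$configNc"

function Get-PublishedCaCerts {
    # Reads the cACertificate attribute of every object under $LdapPath and
    # returns one row per certificate, tagged with $Source.
    param(
        [string]$LdapPath,
        [string]$Source,
        [System.DirectoryServices.SearchScope]$Scope = 'OneLevel'
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]$LdapPath
    $searcher.SearchScope = $Scope
    $searcher.Filter      = '(cACertificate=*)'
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'dNSHostName', 'cACertificate'))

    foreach ($result in $searcher.FindAll()) {
        foreach ($raw in $result.Properties['cacertificate']) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
            [pscustomobject]@{
                Source     = $Source
                Name       = [string]$result.Properties['cn'][0]
                # dNSHostName is only populated on pKIEnrollmentService objects:
                # it is the server clients will try to enroll against.
                Host       = [string]($result.Properties['dnshostname'] | Select-Object -First 1)
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt (Get-Date))
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

$published = @(
    Get-PublishedCaCerts -LdapPath "LDAP://CN=Enrollment Services,$pkiDn"       -Source 'Enrollment Services'
    Get-PublishedCaCerts -LdapPath "LDAP://CN=Certification Authorities,$pkiDn" -Source 'Certification Authorities'
    # NTAuthCertificates is a single object rather than a container, so search it at Base scope.
    Get-PublishedCaCerts -LdapPath "LDAP://CN=NTAuthCertificates,$pkiDn"        -Source 'NTAuthCertificates' -Scope Base
)

# Thumbprints this machine already trusts as roots (the GPO-deployed ones land here too).
$localRoots = Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object Thumbprint

$published |
    Select-Object Source, Name, Host, Subject, NotAfter, Expired, Thumbprint,
        @{ Name = 'TrustedLocally'; Expression = { $localRoots -contains $_.Thumbprint } } |
    Sort-Object Source, Name |
    Format-Table -AutoSize
```

Rows whose Host is the old SBS server's name, or whose Expired column is True, are what AD is still handing out regardless of which server the CA role is installed on now; two Enrollment Services rows with the same CA name but different Host values is the "two CAs" case. The script only reports; removing the stale objects (for example through pkiview.msc, Manage AD Containers) is the "purge Active Directory" step the poster asked about and should be done only after the new CA's entries are confirmed present.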
A Former User @JaredBusch

                                @JaredBusch said:

                                @Dashrender said:

                                This does not mean a full migration.

Actually, it pretty much does: the SBS server will only run for 21 days after the FSMO roles have migrated, so that should always be the last step other than demoting itself.

Well, you have 21 days, but the BP is to uninstall Exchange from SBS, demote the SBS and then unjoin it from the domain before the 21 days are up.

JaredBusch @GregoryHall

                                  @GregoryHall said:

                                  @JaredBusch https://technet.microsoft.com/en-us/library/dd807084.aspx

                                  That is easy now that I know I missed the step.

                                  The hard part now is finding which SBS policy pushed it out and updating it.

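Finding which policy deployed the old certificate does not have to be done by opening GPOs one at a time. As an added example, not code from the thread or from the linked TechNet article, the script below pulls the XML report of every GPO in the domain and reports the ones whose settings mention a search string, together with where each is linked; the certificate itself normally sits under Computer Configuration > Windows Settings > Security Settings > Public Key Policies in the matching GPO. It requires the GroupPolicy module (available on a DC or with RSAT). The two pattern values at the bottom are placeholders for the old CA's common name and the old SBS host name.

```powershell
# Added example (not from the thread): find GPOs whose settings reference the
# old CA or old server, so the certificate deployment can be edited or unlinked.
Import-Module GroupPolicy

function Find-GpoReferences {
    param([string[]]$Patterns)
    foreach ($gpo in Get-GPO -All) {
        # The XML report carries every setting the GPO contains plus its links.
        $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
        $text   = $report.OuterXml
        $hits   = @($Patterns | Where-Object { $text -imatch [regex]::Escape($_) })
        if ($hits.Count -eq 0) { continue }

        # LinksTo is absent when the GPO is not linked anywhere.
        $links = @($report.GPO.LinksTo | ForEach-Object { "$($_.SOMPath) (enabled=$($_.Enabled))" })
        $linkedTo = '<not linked>'
        if ($links.Count -gt 0) { $linkedTo = $links -join '; ' }

        [pscustomobject]@{
            Gpo      = $gpo.DisplayName
            Id       = $gpo.Id
            Matched  = ($hits -join ', ')
            LinkedTo = $linkedTo
        }
    }
}

# Placeholders: replace with the old CA's CN and the old SBS server's host name.
Find-GpoReferences -Patterns @('OLDSBS-CA', 'oldsbs') | Format-Table -AutoSize
```

Match on names rather than on a thumbprint: the report may carry a deployed root certificate as encoded certificate data rather than as a hex thumbprint, so the CA's common name (which appears in the subject) and the server's host name are the reliable strings. A GPO that matches but is not linked anywhere is harmless; a linked one is the one to edit, and the trusted-root list is the place to remove the expired certificate and add the new CA's.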
JaredBusch @A Former User

                                    @thecreativeone91 said:

Well, you have 21 days, but the BP is to uninstall Exchange from SBS, demote the SBS and then unjoin it from the domain before the 21 days are up.

                                    I have until I arrive tomorrow to complete the demote and unjoin.

GregoryHall @JaredBusch

                                      @JaredBusch http://www.bursky.net/index.php/2012/02/disable-sbs-migration-grace-period-expiration/
                                      Disable the grace period check it will buy you more time if needed.

JaredBusch @GregoryHall

                                        @GregoryHall said:

                                        @JaredBusch http://www.bursky.net/index.php/2012/02/disable-sbs-migration-grace-period-expiration/
                                        Disable the grace period check it will buy you more time if needed.

                                        No, the hardware is failed. The grace period is not the problem.

                                        But from the looks of this I can fix the CA regardless of the old DC being online.

                                        The only thing this impacts is me being able to open a console from the Hyper-v manager.

                                        Still want it fixed before tomorrow though..

A Former User @GregoryHall

                                          @GregoryHall said:

                                          @JaredBusch http://www.bursky.net/index.php/2012/02/disable-sbs-migration-grace-period-expiration/
                                          Disable the grace period check it will buy you more time if needed.

                                          That doesn't work on SBS 2008 as there is no sbscrexe.exe and the grace period works differently.

JaredBusch @A Former User

                                            Or I can update the DNS settings on the Hyper-V server to point to the new DC.

                                            Then everything starts working like magic.

                                            #simplethings

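The fix in the final post was the Hyper-V host's DNS, not the CA: a host whose resolver still points at the powered-off SBS server cannot locate a domain controller, so VMConnect's authentication to the host fails while the local Hyper-V Manager keeps working. The block below is an added example, not code from the thread, showing how to verify that state and repoint the host. It uses the DnsClient cmdlets (Windows 8 / Server 2012 or later) and nltest, which ships with Windows. $DomainName, $NewDcIp and $Interface are placeholders for the poster's environment.

```powershell
# Added example (not from the thread): confirm the Hyper-V host can find a DC
# through DNS and point it at the new DC if it cannot.
$DomainName = 'corp.example'   # placeholder: the AD DNS domain name
$NewDcIp    = '10.0.0.10'      # placeholder: IP of the new 2012 DC, which also runs DNS
$Interface  = 'Ethernet'       # placeholder: the host's management NIC (Get-NetAdapter lists them)

# 1. Where does the host send DNS queries today? A dead SBS address here is the symptom.
Get-DnsClientServerAddress -InterfaceAlias $Interface -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Does the DC locator record resolve, and which host does it name?
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
if ($srv) {
    $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object NameTarget, Port, Priority, Weight
} else {
    Write-Warning "No DC SRV record answered for $DomainName; the configured DNS server is not serving the zone."
}

# 3. Which DC does the host actually select right now?
nltest /dsgetdc:$DomainName /force

# 4. Repoint only if the new DC answers, then flush the cache and re-register the host.
if (Test-Connection -ComputerName $NewDcIp -Count 1 -Quiet) {
    Set-DnsClientServerAddress -InterfaceAlias $Interface -ServerAddresses $NewDcIp
    Clear-DnsClientCache
    Register-DnsClient
    nltest /dsgetdc:$DomainName /force     # should now name the new DC
} else {
    Write-Warning "$NewDcIp does not answer; leaving DNS servers unchanged."
}
```

Step 2 is the useful one when triaging a "cannot find a valid CA" style error on a domain member: if the `_msdcs` SRV lookup fails, nothing that depends on Kerberos (VMConnect included) will work, and no amount of CA reinstallation changes that. Test-Connection relies on ICMP; if the DC's firewall drops ping, check reachability with Test-NetConnection on port 53 instead before running step 4.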