
    Migrate and/or replace old cert server?

      scottalanmiller @Dashrender

      @Dashrender said in Migrate and/or replace old cert server?:

      @scottalanmiller said in Migrate and/or replace old cert server?:

      @Dashrender said in Migrate and/or replace old cert server?:

      @scottalanmiller said in Migrate and/or replace old cert server?:

      @Shuey said in Migrate and/or replace old cert server?:

      @Dashrender said in Migrate and/or replace old cert server?:

      @Shuey said in Migrate and/or replace old cert server?:

      -They installed the Hyper-V role which runs as a console (much like VMware Workstation; type 2 hypervisor)
      No actually it doesn't.

      You lost me here... a Type 1 hypervisor is an "on hardware" hypervisor (exclusively running as the OS, like ESXi). A Type 2 hypervisor is an "on software" hypervisor (like VMware Workstation).

      Right. Hyper-V is a Type 1 with KVM, Xen and ESXi.

      Microsoft confuses people through the method that you use to get to the Type 1 from a standard installed Windows Server, i.e. installing the Hyper-V service. This isn't just installing a service like installing FTP or IIS. It in fact creates a shim under the current OS that is the Hyper-V OS running directly on the hardware, with the previous Windows Server OS now being the first VM.

      Although to be fair, that's how VMware used to install and how Xen still does. It IS confusing, but they copied it from everyone else that existed at the time. To this day, only ESXi has changed this and only KVM never had it by default (and still does something kind of like it anyway.)

      I should add, that while VMware used to and Xen still does using a DOM 0, I don't think they ever had you install a full OS, then turn around and enable something to make the Type 1 hypervisor become enabled. If you did an install, it was simply there.

      They did that, they just did it all under the hood so you didn't notice. Same way that XenServer and Hyper-V (non-role) do today.

        Shuey

        I just checked the list of issued certs on the server and the last entry (180530) was on May 23rd of 2016... I wonder why it stops there.... I can't think of anything on the server or the rest of the network for that matter that would've caused it to end in May...

        I'd really like to figure out how to safely test this role in a disabled state, but I don't know how to disable it without completely removing the role :D.

          scottalanmiller @Shuey

          @Shuey said in Migrate and/or replace old cert server?:

          I'd really like to figure out how to safely test this role in a disabled state, but I don't know how to disable it without completely removing the role :D.

          Just suspect the VM.... oh wait, not a discrete VM. One of the many reasons why that is important 😉

          Sorry, had to go there.

            Shuey @scottalanmiller

            @scottalanmiller said in Migrate and/or replace old cert server?:

            @Shuey said in Migrate and/or replace old cert server?:

            I'd really like to figure out how to safely test this role in a disabled state, but I don't know how to disable it without completely removing the role :D.

            Just suspect the VM.... oh wait, not a discrete VM. One of the many reasons why that is important 😉

            Sorry, had to go there.

            LOL, touche! 😛

              Dashrender @scottalanmiller

              @scottalanmiller said in Migrate and/or replace old cert server?:

              @Shuey said in Migrate and/or replace old cert server?:

              I'd really like to figure out how to safely test this role in a disabled state, but I don't know how to disable it without completely removing the role :D.

              Just suspect suspend the VM.... oh wait, not a discrete VM. One of the many reasons why that is important 😉

              Sorry, had to go there.

              FTFY

                Dashrender @Shuey

                @Shuey said in Migrate and/or replace old cert server?:

                I just checked the list of issued certs on the server and the last entry (180530) was on May 23rd of 2016... I wonder why it stops there.... I can't think of anything on the server or the rest of the network for that matter that would've caused it to end in May...

                I'd really like to figure out how to safely test this role in a disabled state, but I don't know how to disable it without completely removing the role :D.

                What was it issued to? That might lead you somewhere.

                  scottalanmiller

                  Whoops

                    Shuey @Dashrender

                    @Dashrender said in Migrate and/or replace old cert server?:

                    @Shuey said in Migrate and/or replace old cert server?:

                    I just checked the list of issued certs on the server and the last entry (180530) was on May 23rd of 2016... I wonder why it stops there.... I can't think of anything on the server or the rest of the network for that matter that would've caused it to end in May...

                    I'd really like to figure out how to safely test this role in a disabled state, but I don't know how to disable it without completely removing the role :D.

                    What was it issued to? That might lead you somewhere.

                    A user account. The last couple hundred certs were issued to user accounts and workstations.
                    If you guys have any ideas how to "safely turn it off" for a period of time (so I can see what happens), I'm all ears, lol.

                      Mike Davis @Shuey

                      If your SharePoint server is on its own VM, and the only roles on your DC are the cert services, I would build a new DC, migrate your FSMO roles over and back up the old DC. Then shut down the old DC and listen for the screams. If you hear nothing after a week or so, power it back up and demote it.

                        scottalanmiller

                        And if you are on 2008 R2, perfect time to consider moving to Samba4 instead of Windows.

                          stacksofplates @Dashrender

                          @Dashrender said in Migrate and/or replace old cert server?:

                          @Mike-Davis said in Migrate and/or replace old cert server?:

                          @scottalanmiller said in Migrate and/or replace old cert server?:

                          @Shuey said in Migrate and/or replace old cert server?:

                          Is it common for every business/company that has a domain network to have a cert server for issuing/updating all of the AD account certificates?

                          Maybe I've lost my mind but... what is an "AD Account Certificate"?

                          You can integrate AD with certificate services so that the workstations use the certs for communication. I've never seen it done.

                          The only time I have used certificate services is to generate certificates for securing communication between Wireless APs and company owned devices.

                          While I haven't seen it, I've read about it in NPS (Network Policy Server setups). The machine comes on the network, checks in with the NPS, and the NPS determines what VLAN it should be on, etc, etc.

                          We have that with ISE but I don't know if the certs are generated there or from something with the ISE server.

                            Shuey

                            @Mike-Davis said in Migrate and/or replace old cert server?:

                            If your SharePoint server is on its own VM, and the only roles on your DC are the cert services, I would build a new DC, migrate your FSMO roles over and back up the old DC. Then shut down the old DC and listen for the screams. If you hear nothing after a week or so, power it back up and demote it.

                            We already have a different server that has all of our FSMO roles, along with four other DCs besides this one, so we're good on the DC side of things.

                            One thing I'm worried about (mostly because of ignorance) is that, if I demote the server, it will cause some sort of issue with cert services, which could possibly cause issues with SharePoint.

                            Best case scenario would be that I could totally get rid of cert services and demote the server, SharePoint would keep working without any issues, and I could V2V this server and migrate it over to our ESXi environment! (Prior to learning what I did about Hyper-V today, I would've said P2V :P)

                              Shuey @Mike Davis

                              @Mike-Davis said in Migrate and/or replace old cert server?:

                              If your SharePoint server is on its own VM, and the only roles on your DC are the cert services, I would build a new DC, migrate your FSMO roles over and back up the old DC. Then shut down the old DC and listen for the screams. If you hear nothing after a week or so, power it back up and demote it.

                              If it wasn't a DC, I would do a V2V right now. But I've heard doing a V2V of DCs is horribly frowned upon.

                                Jason Banned

                                We have our own CA.. Migration is pretty simple. Microsoft tells you exactly how to do it..

                                https://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx?f=255&MSPPError=-2147217396

                                  StrongBad @Shuey

                                  @Shuey said in Migrate and/or replace old cert server?:

                                  @Mike-Davis said in Migrate and/or replace old cert server?:

                                  If your SharePoint server is on its own VM, and the only roles on your DC are the cert services, I would build a new DC, migrate your FSMO roles over and back up the old DC. Then shut down the old DC and listen for the screams. If you hear nothing after a week or so, power it back up and demote it.

                                  If it wasn't a DC, I would do a V2V right now. But I've heard doing a V2V of DCs is horribly frowned upon.

                                  Yes, it generally is. But really only if you have more than one DC. If you only have the one, then you can move it.

                                    Shuey @StrongBad

                                    @StrongBad said in Migrate and/or replace old cert server?:

                                    @Shuey said in Migrate and/or replace old cert server?:

                                    @Mike-Davis said in Migrate and/or replace old cert server?:

                                    If your SharePoint server is on its own VM, and the only roles on your DC are the cert services, I would build a new DC, migrate your FSMO roles over and back up the old DC. Then shut down the old DC and listen for the screams. If you hear nothing after a week or so, power it back up and demote it.

                                    If it wasn't a DC, I would do a V2V right now. But I've heard doing a V2V of DCs is horribly frowned upon.

                                    Yes, it generally is. But really only if you have more than one DC. If you only have the one, then you can move it.

                                    Thanks for the info - so in our case, a V2V is definitely a bad idea since we have 6 total DCs, lol.

                                    So I guess to be safe, I better build a new CA, migrate all the info from the old one to the new one, THEN I can hopefully safely remove the cert services and demote the DC. THEN I can V2V it and move it to our ESXi environment (Until I learn how to build a new SharePoint server and migrate our DB over to it, lol)

                                      StrongBad @Shuey

                                      @Shuey said in Migrate and/or replace old cert server?:

                                      @StrongBad said in Migrate and/or replace old cert server?:

                                      @Shuey said in Migrate and/or replace old cert server?:

                                      @Mike-Davis said in Migrate and/or replace old cert server?:

                                      If your SharePoint server is on its own VM, and the only roles on your DC are the cert services, I would build a new DC, migrate your FSMO roles over and back up the old DC. Then shut down the old DC and listen for the screams. If you hear nothing after a week or so, power it back up and demote it.

                                      If it wasn't a DC, I would do a V2V right now. But I've heard doing a V2V of DCs is horribly frowned upon.

                                      Yes, it generally is. But really only if you have more than one DC. If you only have the one, then you can move it.

                                      Thanks for the info - so in our case, a V2V is definitely a bad idea since we have 6 total DCs, lol.

                                      Yeah, don't do that. Just make a new one then, no need to V2V.

                                        Shuey @StrongBad

                                        @StrongBad said in Migrate and/or replace old cert server?:

                                        @Shuey said in Migrate and/or replace old cert server?:

                                        @StrongBad said in Migrate and/or replace old cert server?:

                                        @Shuey said in Migrate and/or replace old cert server?:

                                        @Mike-Davis said in Migrate and/or replace old cert server?:

                                        If your SharePoint server is on its own VM, and the only roles on your DC are the cert services, I would build a new DC, migrate your FSMO roles over and back up the old DC. Then shut down the old DC and listen for the screams. If you hear nothing after a week or so, power it back up and demote it.

                                        If it wasn't a DC, I would do a V2V right now. But I've heard doing a V2V of DCs is horribly frowned upon.

                                        Yes, it generally is. But really only if you have more than one DC. If you only have the one, then you can move it.

                                        Thanks for the info - so in our case, a V2V is definitely a bad idea since we have 6 total DCs, lol.

                                        Yeah, don't do that. Just make a new one then, no need to V2V.

                                        I still need to do the V2V for what's left on it after I remove the CA and DC; SharePoint (because we want to re-purpose the old hardware with a clean slate)

                                          StrongBad @Shuey

                                          @Shuey said in Migrate and/or replace old cert server?:

                                          @StrongBad said in Migrate and/or replace old cert server?:

                                          @Shuey said in Migrate and/or replace old cert server?:

                                          @StrongBad said in Migrate and/or replace old cert server?:

                                          @Shuey said in Migrate and/or replace old cert server?:

                                          @Mike-Davis said in Migrate and/or replace old cert server?:

                                          If your SharePoint server is on its own VM, and the only roles on your DC are the cert services, I would build a new DC, migrate your FSMO roles over and back up the old DC. Then shut down the old DC and listen for the screams. If you hear nothing after a week or so, power it back up and demote it.

                                          If it wasn't a DC, I would do a V2V right now. But I've heard doing a V2V of DCs is horribly frowned upon.

                                          Yes, it generally is. But really only if you have more than one DC. If you only have the one, then you can move it.

                                          Thanks for the info - so in our case, a V2V is definitely a bad idea since we have 6 total DCs, lol.

                                          Yeah, don't do that. Just make a new one then, no need to V2V.

                                          I still need to do the V2V for what's left on it after I remove the CA and DC; SharePoint (because we want to re-purpose the old hardware with a clean slate)

                                          I see. Then yes, pull those parts off first.

                                            EddieJennings @scottalanmiller

                                            @scottalanmiller You haven't lost your mind, but the issue might be one of terminology. We use AD certificate services to push out machine certs, which (right now) we use with establishing VPN connections.
