JanusBarinan-8508 asked

Question on renaming CA server

Hi,

Our current CA is rather old, on a Windows Server 2008 machine. We want to upgrade the OS to Windows Server 2016 via in-place upgrade, so we cloned the machine and worked on the clone, upgrading the OS successfully.
Now the old and the new CA servers have the same name. We were thinking of giving it a new name but are unable to do so. It says that we cannot rename it because it is a CA server.

How do we rename the new CA server?
What would its implications be domain-wide?

windows-server-security

LimitlessTechnology-2700 answered

Hello @JanusBarinan-8508

Unfortunately renaming a CA is simply not possible, precisely for the multiple relations to services, machines and applications running over the domain. Even if it was possible, it would not be a good idea.

I can recommend the 2008 guide for Upgrade-Migration process and checklist from Microsoft, but basically the new server should replace the previous.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)

Best regards,

cthivierge answered

You cannot "Rename" a server that has the ADCS role installed.

If you want a different name for your CA Server, it's only possible with a migration (backup/restore).

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486805(v%3Dws.11)

hth



Crypt32 answered

If you successfully cloned and upgraded CA VM/image, then you should just turn off old VM and use upgraded VM instead. In this case, you don't need to go through complicated migration process.


Yeah but the new VM should have a new hostname, different from the old.

Crypt32 to JanusBarinan-8508:

Why? Once you cloned the VM, turn off old VM and you can re-use this name in cloned and upgraded VM. You are overcomplicating things where it is unnecessary.

JanusBarinan-8508 answered

So here is my process:
1. Backup the old (CA, registry, etc.)
2. Clone the old CA (why not build a new one? It's quite a complicated issue so let's stick with the clone)
3. Uninstall the CA on the newly cloned machine
4. Rename the newly cloned machine
5. Reinstall the CA role
6. Restore the CA config from backup.

Question:

Will a simple disconnect from the network do, or is there a process to remove it totally?
From the steps above, when should I remove the CA from the network?
Can the old and new run at the same time, even just for a brief moment, until the old is totally removed? Won't it affect the clients using the certificate?





Theoretically, on your old CA Server, if you have uninstalled the ADCS role AND the server has been renamed, I don't see any issue... but why take chances?

If you don't want to uninstall ADCS role from the old CA Server, you can just turn it off and disconnect the Network Card (just to be sure that it will never connect to the network again)


Oh so disconnecting it from the network is okay? No need for proper removal from domain? Even if my new CA has different hostname?

What would happen, by the way, to the current certificate, especially the one in the trusted root folder, if my CA is new with a new hostname?


The old CA Server can stay in the domain with a new name, but the ADCS Role must have been removed before configuring the new CA Server.

The host name of the server is not the name of the CA Server. The Certificate should keep the name of the CA Server.

hth
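
The backup/restore route discussed in this thread, written out as PowerShell. This is an added example, not code from any poster or from the linked Microsoft guides; the backup path, CA name, host names and CA type are placeholders, and the three functions are run in separate sessions because the rename reboots the machine.

```powershell
# Added example. Every value below is a placeholder, not taken from the thread.
$BackupDir = 'C:\CABackup'
$CAName    = 'Example-CA'           # the CA's own name; it does not change
$NewHost   = 'CA02'                 # new host name for the clone
$NewFqdn   = 'CA02.corp.example'
$CfgPath   = 'SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Backup-OldCA {
    # Step 1, on the old server: CA certificate and key, database, registry.
    $pw = Read-Host 'Password for the key backup' -AsSecureString
    Backup-CARoleService -Path $BackupDir -Password $pw
    reg.exe export "HKLM\$CfgPath" "$BackupDir\CertSvc-Config.reg" /y
}

function Remove-RoleAndRename {
    # Steps 3-4, on the clone, with the old server powered off or off the network.
    Uninstall-AdcsCertificationAuthority -Force
    Uninstall-WindowsFeature ADCS-Cert-Authority
    Rename-Computer -NewName $NewHost -Restart   # reboots the clone
}

function Restore-CAOnRenamedHost {
    # Steps 5-6, on the renamed clone after the reboot.
    $pw = Read-Host 'Password for the key backup' -AsSecureString
    Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
    # Reuse the existing CA certificate and key so the CA name stays the same.
    # EnterpriseRootCA is an assumption; use the type the old CA had.
    # Assumes the backup wrote the key file as <CA name>.p12.
    Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
        -CertFile "$BackupDir\$CAName.p12" -CertFilePassword $pw -Force
    Stop-Service certsvc
    certutil.exe -f -restoredb $BackupDir
    reg.exe import "$BackupDir\CertSvc-Config.reg"
    # The imported settings still name the old host; point them at the new one.
    Set-ItemProperty -Path "HKLM:\$CfgPath\$CAName" `
        -Name CAServerName -Value $NewFqdn
    Start-Service certsvc
    certutil.exe -getreg CA\CAServerName         # confirm it names the new host
}
```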
