Windows Vista Forums

How to make SBS2008 machine appear as an online CA?
  1. #1


    niewoo Guest

    How to make SBS2008 machine appear as an online CA?

    The CA role is installed and functioning on the local SBS2008 server.
    However, it does not show up when trying to access a CA from another machine.
    I am trying to perform the last step of decommissioning the old SBS2003
    server from the domain as part of migrating from SBS2003 to 2008, but dcpromo
    does not run because the old SBS2003 source server is still a CA. I'm trying
    to gracefully renew certificates by issuing them from the new CA before
    removing this role from the old server, however the new CA doesn't appear as
    a selectable CA. For example, on an existing backup DC on the domain, I
    launch the Certificates snap-in (for Computer Account) and try to request a
    new Domain Controller certificate. Only the old SBS2003 server shows up as a
    CA.

    Any ideas?

    Thanks,
    Nick.





  2. #2


    Cliff Galiher Guest

    Re: How to make SBS2008 machine appear as an online CA?

    The CA service relies on IIS, so if you've made changes to IIS, this could
    cause the problem you are seeing.

    First things first, let's see if you can *see* the CA's web interface. Go
    to http://<your server>/certserv and see if that works...

    -Cliff



  3. #3


    niewoo Guest

    Re: How to make SBS2008 machine appear as an online CA?

    Hi Cliff - yes, http://<server>/certsrv is online and accessible from
    machines across the domain. However ... it does not list "Domain Controller"
    in the drop down when selecting what kind of cert to enroll. Hence I thought
    the Certificates snap-in was still the correct way.

    The backup DCs I am trying to request new certificates for are Server 2003.
    I don't know if that's an issue or not.

    Thanks,
    Nick.


  4. #4


    Cliff Galiher Guest

    Re: How to make SBS2008 machine appear as an online CA?

    It shouldn't be an issue, and yes I actually prefer using the snap-in. The
    URL was just to check and ensure the service is up.

    So there are a couple of possibilities.

    First, I should mention that it would've been better to migrate the CA.
    That would not have required re-issuing certificates and MS does have CA
    migration documents available. Depending on how far down this road you've
    gone, that may still be worth looking at.

    Secondly, make sure the template is installed. In the CA snap-in, go to
    certificate templates and make sure version 110 for Windows Server 2003 is
    installed for domain controllers. If not, add it.

    Finally, did you deploy the new root CA cert? That is how other machines
    know where to request certificates from. With two CAs co-existing, it is
    possible...in fact likely, that your old CA is taking precedence and
    rewriting the registry keys associated with domain CAs. Again, MS provides
    documentation on deploying new root CA certs via group policy.

    -Cliff

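An added example, not part of the thread: a read-only PowerShell check, run on the machine that is requesting the certificate, that lists the enterprise CAs published in Active Directory and reports for each one whether it offers the Domain Controller template and whether its certificate chains to a root this machine trusts. These are the two conditions raised in the post above. The template name `DomainController` and the availability of PowerShell on that machine are assumptions.

```powershell
# Added diagnostic sketch, not from the thread. Read-only: queries AD and builds a local chain.
# Assumption: the Domain Controller template's internal name is "DomainController".
$wantedTemplate = 'DomainController'

# Enterprise CAs that clients can enroll against are published in the
# forest's Configuration partition under "Enrollment Services".
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$base = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
$searcher.Filter = '(objectClass=pKIEnrollmentService)'
$searcher.SearchScope = 'OneLevel'
'cn', 'dnshostname', 'certificatetemplates', 'cacertificate' |
    ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

$report = foreach ($result in $searcher.FindAll()) {
    $props = $result.Properties

    # The CA's own certificate as published in AD.
    $bytes  = [byte[]]$props['cacertificate'][0]
    $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)

    # Build the chain against this machine's stores. Revocation is skipped so the
    # result reflects trust only (is the root deployed here?), not CRL reachability.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($caCert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # Templates this CA is configured to issue.
    $templates = @($props['certificatetemplates'])

    New-Object PSObject -Property @{
        CA             = [string]$props['cn'][0]
        Host           = [string]$props['dnshostname'][0]
        OffersTemplate = ($templates -contains $wantedTemplate)
        TrustedHere    = $trusted
        ChainStatus    = $status
        Thumbprint     = $caCert.Thumbprint
    }
}

$report | Format-Table CA, Host, OffersTemplate, TrustedHere, ChainStatus -AutoSize
```

A row with `TrustedHere` false and `UntrustedRoot` in `ChainStatus` means the CA's certificate has not reached this machine's trusted roots; a row with `OffersTemplate` false means the template has not been added on that CA.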

  5. #5


    niewoo Guest

    Re: How to make SBS2008 machine appear as an online CA?

    The SBS2008 setup already installed the CA, so migration wasn't possible.
    However, adding the new CA's certificate to GP did the trick! Thanks.


  6. #6


    Cliff Galiher Guest

    Re: How to make SBS2008 machine appear as an online CA?

    Glad to hear your problem is resolved, but just for future reference, you
    *can* still migrate a CA even though the SBS2008 installation installs the
    CA role by default. The process is documented here (I am unaware of 2008
    documentation yet):

    http://support.microsoft.com/kb/298138

    Step 6 in the documentation is to install certificate services on the new
    server, so this is no different than SBS doing so automatically. You'd
    still then proceed to stop the service and restore backups....it all comes
    together rather nicely.

    -Cliff

