Upgrading Your PKI from Windows Server 2003 to Windows Server 2008 R2 Part II: Upgrade Considerations

  • Article

Today, I am going to talk about some things that you should consider before upgrading your existing PKI.

The first question is “Are you happy with your existing PKI?” PKI is a niche technology. Many organizations setup a PKI with limited experience with this technology. As such many times an organization’s PKI is not configured correctly or may not be configured in a way that meets the organization’s needs. If your PKI falls into one of these two categories, it may make more sense to replace your existing PKI, rather than upgrade your existing PKI.

The second question is “Does your issuing CA reside on a Domain Controller?” If the answer to this question is “Yes”, then you during the migration you will definitely want to consider moving it to a server that is not a Domain Controller. “Why”, you ask. The first reason is to make your life easier. When a Certification Authority is installed on a domain controller it adds complexity when trying to resolve issues with your domain. For example, if you have some sort of domain controller failure that requires you to remove the domain controller from the domain, you now have to remove the CA role to be able to DCPromo down the server. You also now have to quickly figure out how to migrate the CA why you are resolving the domain issue. The second reason is that you will want to limit who has access to the Certification Authority, and as a domain controller a relatively large number of individuals will have access to the Domain Controller, for administration purposes, and otherwise. The third reason is you may want to harden the CA from network attacks. If the CA is also a domain controller, you will have to enable a lot of access from the network since clients will need to access the services of the domain controller as well.

The third question is “Will you perform an in-place upgrade or migrate the CA to a new machine?” To be honest I always recommend a migration. In the case of physical machines, most organizations will use new hardware when using a newer version of the OS. Also, I feel more comfortable starting with a clean install of the OS, just to reduce the likelihood of any issues that may be carried over from the previous install. Also, the CA migration is so simple and straight forward it is hard to justify doing it any other way. If you are using virtual machines it is easy to spin up a new VM and do the migration. Even if you plan on using the same physical machine, it is still pretty easy to clean install the OS and do the migration.

The fourth question is “Will the machine you are migrating the CA to have the same hostname?” If you plan on migrating the CA to a machine with a different hostname, there will be added complexity in the migration. This is due to the fact that AIA and CDP paths are often contain the hostname of the CA. If the AIA and CDP paths point to a location that contains the hostname of the CA, you will most likely have to update these locations with the new hostname of the CA. After these locations are updated you have to reissue all certificates if you would like them to contain the updated AIA and CDP paths.

To summarize the questions above are key considerations before upgrading your PKI to Windows Server 2008 R2. For additional considerations, please see the Active Directory Certificate Services Upgrade and Migration Guide.

-Chris