Guest Paul Bergson [MVP-DS] Posted April 14, 2009 Posted April 14, 2009 "Baboon" <Baboon@discussions.microsoft.com> wrote in message news:5B198DCF-2BD8-4C3E-950C-BF7F143AF8CA@microsoft.com...<span style="color:blue"> > Hi - > > I did a clean upgrade of a server that acted as a subordinate enterprise > CA. > The OS went from Windows 2003 Standard, SP2 to Windows 2008 Enterprise. > Before wiping out the disk, I did the standard migration tasks as directed > by > KB article: > - Back up the CA through the GUI > - Export the CertSvc Registry key > - Uninstall Cert Services from the old server > - Wipe the old server > Then... > - Install the new OS, using the same name as the old server > - Install Cert Services on the new server > - Restore the backup of the CA > - Import the CertSvc Registry key > The DBs and logs for the old cert server, as well as the program files, > were > on the G drive. When I installed Certificate Services on the new server, > it > installed on the C drive, but I created a G drive for the DB and logs. > > The CA will not start on the new server. I get a "file not found message" > which also tells me "Policy Module in missing or incorrectly registered". > I > thought I found the cause of the problem when I discovered that the > Registry > keys which I imported referenced the G drive for the CertSrv directory > (which > is on the C drive on the new server). I changed those from G: to C: but > it > made no difference. > > The symptom that seems most obvious is that the DCOM Config for CertSrv > Request is inaccessible (everything is grayed out.) > > I should also add that the old server was a DC, which I demoted after > removing Certificate Services from it. The new server is not a DC, but is > using the same name as I said. > > Does anyone have any idea what is going wrong with this? > > Thanks. > ></span> I would suggest this be posted in the security NewsGroup where they are better prepared for this question. I have copied them in on this reply. -- Paul Bergson MVP - Directory Services MCTS, MCT, MCSE, MCSA, Security+, BS CSci 2008, 2003, 2000 (Early Achiever), NT4 http://www.pbbergs.com Please no e-mails, any questions should be posted in the NewsGroup This posting is provided "AS IS" with no warranties, and confers no rights. Quote
Guest Brian Komar \(MVP\) Posted April 15, 2009 Posted April 15, 2009 This is a really ugly migration, being that it was a DC previously. If I were doing this migration, I would have done extensive testing in virtual and test network deployments before attempting this in production. There is really no easy answer to this. As a start, I would ensure that the new CA would be set up with exactly the same drive mappings, and folder structures as previous. I would install the CA using the existing certificate and private key and then restore the CA database. Brian "Paul Bergson [MVP-DS]" <pbbergs@nopspam_msn.com> wrote in message news:8E282D28-A93D-4B9B-8CA9-7811C7B3F209@microsoft.com...<span style="color:blue"> > "Baboon" <Baboon@discussions.microsoft.com> wrote in message > news:5B198DCF-2BD8-4C3E-950C-BF7F143AF8CA@microsoft.com...<span style="color:green"> >> Hi - >> >> I did a clean upgrade of a server that acted as a subordinate enterprise >> CA. >> The OS went from Windows 2003 Standard, SP2 to Windows 2008 Enterprise. >> Before wiping out the disk, I did the standard migration tasks as >> directed by >> KB article: >> - Back up the CA through the GUI >> - Export the CertSvc Registry key >> - Uninstall Cert Services from the old server >> - Wipe the old server >> Then... >> - Install the new OS, using the same name as the old server >> - Install Cert Services on the new server >> - Restore the backup of the CA >> - Import the CertSvc Registry key >> The DBs and logs for the old cert server, as well as the program files, >> were >> on the G drive. When I installed Certificate Services on the new server, >> it >> installed on the C drive, but I created a G drive for the DB and logs. >> >> The CA will not start on the new server. I get a "file not found >> message" >> which also tells me "Policy Module in missing or incorrectly registered". >> I >> thought I found the cause of the problem when I discovered that the >> Registry >> keys which I imported referenced the G drive for the CertSrv directory >> (which >> is on the C drive on the new server). I changed those from G: to C: but >> it >> made no difference. >> >> The symptom that seems most obvious is that the DCOM Config for CertSrv >> Request is inaccessible (everything is grayed out.) >> >> I should also add that the old server was a DC, which I demoted after >> removing Certificate Services from it. The new server is not a DC, but >> is >> using the same name as I said. >> >> Does anyone have any idea what is going wrong with this? >> >> Thanks. >> >></span> > > I would suggest this be posted in the security NewsGroup where they are > better prepared for this question. I have copied them in on this reply. > > > -- > Paul Bergson > MVP - Directory Services > MCTS, MCT, MCSE, MCSA, Security+, BS CSci > 2008, 2003, 2000 (Early Achiever), NT4 > > http://www.pbbergs.com > > Please no e-mails, any questions should be posted in the NewsGroup This > posting is provided "AS IS" with no warranties, and confers no rights. </span> Quote
Guest Baboon Posted April 16, 2009 Posted April 16, 2009 Thanks. I should have mentioned that this is only a test environment. I would like to feel that I can get this solved without having to start over with a new sub CA, but if I have to do that it just means a little more work and some cleanup. I never would have done this in a production environment. I wondered if the fact that the CA was previously on a DC would be a problem, but I don't think I saw anything on the MS site that mentioned it. I'll try reinstalling using the same drive letter as before for everything. Thanks. "Brian Komar (MVP)" wrote: <span style="color:blue"> > This is a really ugly migration, being that it was a DC previously. > If I were doing this migration, I would have done extensive testing in > virtual and test network deployments before attempting this in production. > There is really no easy answer to this. > As a start, I would ensure that the new CA would be set up with exactly > the same drive mappings, and folder structures as previous. > I would install the CA using the existing certificate and private key and > then restore the CA database. > Brian > > "Paul Bergson [MVP-DS]" <pbbergs@nopspam_msn.com> wrote in message > news:8E282D28-A93D-4B9B-8CA9-7811C7B3F209@microsoft.com...<span style="color:green"> > > "Baboon" <Baboon@discussions.microsoft.com> wrote in message > > news:5B198DCF-2BD8-4C3E-950C-BF7F143AF8CA@microsoft.com...<span style="color:darkred"> > >> Hi - > >> > >> I did a clean upgrade of a server that acted as a subordinate enterprise > >> CA. > >> The OS went from Windows 2003 Standard, SP2 to Windows 2008 Enterprise. > >> Before wiping out the disk, I did the standard migration tasks as > >> directed by > >> KB article: > >> - Back up the CA through the GUI > >> - Export the CertSvc Registry key > >> - Uninstall Cert Services from the old server > >> - Wipe the old server > >> Then... > >> - Install the new OS, using the same name as the old server > >> - Install Cert Services on the new server > >> - Restore the backup of the CA > >> - Import the CertSvc Registry key > >> The DBs and logs for the old cert server, as well as the program files, > >> were > >> on the G drive. When I installed Certificate Services on the new server, > >> it > >> installed on the C drive, but I created a G drive for the DB and logs. > >> > >> The CA will not start on the new server. I get a "file not found > >> message" > >> which also tells me "Policy Module in missing or incorrectly registered". > >> I > >> thought I found the cause of the problem when I discovered that the > >> Registry > >> keys which I imported referenced the G drive for the CertSrv directory > >> (which > >> is on the C drive on the new server). I changed those from G: to C: but > >> it > >> made no difference. > >> > >> The symptom that seems most obvious is that the DCOM Config for CertSrv > >> Request is inaccessible (everything is grayed out.) > >> > >> I should also add that the old server was a DC, which I demoted after > >> removing Certificate Services from it. The new server is not a DC, but > >> is > >> using the same name as I said. > >> > >> Does anyone have any idea what is going wrong with this? > >> > >> Thanks. > >> > >></span> > > > > I would suggest this be posted in the security NewsGroup where they are > > better prepared for this question. I have copied them in on this reply. > > > > > > -- > > Paul Bergson > > MVP - Directory Services > > MCTS, MCT, MCSE, MCSA, Security+, BS CSci > > 2008, 2003, 2000 (Early Achiever), NT4 > > > > http://www.pbbergs.com > > > > Please no e-mails, any questions should be posted in the NewsGroup This > > posting is provided "AS IS" with no warranties, and confers no rights. </span> > > </span> Quote
![Guest Paul Bergson [MVP-DS]](https://offtopic.forum/uploads/set_resources_2/84c1e40ea0e759e3f1505eb1788ddf3c_default_photo.png)
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.