Server Decommision

[Zachary]

We currently have a Win2k server that we are looking to decommission so we
can install it with windows 2008. This 2k server is a domain controller
with no FSMO roles on it but CA is still running on the server. We
currently have a 2008 server that is acting as our primary DC. Two
questions:



First, how can I check whether or not the CA is still being used? I have
inherited this setup from a previous IT Group so I am unsure of what
practices have been in place before I was here.



Second, if I am unsure or if the services are still needed, can I move the
CA to the 2008 server?



I have reviewed these links already and none seem to directly apply to my
situation since the scenario is 2000 and 2003



http://support.microsoft.com/default.aspx?...kben-us298138

http://support.microsoft.com/default.aspx?...kben-us555012

http://support.microsoft.com/kb/889250



Any insight would be greatly appreciated.

 

[Greg Russell]

"Zachary" wrote in message
news:%23yjzSVHOKHA.220@TK2MSFTNGP02.phx.gbl...

> We currently have a Win2k server that we are looking to decommission
> so we can install it with windows 2008. ... I have inherited this setup
> from a previous IT Group so I am unsure of what practices have been
> in place before I was here.

If the previous IT group failed to keep an administrative journal/log of the
machine and its roles in the enterprise, then you should make a complete
backup, wipe the disk and start with a fresh install of the new OS.

Oh, and be sure to keep a current journal of everything you do on the new
OS, and the reasons for it.

 

[Zachary]

First off, that doesn't answer either of my two questions and as far as good
IT practice goes that suggestion is dangerous. Anything goes wrong during
the wipe/reload process I would be SOL. Our eventual goal is to make this
server a member server running a newer operating system. Does anyone else
have any ideas?


"Greg Russell" wrote in message
news:7hhufsF2tg2kgU1@mid.individual.net...
> "Zachary" wrote in message
> news:%23yjzSVHOKHA.220@TK2MSFTNGP02.phx.gbl...
>
>> We currently have a Win2k server that we are looking to decommission
>> so we can install it with windows 2008. ... I have inherited this setup
>> from a previous IT Group so I am unsure of what practices have been
>> in place before I was here.
>
> If the previous IT group failed to keep an administrative journal/log of
> the
> machine and its roles in the enterprise, then you should make a complete
> backup, wipe the disk and start with a fresh install of the new OS.
>
> Oh, and be sure to keep a current journal of everything you do on the new
> OS, and the reasons for it.
>
>

 

[John John - MVP]

See in-line:

Zachary wrote:
> We currently have a Win2k server that we are looking to decommission so we
> can install it with windows 2008. This 2k server is a domain controller
> with no FSMO roles on it but CA is still running on the server. We
> currently have a 2008 server that is acting as our primary DC. Two
> questions:
>
>
>
> First, how can I check whether or not the CA is still being used? I have
> inherited this setup from a previous IT Group so I am unsure of what
> practices have been in place before I was here.

I don't know for sure but unless you properly removed the existing CA
and created a new one on the new Server 2008 I would think that the CA
on the Server 2000 would still be used. You could simply disable the
Certificate Service for an extended period and see what happens, if
things go wonky you can just re-enable the Certificate service. These
might be helpful:

http://support.microsoft.com/kb/889250
How to decommission a Windows enterprise certification authority and how
to remove all related objects from Windows Server 2003 and from Windows
Server 2000

http://support.microsoft.com/kb/231881
HOW TO: How to Install/Uninstall a Public Key Certificate Authority for
Windows 2000

http://articles.techrepublic.com.com/5100-...066.html?tag=sc
Move Certificate Authority to another Windows 2000 Server

http://www.microsoft.com/windows/windows20...procsBackup.htm
Back up a certification authority

> Second, if I am unsure or if the services are still needed, can I move the
> CA to the 2008 server?

I don't think so, all of the Microsoft information that I have seen
always says that you must first upgrade Server 2000 to 2003 and then in
turn upgrade Server 2003 to 2008, there seems to be no direct path to
move the CA directly from Server 2000 to Server 2008. You may find
useful information here:
http://technet.microsoft.com/en-us/library...466(WS.10).aspx

You might have better help with this if you ask the folks on one of the
Server groups, maybe here:
news://msnews.microsoft.com/microsoft.publ....server.general

John

 

[Meinolf Weber [MVP-DS]]

Hello Zachary,

I will crospost this to:
microsoft.public.windows.server.security

That's the better place for your question. Also think about using the Technet
Forum:
http://social.technet.microsoft.com/Forums...ecurity/threads

> We currently have a Win2k server that we are looking to decommission
> so we can install it with windows 2008. This 2k server is a domain
> controller with no FSMO roles on it but CA is still running on the
> server. We currently have a 2008 server that is acting as our primary
> DC. Two questions:
>
> First, how can I check whether or not the CA is still being used? I
> have inherited this setup from a previous IT Group so I am unsure of
> what practices have been in place before I was here.
>
> Second, if I am unsure or if the services are still needed, can I move
> the CA to the 2008 server?
>
> I have reviewed these links already and none seem to directly apply to
> my situation since the scenario is 2000 and 2003
>
> http://support.microsoft.com/default.aspx?...kben-us298138
>
> http://support.microsoft.com/default.aspx?...kben-us555012
>
> http://support.microsoft.com/kb/889250
>
> Any insight would be greatly appreciated.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

 

[Zachary]

Thanks for the help on this.

wrote in message
news:6cb2911d5e038cc0805353e3576@msnews.microsoft.com...
> Hello Zachary,
>
> I will crospost this to:
> microsoft.public.windows.server.security
>
> That's the better place for your question. Also think about using the
> Technet Forum:
> http://social.technet.microsoft.com/Forums...ecurity/threads
>
>> We currently have a Win2k server that we are looking to decommission
>> so we can install it with windows 2008. This 2k server is a domain
>> controller with no FSMO roles on it but CA is still running on the
>> server. We currently have a 2008 server that is acting as our primary
>> DC. Two questions:
>>
>> First, how can I check whether or not the CA is still being used? I
>> have inherited this setup from a previous IT Group so I am unsure of
>> what practices have been in place before I was here.
>>
>> Second, if I am unsure or if the services are still needed, can I move
>> the CA to the 2008 server?
>>
>> I have reviewed these links already and none seem to directly apply to
>> my situation since the scenario is 2000 and 2003
>>
>> http://support.microsoft.com/default.aspx?...kben-us298138
>>
>> http://support.microsoft.com/default.aspx?...kben-us555012
>>
>> http://support.microsoft.com/kb/889250
>>
>> Any insight would be greatly appreciated.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>

 

[Zachary]

Thanks for the suggestions. I am hesitant to just disable the services and
wait for something to break. Again I fear that isn't proper IT procedure.
I will try cross posting this question in the group you suggested below.


"John John - MVP" wrote in message
news:OXP5W8TOKHA.220@TK2MSFTNGP02.phx.gbl...
> See in-line:
>
> Zachary wrote:
>> We currently have a Win2k server that we are looking to decommission so
>> we can install it with windows 2008. This 2k server is a domain
>> controller with no FSMO roles on it but CA is still running on the
>> server. We currently have a 2008 server that is acting as our primary
>> DC. Two questions:
>>
>>
>>
>> First, how can I check whether or not the CA is still being used? I have
>> inherited this setup from a previous IT Group so I am unsure of what
>> practices have been in place before I was here.
>
> I don't know for sure but unless you properly removed the existing CA and
> created a new one on the new Server 2008 I would think that the CA on the
> Server 2000 would still be used. You could simply disable the Certificate
> Service for an extended period and see what happens, if things go wonky
> you can just re-enable the Certificate service. These might be helpful:
>
> http://support.microsoft.com/kb/889250
> How to decommission a Windows enterprise certification authority and how
> to remove all related objects from Windows Server 2003 and from Windows
> Server 2000
>
> http://support.microsoft.com/kb/231881
> HOW TO: How to Install/Uninstall a Public Key Certificate Authority for
> Windows 2000
>
> http://articles.techrepublic.com.com/5100-...066.html?tag=sc
> Move Certificate Authority to another Windows 2000 Server
>
> http://www.microsoft.com/windows/windows20...procsBackup.htm
> Back up a certification authority
>
>> Second, if I am unsure or if the services are still needed, can I move
>> the CA to the 2008 server?
>
> I don't think so, all of the Microsoft information that I have seen always
> says that you must first upgrade Server 2000 to 2003 and then in turn
> upgrade Server 2003 to 2008, there seems to be no direct path to move the
> CA directly from Server 2000 to Server 2008. You may find useful
> information here:
> http://technet.microsoft.com/en-us/library...466(WS.10).aspx
>
> You might have better help with this if you ask the folks on one of the
> Server groups, maybe here:
> news://msnews.microsoft.com/microsoft.publ....server.general
>
> John

 

[Zachary]

Any help on this would be greatly appreciated.

"John John - MVP" wrote in message
news:OXP5W8TOKHA.220@TK2MSFTNGP02.phx.gbl...
> See in-line:
>
> Zachary wrote:
>> We currently have a Win2k server that we are looking to decommission so
>> we can install it with windows 2008. This 2k server is a domain
>> controller with no FSMO roles on it but CA is still running on the
>> server. We currently have a 2008 server that is acting as our primary
>> DC. Two questions:
>>
>>
>>
>> First, how can I check whether or not the CA is still being used? I have
>> inherited this setup from a previous IT Group so I am unsure of what
>> practices have been in place before I was here.
>
> I don't know for sure but unless you properly removed the existing CA and
> created a new one on the new Server 2008 I would think that the CA on the
> Server 2000 would still be used. You could simply disable the Certificate
> Service for an extended period and see what happens, if things go wonky
> you can just re-enable the Certificate service. These might be helpful:
>
> http://support.microsoft.com/kb/889250
> How to decommission a Windows enterprise certification authority and how
> to remove all related objects from Windows Server 2003 and from Windows
> Server 2000
>
> http://support.microsoft.com/kb/231881
> HOW TO: How to Install/Uninstall a Public Key Certificate Authority for
> Windows 2000
>
> http://articles.techrepublic.com.com/5100-...066.html?tag=sc
> Move Certificate Authority to another Windows 2000 Server
>
> http://www.microsoft.com/windows/windows20...procsBackup.htm
> Back up a certification authority
>
>> Second, if I am unsure or if the services are still needed, can I move
>> the CA to the 2008 server?
>
> I don't think so, all of the Microsoft information that I have seen always
> says that you must first upgrade Server 2000 to 2003 and then in turn
> upgrade Server 2003 to 2008, there seems to be no direct path to move the
> CA directly from Server 2000 to Server 2008. You may find useful
> information here:
> http://technet.microsoft.com/en-us/library...466(WS.10).aspx
>
> You might have better help with this if you ask the folks on one of the
> Server groups, maybe here:
> news://msnews.microsoft.com/microsoft.publ....server.general
>
> John

 

[Zachary]

Ok, from what i have found on the web my best route would be to upgrade the
CA to 2003 and backup and restore it to a 2003 server, then perform the
sames steps for 2008. (http://support.microsoft.com/default.aspx/kb/298138,
http://technet.microsoft.com/en-us/library...28WS.10%29.aspx)

The only question i have left unanswered is weather or not i can find out
why CA is installed on the server in the first place. Anyone have any
suggestions on how to go about finding out what CA is doing for our network?

"Zachary" wrote in message
news:un%23TdrsOKHA.1796@TK2MSFTNGP02.phx.gbl...
> Any help on this would be greatly appreciated.
>
> "John John - MVP" wrote in message
> news:OXP5W8TOKHA.220@TK2MSFTNGP02.phx.gbl...
>> See in-line:
>>
>> Zachary wrote:
>>> We currently have a Win2k server that we are looking to decommission so
>>> we can install it with windows 2008. This 2k server is a domain
>>> controller with no FSMO roles on it but CA is still running on the
>>> server. We currently have a 2008 server that is acting as our primary
>>> DC. Two questions:
>>>
>>>
>>>
>>> First, how can I check whether or not the CA is still being used? I
>>> have inherited this setup from a previous IT Group so I am unsure of
>>> what practices have been in place before I was here.
>>
>> I don't know for sure but unless you properly removed the existing CA and
>> created a new one on the new Server 2008 I would think that the CA on the
>> Server 2000 would still be used. You could simply disable the
>> Certificate Service for an extended period and see what happens, if
>> things go wonky you can just re-enable the Certificate service. These
>> might be helpful:
>>
>> http://support.microsoft.com/kb/889250
>> How to decommission a Windows enterprise certification authority and how
>> to remove all related objects from Windows Server 2003 and from Windows
>> Server 2000
>>
>> http://support.microsoft.com/kb/231881
>> HOW TO: How to Install/Uninstall a Public Key Certificate Authority for
>> Windows 2000
>>
>> http://articles.techrepublic.com.com/5100-...066.html?tag=sc
>> Move Certificate Authority to another Windows 2000 Server
>>
>> http://www.microsoft.com/windows/windows20...procsBackup.htm
>> Back up a certification authority
>>
>>> Second, if I am unsure or if the services are still needed, can I move
>>> the CA to the 2008 server?
>>
>> I don't think so, all of the Microsoft information that I have seen
>> always says that you must first upgrade Server 2000 to 2003 and then in
>> turn upgrade Server 2003 to 2008, there seems to be no direct path to
>> move the CA directly from Server 2000 to Server 2008. You may find
>> useful information here:
>> http://technet.microsoft.com/en-us/library...466(WS.10).aspx
>>
>> You might have better help with this if you ask the folks on one of the
>> Server groups, maybe here:
>> news://msnews.microsoft.com/microsoft.publ....server.general
>>
>> John
>
>

 

[Dusko Savatovic]

Hi Zachary,

CA is issuing certificates for whatever purpose you may need:
- Encrypting File System,
- E-Mail, signing, encrypting messages
- SSL (https) for your web server, intranet web server, Outlook Web Access
- We use it for logging onto our wireless network.

You can check which certificates you issued, in the CA console.

"Zachary" wrote in message
news:uyitWNuOKHA.1876@TK2MSFTNGP06.phx.gbl...
> Ok, from what i have found on the web my best route would be to upgrade
> the CA to 2003 and backup and restore it to a 2003 server, then perform
> the sames steps for 2008.
> (http://support.microsoft.com/default.aspx/kb/298138,
> http://technet.microsoft.com/en-us/library...28WS.10%29.aspx)
>
> The only question i have left unanswered is weather or not i can find out
> why CA is installed on the server in the first place. Anyone have any
> suggestions on how to go about finding out what CA is doing for our
> network?
>
> "Zachary" wrote in message
> news:un%23TdrsOKHA.1796@TK2MSFTNGP02.phx.gbl...
>> Any help on this would be greatly appreciated.
>>
>> "John John - MVP" wrote in message
>> news:OXP5W8TOKHA.220@TK2MSFTNGP02.phx.gbl...
>>> See in-line:
>>>
>>> Zachary wrote:
>>>> We currently have a Win2k server that we are looking to decommission so
>>>> we can install it with windows 2008. This 2k server is a domain
>>>> controller with no FSMO roles on it but CA is still running on the
>>>> server. We currently have a 2008 server that is acting as our primary
>>>> DC. Two questions:
>>>>
>>>>
>>>>
>>>> First, how can I check whether or not the CA is still being used? I
>>>> have inherited this setup from a previous IT Group so I am unsure of
>>>> what practices have been in place before I was here.
>>>
>>> I don't know for sure but unless you properly removed the existing CA
>>> and created a new one on the new Server 2008 I would think that the CA
>>> on the Server 2000 would still be used. You could simply disable the
>>> Certificate Service for an extended period and see what happens, if
>>> things go wonky you can just re-enable the Certificate service. These
>>> might be helpful:
>>>
>>> http://support.microsoft.com/kb/889250
>>> How to decommission a Windows enterprise certification authority and how
>>> to remove all related objects from Windows Server 2003 and from Windows
>>> Server 2000
>>>
>>> http://support.microsoft.com/kb/231881
>>> HOW TO: How to Install/Uninstall a Public Key Certificate Authority for
>>> Windows 2000
>>>
>>> http://articles.techrepublic.com.com/5100-...066.html?tag=sc
>>> Move Certificate Authority to another Windows 2000 Server
>>>
>>> http://www.microsoft.com/windows/windows20...procsBackup.htm
>>> Back up a certification authority
>>>
>>>> Second, if I am unsure or if the services are still needed, can I move
>>>> the CA to the 2008 server?
>>>
>>> I don't think so, all of the Microsoft information that I have seen
>>> always says that you must first upgrade Server 2000 to 2003 and then in
>>> turn upgrade Server 2003 to 2008, there seems to be no direct path to
>>> move the CA directly from Server 2000 to Server 2008. You may find
>>> useful information here:
>>> http://technet.microsoft.com/en-us/library...466(WS.10).aspx
>>>
>>> You might have better help with this if you ask the folks on one of the
>>> Server groups, maybe here:
>>> news://msnews.microsoft.com/microsoft.publ....server.general
>>>
>>> John
>>
>>
>
>