If you are in the process of replacing your Domain Controllers (moving from Server 2003 to Server 2008 R2), you will need to either move or replace their certificates as well. First, obviously, add the 2008 R2 servers to the domain, promote them, and assign their respective roles. Then install an SSL certificate on each one.
Microsoft has a TechNet article covering every environment and how to get it configured here:
I'm just going to walk through the quick process most people will use. Follow this process if you are using a Standalone CA to issue certificates for a Domain Controller.
First off, on the Domain Controller, create a file named request.inf with the following contents (the section headers are required by certreq):
;;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=<dc-fqdn>" ; replace <dc-fqdn> with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance. 2048 is the
; practical minimum today; 1024-bit RSA is
; widely rejected by current clients and CAs.
Exportable = TRUE ; set to FALSE unless you need to back up the DC's private key
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------
Now, in a Command Prompt on the Domain Controller, type:
certreq -new request.inf request.req
A new file named request.req is created. Copy that file to the CA server and submit it there (certreq defaults to -submit; it is shown explicitly here):
certreq -submit -attrib "CertificateTemplate:DomainController" request.req
The CA returns a request ID (on a Standalone CA the request is held as pending). Write that ID down; we will need it later.
Now we need to create an ASN file. There are a few ways to do this, but the easiest is to use the script Microsoft put together for us here:
It creates an ASN file along with several other files. Copy the newly created ASN file to the CA as well.
Now, on the CA, run the following command (if the CA is running Server 2008, run it from an elevated prompt; if not, run it normally). 2.5.29.17 is the subjectAltName extension OID, which is what the ASN file carries:
certutil -setextension <RequestID> 2.5.29.17 1 @<dcname>.asn
And from the CA run:
certutil -resubmit <requestID>
This issues the pending request. Retrieve the issued certificate from the CA (certreq -retrieve, or export it from the Certification Authority console) and copy it back to the Domain Controller; the accept step has to run on the machine that holds the private key, so on the DC run:
certreq -accept <dcname>.p7b
At this point you are finished. Test the Domain Controller to make sure the new certificate is functioning properly.
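As an added pre-flight check for the first step above (my own Python, not code from this post or from Microsoft's article): a small linter for the request.inf format that flags the settings worth revisiting before the request is submitted. The two sample .inf bodies are constructed; the weak one mirrors the post's values and the hardened one corrects them.

```python
import re

SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, required for a DC's LDAPS certificate
MIN_RSA_BITS = 2048                     # practical minimum today; 1024-bit RSA is widely rejected

def parse_inf(text):
    """Parse certreq .inf text into {section: [(key, value), ...]}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and surrounding whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")          # repeated keys (several OID= lines) are kept
        sections.setdefault(current, []).append((key.strip(), value.strip().strip('"')))
    return sections

def audit_inf(text):
    """Return a list of findings; an empty list means the request passes every check."""
    inf = parse_inf(text)
    new = dict(inf.get("NewRequest", []))
    findings = []
    if not re.fullmatch(r"CN=[\w-]+(\.[\w-]+)+", new.get("Subject", "")):
        findings.append("Subject must be CN=<DC FQDN>, not a short name or placeholder")
    if int(new.get("KeyLength", "0") or 0) < MIN_RSA_BITS:
        findings.append(f"KeyLength below {MIN_RSA_BITS} bits")
    if new.get("MachineKeySet", "").upper() != "TRUE":
        findings.append("MachineKeySet must be TRUE so the key lands in the computer store")
    if new.get("Exportable", "").upper() == "TRUE":
        findings.append("Exportable = TRUE lets the DC's private key be copied off; prefer FALSE")
    ekus = [v for k, v in inf.get("EnhancedKeyUsageExtension", []) if k.upper() == "OID"]
    if SERVER_AUTH_EKU not in ekus:
        findings.append("no Server Authentication EKU; Schannel will not select this cert for LDAPS")
    return findings

# Constructed samples: WEAK_INF mirrors the post's settings, HARDENED_INF fixes the two findings.
WEAK_INF = """[NewRequest]
Subject = "CN=dc01.corp.example" ; FQDN of the DC (constructed)
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
"""
HARDENED_INF = WEAK_INF.replace("KeyLength = 1024", "KeyLength = 2048").replace("Exportable = TRUE", "Exportable = FALSE")
```

Run audit_inf on the text of your own request.inf; an empty list means every check passed.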