Thursday, February 04, 2010

Migrating PKI from Windows 2003 to Windows 2008 R2

Many customers are running into the need for a Windows 2008 or newer PKI infrastructure in order to enroll and auto-enroll newer client operating systems like Windows 7, Vista, and Windows 2008 Server.

Actually, many business customers found the lack of certificate support in Vista (without first upgrading their CAs) to be one of the reasons it wasn't business ready. With Windows 7 being almost 10 years newer than Windows XP, many business customers are ready for a software refresh, and Windows 7 has enough other appealing features to help that decision along.

There are basically two routes to go: an in-place upgrade or a migration. The only time I would attempt an in-place upgrade is on a VM, so that a snapshot could easily be taken and rolled back in the case of a failure. A migration gives a fresh start, but requires some additional time to complete, because between steps you need to wait for certs to issue to clients.

Because certificates are fairly sensitive information, I won't post screen caps, but rather overview the process.

Research and Design

Research what your existing CA is in use for. Anything it has issued needs to be either determined to be invalid (expired, not in use, not needed) or documented as something to replicate on the new CA. The other design decision is what CA architecture and hierarchy you want or need. Depending on the size and complexity of your organization, this can differ greatly. For most organizations under 2000 users, I would say a single CA is sufficient; if additional CAs are needed, use the PKI planning guides that Microsoft provides, or better yet, read Komar's 2k8 PKI book.

Implement and Re-Issue certs

Depending on your usage, this could take a long time. Audit existing certificates, revoke the ones that are not in use or expired, and start re-issuing them on the new CA architecture. For larger organizations, this may take months to complete. Luckily, you can choose to have both CAs active. I recommend changing the certificate templates on the old CA to read only, no longer allowing enroll and auto-enroll, as you successfully migrate each template type. This way, the old CA still validates the certificates it issued that you haven't updated yet while you work on updating them, without any noticeable downtime.

Decommission Legacy CA

The "easy" part for sure. When removing a CA (unlike uninstalling Exchange), there are no checks or audits to make sure you did everything correctly. If you didn't notice that your Cisco ASA or VPN Concentrator had a certificate issued and miss it, it may cause some issues for you. I recommend stopping and disabling your legacy CA for a few days or even weeks (this depends on your comfort level and organization) before you make the decision to decommission. Even then, before you decommission, I would also really recommend taking a complete backup of the server.
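As an added example (not from the original post), here is a small Python script for the audit step described above: given a CSV export of the old CA's database, it drops expired and revoked entries and groups the certificates that are still valid by template, so that a device certificate such as the one on a VPN appliance shows up before the old CA is switched off. The sample export and its column names are constructed (modelled on a certutil -view csv dump), not captured from a real CA.

```python
"""Audit an old CA's certificate list before migrating or decommissioning it.
The sample export and its column names are constructed (modelled on a
``certutil -view csv`` dump), not captured from a real CA.
Disposition 20 = issued, 21 = revoked (the CA database's standard codes)."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: two templates in use, one expired cert, one revoked cert,
# and a VPN appliance certificate that is easy to overlook during decommission.
SAMPLE_EXPORT = """\
RequestID,Disposition,CertificateTemplate,CommonName,NotAfter
101,20,Machine,ws01.corp.example,2010-09-01
102,20,Machine,ws02.corp.example,2008-12-31
103,21,User,jdoe,2011-01-15
104,20,User,asmith,2010-11-20
105,20,WebServer,vpn.corp.example,2011-06-30
"""
DISPOSITION_ISSUED = "20"
DISPOSITION_REVOKED = "21"


def audit_export(csv_text, as_of):
    """Return ({template: [still-valid common names]}, {"expired": n, "revoked": n}).
    as_of is an ISO date; only certificates valid on that date need a home on the
    new CA (or a deliberate revocation) before the old CA is switched off."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d")
    active = defaultdict(list)
    skipped = {"expired": 0, "revoked": 0}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Disposition"] == DISPOSITION_REVOKED:
            skipped["revoked"] += 1
            continue
        if row["Disposition"] != DISPOSITION_ISSUED:
            continue  # pending, denied or failed requests never became certificates
        if datetime.strptime(row["NotAfter"], "%Y-%m-%d") < cutoff:
            skipped["expired"] += 1
            continue
        active[row["CertificateTemplate"]].append(row["CommonName"])
    return dict(active), skipped


if __name__ == "__main__":
    live, skipped = audit_export(SAMPLE_EXPORT, "2010-02-04")
    for template, names in sorted(live.items()):
        print(f"{template}: {len(names)} still valid -> {', '.join(names)}")
    print("skipped:", skipped)
```

Every template that still has live entries is one you either re-issue from the new CA or deliberately revoke before the old CA goes away.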

Sunday, January 03, 2010

Windows 7 - Gaining access to all options in one screen

I found this posted on a forum and found it hard to believe, but it does work and it's pretty neat!

Just create a new folder and name it:
AllAccess.{ED7BA470-8E54-465E-825C-99712043E01C}

The "AllAccess" can be anything - on the other forum, I saw it as "god mode," "admin mode" and some other names - pick whatever you would like.

All this folder contains is easy one stop access to all Windows 7 options and control panels in one location. Depending on what you have installed, the number of options here will vary of course, but I had 276 different panels to view/choose from.

Tuesday, September 22, 2009

Windows 7: Making your right-click Gadgets launch in 32-bit mode

In Windows 7, I have found closing and relaunching my Pandora sidebar application really easy to do from the right-click Gadgets context menu. Unfortunately, since Flash is not supported in 64-bit, apps like Pandora won't work properly. There are a few hints on how to launch Sidebar by default in 32-bit, but I found that when I would close and relaunch using this, it would launch in 64-bit again.

The fix is simple. Under the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Gadgets\command
edit the Default REG_SZ value to use the x86 path:
C:\Program Files (x86)\Windows Sidebar\sidebar.exe /showGadgets

Tuesday, August 18, 2009

Windows 7 RTM RSAT Tools

This is a little late, but only because I was searching and had trouble finding it.

Searching the net and Google turns up a LOT of dead links right now.

Here are the latest RTM RSAT Remote Server Administration Tools for Windows 7.

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d#filelist

x86 and x64 are available.

Keep in mind, install it, and THEN they appear in your "Turn Windows Features on or off" dialog:

Also - yay, post #100 on our blog.

Monday, August 17, 2009

Windows 7: Show desktop

The more I use Windows 7, the more neat things I stumble upon.

As if the simplicity of hitting the Windows + D key was not enough - the lower right of the clock is also a "Show Desktop" shortcut now!

Thursday, August 06, 2009

Windows 7 released to Technet and MSDN

Thousands of people are enjoying 30-60kb/s downloads today :)

As seen at Engadget.

I have been running Windows 7 RC and other versions for about two months on my primary (only) laptop. It's been absolutely solid from day one, even on beta versions. The few issues I had were pre-existing Lenovo issues (video not coming back on after sleep, etc.).

Awesome.

Thursday, June 04, 2009

Mark your fall calendars!

I decided not to pepper this blog with updates this week.

October 22 - Windows 2008 R2 and Windows 7 release dates
http://community.winsupersite.com/blogs/paul/archive/2009/06/02/windows-server-2008-r2-will-follow-the-same-rtm-ga-dates-as-windows-7.aspx

Exchange 2010 - Not yet released. Still Q3/Q4. The public beta has been REALLY well received thus far. I have done part 1 of my 3-part series, and also agreed to speak at two New Horizons events. I have three customers talking 2010 design planning at the moment. Very exciting.

Tuesday, May 19, 2009

Windows 2008 Administrator tools for Windows 7

I found this to solve my own problems today, and had to look too hard for it.

Where to Install:
Microsoft Remote Server Administration Tools for Windows 7 Beta (x86): http://download.microsoft.com/download/A/D/4/AD4D3903-E06D-456D-AED4-D53895D2C1A9/Windows6.1-KB958830-x86.msu
Microsoft Remote Server Administration Tools for Windows 7 Beta (x64): http://download.microsoft.com/download/A/D/4/AD4D3903-E06D-456D-AED4-D53895D2C1A9/Windows6.1-KB958830-x64.msu

The main download page is here: http://www.microsoft.com/downloads/details.aspx?FamilyID=82516c35-c7dc-4652-b2ea-2df99ea83dbb&displaylang=en

The RSAT Client is available to all customers as part of the supplemental Microsoft Software License Terms for Windows 7 licenses.

What Is Included in RSAT?
This is the list of Windows Server 2008 administration tools included in the Win7 RSAT Client:

Server Administration Tools:

Server Manager Role Administration Tools:
- Active Directory Certificate Services (AD CS) Tools
- Active Directory Domain Services (AD DS) Tools
- Active Directory Lightweight Directory Services (AD LDS) Tools
- DHCP Server Tools
- DNS Server Tools
- File Services Tools
- Hyper-V Tools
- Terminal Services Tools

Feature Administration Tools:
- BitLocker Password Recovery Viewer
- Failover Clustering Tools
- Group Policy Management Tools
- Network Load Balancing Tools
- SMTP Server Tools
- Storage Explorer Tools
- Storage Manager for SANs Tools
- Windows System Resource Manager Tools

UPDATE - For Windows 7 RTM - go here
