Thursday, February 04, 2010

Migrating PKI from Windows 2003 to Windows 2008 R2

Many customers are running into the need for a Windows 2008 or newer PKI infrastructure in order to enroll and auto-enroll newer client operating systems like Windows 7, Vista, and Windows Server 2008.

Actually, many business customers found the lack of certificate support in Vista (without upgrading their CAs later) to be one of the reasons it wasn't business ready. With Windows 7 being almost 10 years newer than Windows XP, many business customers are ready for a software refresh, and Windows 7 has enough other appealing features to help that decision along.

There are basically two routes to go: an in-place upgrade or a migration. The only time I would attempt an in-place upgrade is on a VM, so that a snapshot could easily be taken and rolled back in the case of a failure. A migration gives a fresh start, but requires some additional time to complete, because between steps you need to wait for certs to issue to clients.

Because certificates are fairly sensitive information, I won't post screen caps, but rather overview the process.

Research and Design

Research what your existing CA is in use for. Anything it has issued needs to be either determined to be invalid (expired, not in use, not needed) or documented as something to replicate on the new CA. The other design decision is what CA architecture and hierarchy you want or need. Depending on the size and complexity of your organization, this can differ greatly. For most organizations under 2000 users, I would say a single CA is sufficient; if additional CAs are needed, use the PKI planning guides that Microsoft provides, or better yet, read Komar's 2k8 PKI book.

Implement and Re-Issue certs

Depending on your usage, this could take a long time. Audit existing certificates, revoke the ones that are not in use or expired, and start re-issuing them on the new CA architecture. For larger organizations, this may take months to complete. Luckily, you can choose to have both CAs active. I recommend changing the certificate templates on the old CA to read-only (no longer allowing enroll and auto-enroll) as you migrate each template type successfully. This way, the old CA still validates the certificates you haven't updated yet while you work on updating them, without any noticeable downtime.
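One way to build the audit list for this step, as an added example that is not part of the original post: it asks the legacy CA database for every issued, unexpired certificate and groups the result by template, so each template becomes an explicit "re-issue on the new CA" or "revoke" decision. The CA config string is an assumed placeholder; the certutil -view/-restrict/-out switches and the CA view column names are the real ones.

```powershell
# Added example (not from the original post): inventory what the legacy CA has
# issued, grouped by template, before the new CA takes over enrollment.
# Assumed CA config string "host\CA common name"; replace with your own.
$CaConfig = 'OLDCA01\Legacy Issuing CA'

# Disposition=20 selects issued certificates; NotAfter>now drops expired ones.
# The first csv line is certutil's (localized) header, so it is skipped and
# replaced with fixed column names.
$rows = certutil -config $CaConfig -view -restrict "Disposition=20,NotAfter>now" `
            -out "RequestID,RequesterName,CertificateTemplate,NotAfter" csv |
        Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestID, Requester, Template, NotAfter

# Templates still in use on the old CA, most-issued first, with who requested
# them. Machine and service accounts showing up here are the network devices,
# web servers and VPN boxes that are easy to miss during decommissioning.
$byTemplate = $rows | Group-Object Template | Sort-Object Count -Descending |
    Select-Object @{ n = 'Template';   e = { $_.Name } },
                  Count,
                  @{ n = 'Requesters'; e = {
                      ($_.Group | ForEach-Object { $_.Requester } |
                          Sort-Object -Unique) -join '; ' } }
$byTemplate | Format-Table -AutoSize

# Keep the full list: it is the re-issue checklist, and the final "did we miss
# anything" review before the legacy CA is switched off.
$rows | Export-Csv -Path "$env:USERPROFILE\legacy-ca-issued.csv" -NoTypeInformation
```

Re-run the same query after each template is migrated; the template's row should drop to zero unexpired certificates before its enrollment is removed from the old CA.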

Decommission Legacy CA

The "easy" part for sure. When removing a CA (unlike uninstalling Exchange), there are no checks or audits to make sure you did everything correctly. If you didn't notice that your Cisco ASA or VPN concentrator had a certificate issued and missed it, it may cause some issues for you. I recommend stopping and disabling your legacy CA for a few days or even weeks (this depends on your comfort level and organization) before you make the decision to decommission. Even then, before you decommission, I would also really recommend taking a complete backup of the server.


Monday, September 21, 2009

Windows 2008 R2 and Exchange 2007 SP2

The MS Exchange team today announced that they do not support Exchange 2007 SP2 on Windows 2008 R2. Good to know before you have to reload the OS!

http://msexchangeteam.com/archive/2009/09/21/452567.aspx

Edit: They decided to reverse this!

http://msexchangeteam.com/archive/2009/11/04/453026.aspx


Thursday, June 04, 2009

Mark your fall calendars!

I decided to not pepper with updates this week.

October 22 - Windows 2008 R2 and Windows 7 release dates
http://community.winsupersite.com/blogs/paul/archive/2009/06/02/windows-server-2008-r2-will-follow-the-same-rtm-ga-dates-as-windows-7.aspx

Exchange 2010 - Not yet released. Still Q3/Q4. The public beta has been REALLY well received thus far. I have done part 1 of my 3-part series, and also agreed to speak at two New Horizons events. I have three customers talking 2010 design planning at the moment. Very exciting.


Monday, February 09, 2009

Windows Server 7 Beta Feature Focus - Migration solutions for WS08 R2

I viewed a LiveMeeting today on migrating to WS08 R2. The full transcript should be available here later:

http://connect.microsoft.com/Downloads/DownloadDetails.aspx?SiteID=488&DownloadID=14733

Benefits of migrating to 2008 R2:

  • Clean OS installs exhibit more stability

    • Reduces risk and downtime
    • Performs most of migration tasks while the old server is still operational
    • Verifies migration and benchmark performance before switching to the new server
    • Rolls back to old server if migration fails
  • Provides a transition path from

    • x86 to x64 OS (WS08R2 is x64 only)
    • Physical to Virtual (and vice versa)
    • Full server to server core (and vice versa)

Windows 2008 R2 migration guides for AD/DHCP/File and more are online now here:
http://technet.microsoft.com/en-us/library/dd365353.aspx

Supported Scenarios:


General Process:


They then ran through exporting DHCP on a 2003 x64 server; the password is used to encrypt the exported data.



And then re-import on the Windows 2008 R2 server with the DHCP feature installed (but not configured).




Then, the importResult variable can be used to review/parse for any warnings or errors from the import. The example they used was the administrator and guest account not being imported because it already existed on the target machine.

They then show the DHCP and user data imported successfully.

I did ask whether they plan to allow you to scan and export and have the import install the necessary roles and features, and they do intend the import/export to do this in a later version. Apparently they liked this question, because I won something. Yay!

Then they moved on to a file server migration. It is basically the same process for file shares: export, then import, and it recreates the NTFS permissions and file shares on the target server. Very neat stuff, and nice to finally have some tools for role migrations!



Tuesday, February 03, 2009

Windows 2008 R2 recycle bin - how to recover AD objects using Powershell

In my last post on this, I completed the LDP method, but was unable to get the Powershell recovery of a user object to work.

I was unable to use Get-ADObject to return any data for me.

I finally had some more time to work on this, and since then, I have found more people blogging on this and some are hitting similar issues.

Chad sent me this: some additional information on the Get-ADObject cmdlet, and the confusion with another third-party extension that uses this name as well.
http://iwasblogging.blogspot.com/2009/01/get-adobject-cmdlet-confusion-intro.html
http://iwasblogging.blogspot.com/2009/01/get-adobject-cmdlet-confusion-continued.html

So I began googling about Get-ADObject and found this article by Niraj Kumar:
http://blogs.technet.com/niraj_kumar/archive/2009/02/03/new-feature-active-directory-recycle-bin-in-windows-2008-r2.aspx - he had his Get-ADObject working, but this helped me find my missing link when I saw he used the ldapfilter!

He was using -ldapFilter "(objectClass=*)" and I hadn't tried that. As it turns out, if you do NOT use the -filter or the -ldapfilter, you will NOT get results. Examples:




So that being discovered, I can now go about restoring my user! I created a new user named "Another Test" and immediately deleted him. Then I ran one of the above commands, and found my user.


Now, obviously, in a production AD, you are NEVER going to filter for * and pipe it all to Restore-ADObject like this; you are going to want a single item in most cases. So, using the filters and piping to fl:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=2008beta,DC=com" -IncludeDeletedObjects -ldapFilter "(objectClass=user)" | fl

I am returned with:


Now, I can take my idea from Niraj's blog and use this single GUID to restore the object:

I can now F5 my ADUC and see my test user in all its glory!
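The single-object restore described above, written out as an added example (not the post's own commands): it narrows the search to the one deleted user by its last known RDN, refuses to continue if the match is not unique, and handles the case where the user's original OU was deleted too. The lab domain DC=2008beta,DC=com and the "Another Test" user come from the post; the fallback OU is an assumption.

```powershell
# Added example (not from the original post): restore exactly one deleted user
# from the AD Recycle Bin instead of filtering on "*" and piping everything.
Import-Module ActiveDirectory

$domainDn   = 'DC=2008beta,DC=com'                 # lab domain from the post
$deletedCn  = "CN=Deleted Objects,$domainDn"
$targetName = 'Another Test'                       # name the user had before deletion
$fallbackOu = "OU=Restored Users,$domainDn"        # assumed OU, used only if needed

# A deleted object keeps its old RDN in msDS-LastKnownRDN and its old parent
# in lastKnownParent, so the filter can name the one object we actually want.
$ldap = "(&(objectClass=user)(isDeleted=TRUE)(msDS-LastKnownRDN=$targetName))"
$candidates = @(Get-ADObject -SearchBase $deletedCn -IncludeDeletedObjects `
                    -LDAPFilter $ldap `
                    -Properties msDS-LastKnownRDN, lastKnownParent, whenChanged)

# Never restore on an ambiguous match: two deleted "Another Test" users would
# mean two different accounts (and two different SIDs) to choose between.
if ($candidates.Count -ne 1) {
    throw "Expected one deleted user named '$targetName', found $($candidates.Count)."
}
$obj = $candidates[0]
"Restoring {0} (deleted {1}, original parent {2})" -f `
    $obj.ObjectGUID, $obj.whenChanged, $obj.lastKnownParent

# If the original OU is gone as well, the restore needs an explicit -TargetPath.
$parentExists = [bool](Get-ADObject -Identity $obj.lastKnownParent -ErrorAction SilentlyContinue)
$restoreArgs = @{ Identity = $obj.ObjectGUID }
if (-not $parentExists) {
    Write-Warning "Original parent no longer exists; restoring into $fallbackOu"
    $restoreArgs.TargetPath = $fallbackOu
}

# Dry run first, then the real restore; the GUID (and SID) survive the restore.
Restore-ADObject @restoreArgs -WhatIf
Restore-ADObject @restoreArgs
Get-ADUser -Identity $obj.ObjectGUID | Select-Object Name, DistinguishedName, Enabled
```

Group memberships that were stripped at deletion come back with the restore only while the object is still within the deleted-object lifetime; after that it becomes a recycled object and cannot be restored this way.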


Friday, January 30, 2009

Using the Windows 2008 R2 Active Directory Recycling Bin

So let's see how that Recycle Bin works. First we need to enable it. It is good to note again that you cannot enable this unless all your DCs are Windows 2008 R2 and you raise your forest functional level to 2008 R2. For me in the lab, this is simple; in a real environment, this takes days and weeks of planning and effort to get to this step!

Some generic information about this feature:

  • Deleted items are retained for up to 180 days by default. I imagine that this can be edited to be shorter or longer somehow, but I was not able to find this.
  • You can view and restore items using either LDP or Powershell, but I was NOT able to get Powershell to work. More on that below.


From this article:
http://technet.microsoft.com/en-us/library/dd379481.aspx

There are two ways to add the Recycle Bin: PowerShell or LDP, as specified in that article. I like PowerShell a LOT, so I will go with this. Keep in mind that "regular" PowerShell will not recognize these commands; you need to choose the AD PowerShell from under your administrative tools.
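Enabling the feature from the AD module, as an added example that is not from the post or the linked article: it checks the forest functional level the post calls out, skips the enable if it has already been done, and then reads the retention setting. The forest name is taken from the forest itself rather than hard-coded; the attribute names are the real configuration-partition attributes.

```powershell
# Added example (not from the original post): enable the AD Recycle Bin with
# the Active Directory module after checking the prerequisites the post names.
# Enable-ADOptionalFeature prompts before it runs, because enabling cannot be undone.
Import-Module ActiveDirectory

$forest    = Get-ADForest
$configDn  = (Get-ADRootDSE).configurationNamingContext
$dsDn      = "CN=Directory Service,CN=Windows NT,CN=Services,$configDn"
$featureDn = "CN=Recycle Bin Feature,CN=Optional Features,$dsDn"

# 1. The forest functional level must be Windows Server 2008 R2 or later.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest mode is $($forest.ForestMode); raise it to $required first."
}

# 2. EnabledScopes is populated once the feature is on, so this is idempotent.
$feature = Get-ADOptionalFeature -Identity $featureDn
if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin already enabled for: $($feature.EnabledScopes -join ', ')"
} else {
    Enable-ADOptionalFeature -Identity $featureDn -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain
}

# 3. Retention: msDS-DeletedObjectLifetime (days) on the Directory Service
#    object controls how long a deleted object stays restorable. When it is
#    unset, the value follows tombstoneLifetime (180 days in a new forest).
$ds = Get-ADObject -Identity $dsDn -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
$lifetime = $ds.'msDS-DeletedObjectLifetime'
if (-not $lifetime) {
    $lifetime = "default, following tombstoneLifetime ($($ds.tombstoneLifetime))"
}
"Deleted objects stay restorable for: $lifetime days"
```

To change the window, set msDS-DeletedObjectLifetime on that same Directory Service object with Set-ADObject; the new value applies forest-wide.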


So I guess it's time to put on my silly admin hat.

Create a new user:

Much more information on a single screen here now:

Do note the "Protect object from accidental deletion" checkbox. If you google this, you will see it actually has NOTHING to do with the AD Recycle Bin; it's a pre-existing feature.

So first, we need to use LDP to view the recycle bin as per this article: http://technet.microsoft.com/en-us/library/dd379509.aspx

Here, I have connected and bound and am opening tree view:

And then I can see the deleted objects:

So let's delete an unfortunate soul:

After doing this, I can refresh the LDP window and see this:

So we right click the user and choose Modify:

So we are presented with the modify dialog, and I added "isDeleted" and selected delete:


Then hit Enter:

Then, enter distinguishedName and for the value, put the original DN of the object and choose replace.

Then hit enter. Clearly here, you are building a list of changes to be performed to undelete the object.

Most importantly, check the "extended" check box. Then you can hit run.


The screen will stay up, but you can view the main LDP window to see the status of this change:



Then, refresh your AD Administrative Center, and our "Test User" object is there again!

Now, let's nuke him again and restore him from Powershell!

This is where I seemed to hit a glitch of some sort:


From the Microsoft Help page:



Obviously, the command should be "Get-ADObject -filter", but hey, they missed a space there. This code will not work for me. Actually, even if I do "Get-ADObject" with no parameters, I should get back a long list of objects. Instead I get this. Granted, this is beta code, and I might be missing something, but I couldn't get this working as cleanly as the LDP instructions above. I guess it's a good thing there is more than one way to recover these!



Implementing a Windows 2008 R2 domain controller

Since I already have a home 2008 domain that has some production work in it, I opted to install a new forest and domain for beta code, so that if I did break anything or need to rip R2 beta out, it won't affect other services. Once this OS releases, I will definitely be migrating to it at home and will review the 2008 to 2008 R2 upgrade process some more.


I ran Dcpromo from Start > Run, and it ran for a short while, but that might be because I allocated hardly any RAM to this box :)


Advanced Mode... I like the sound of that!

And we get this glorious warning about security.

After reading up at http://go.microsoft.com/fwlink/?linkId=104751, there is a workaround if you do experience any of the symptoms of this. So I will press on:


I went with a simple and easy to remember name, that I likely will never use again on this blog, unless I do additional 2008 R2 features on this domain.


This then checks DNS and NetBIOS for existing names that would conflict, then prompts you for the NetBIOS name (yes, still, with the NetBIOS, but a fair amount of things still rely on it!).


Now, the Forest Functional Level (FFL)

I of course chose the R2!

Time to delve into the reviewer's guide for what features are unlocked with the 2008 R2 Forest Functional Level. It contains everything 2008 did, plus the AD Recycle Bin, which when enabled provides the ability to restore objects without stopping AD and doing a directory restore.

For more on the AD Recycle bin, check out: http://blogs.technet.com/activedirectoryua/archive/2009/01/30/introducing-active-directory-recycle-bin.aspx

Of course, choosing the R2 Forest functional level means I would also be doing the 2008 R2 domain functional level. This includes all previous DFL features, plus Authentication Mechanism Assurance. You can read more about this feature here:
http://blogs.technet.com/activedirectoryua/archive/2008/11/21/authentication-mechanism-assurance-in-windows-server-2008-r2.aspx

Once past the FFL screen, we are asked what other DC options to install with. Being the first DC in a new forest, I cannot choose much here. I do wonder why I would even be given the option to not install DNS.

I had set a static IPv4 address, but left IPv6 using dynamic addressing, so I got a warning:

I chose to ignore this for now, and chose YES.

Accepted the default storage locations, and then set my DSRM password:

I was *really* hoping that "advanced" let me choose a different site name than "Default-First-Site-Name" this time around. Oh well. I think if it was an option here, far fewer installations would be scared to change this.

A quick review of my settings, and we are OFF:



I really like the reboot checkbox, so I checked the box. This is really nice to have, especially if you were bringing up new DCs en masse for a larger existing domain and didn't want to have to keep checking on it.

Once rebooted, I see a new MSC, the "Active Directory Administrative Center"

My stars, this looks very different!

Oh wait, there's what looks more familiar...


Next post will cover USING the recycle bin!
