Hello and thank you for the guide, such a huge help! In chapter 16 of the SBS 2011 to Server 2016 Migration guide you wrote:
"Why migrate the CA, you would ask? One of the most important reasons to upgrade or migrate to a newer operating system is the ability to support newer hash algorithms and new cryptographic operations. As you already know, SHA-1..."
This SBS 2011 client pushed SBS to the max with about 70 users. On the SBS 2011 server, I had installed a third-party SSL cert for Exchange, and I purchased/installed a new SSL cert on the Exchange 2016 server that includes 20 FQDNs for email and the Windows 2016 AD/file server. Can I use that SSL cert instead of migrating our old SBS 2011 CA?
To add more info: the SBS CA hasn't issued a certificate for 2 years (according to the CA manager) and, even worse, it's a mess with a lot of failed requests, and all the issued certs have expired. So my second question is this: can I just create a new CA authority/certificate on the Windows 2016 server for internal use? Why migrate something as messy as our SBS 2011 CA? Could I just add the AD CS feature on the 2016 server and simply create new certs from scratch? What am I missing (do the client domain computers need a specific cert to log on once that joined machine is back in the domain)?
Thank you!
Mike
PS: I've already migrated to Exchange 2016 and uninstalled Exchange 2010 per your guide.
PPS: I need to get this done, so I went ahead and began the chapter and followed the directions. However, I'm not certain of the benefit since I'm using new certs on the new Exchange server... Anyway, while RESTORING the CA from backup on the new 2016 server I got an error: the restored CA certificate has expired.
I assume it is too late to go back to the SBS 2011 since I followed the guide, which said to remove the AD CS services on the SBS 2011 and reboot. So what do I do about this?
PPPS: It was very late here and I didn't ask the question properly. Instead of "I assume it is too late to go back to the SBS 2011...?", what I was trying to ask is this: "I assume it is too late to go back to the SBS 2011 server and get the old SBS CA at this point, since I've already removed AD CS per the guide and AD CS no longer exists on SBS 2011. So what's my next step? Can I just continue and skip this step?"
If you do not use the CA for EFS or in any RADIUS servers, you can skip the migration of the CA. Let me know if you need extra help with this.
Hello Mariette, we do not use the encrypting file service nor the RADIUS server. I completed the setup, and oldserver.domain.com is hanging out inside the new server's CA Manager, but it is inactive. How would you handle this? Would you delete oldserver.domain.com from the new server's CA Manager? Would you remove the AD CS role from the new server? On another positive note, the new server/domain is running well and it is fast (6 enterprise SSDs in a RAID 10 + 1 HS = about 7 GB/s read/write). Thanks for your help!
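Mariette's rule of thumb (skip the CA migration unless EFS or a RADIUS/NPS server still depends on it) can be verified rather than assumed before the old CA is cleaned out of the new server and out of Active Directory. The PowerShell below is an added example, not code from the migration guide or from anyone in this thread. It assumes it is run on the new Server 2016 domain controller by a domain admin, and `OLD-CA-NAME` is a placeholder for the old SBS CA's common name as shown in the Certification Authority console.

```powershell
# Added example: inventory what still references the old SBS 2011 CA.
# OLD-CA-NAME is a placeholder; substitute the real CA common name.
$OldCaName = 'OLD-CA-NAME'

# 1. Unexpired certificates on this machine that were issued by the old CA.
#    Anything listed here will break when the CA (and its CRL) disappears.
$stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'
$stillValid = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        $_.Issuer -like "*CN=$OldCaName*" -and $_.NotAfter -gt (Get-Date)
    }
}
'--- Unexpired certificates issued by the old CA ---'
$stillValid | Select-Object Subject, NotAfter,
    @{ Name = 'Store'; Expression = { $_.PSParentPath -replace '^.*::' } },
    @{ Name = 'EKU';   Expression = { ($_.EnhancedKeyUsageList.FriendlyName) -join ', ' } } |
    Format-Table -AutoSize

# 2. EFS usage: an EFS certificate carries the EKU OID 1.3.6.1.4.1.311.10.3.4.
#    Run this as each user who might have encrypted files; a hit means the
#    file-recovery story depends on the old CA's issued certificates.
'--- EFS certificates for the current user ---'
Get-ChildItem -Path 'Cert:\CurrentUser\My' | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4'
} | Select-Object Subject, Issuer, NotAfter | Format-Table -AutoSize

# 3. RADIUS: NPS (feature name NPAS) typically authenticates with a server
#    certificate from the internal CA. If the role is not installed, there is
#    no RADIUS dependency on this server.
'--- Network Policy and Access Services installed? ---'
(Get-WindowsFeature -Name NPAS).Installed

# 4. Where the old CA is still published in Active Directory. These containers
#    exist in every forest that has ever had an enterprise CA; a leftover object
#    keeps domain members trusting, or trying to enrol from, a CA that no longer
#    runs. The same objects are what pkiview.msc (Enterprise PKI) displays.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
'--- CA objects published in AD ---'
foreach ($container in 'Enrollment Services', 'Certification Authorities', 'AIA') {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=$container,$pkiBase"
    $searcher.Filter      = '(objectClass=*)'
    $searcher.SearchScope = 'OneLevel'
    $searcher.FindAll() | ForEach-Object {
        $cn = $_.Properties['cn'][0]
        $flag = if ($cn -like "*$OldCaName*") { '<-- old CA' } else { '' }
        '{0,-28} {1} {2}' -f $container, $cn, $flag
    }
}
```

If section 1 lists nothing unexpired, section 2 finds no EFS certificates, NPAS is not installed, and the only references to the old CA are the stale AD objects in section 4, then removing the inactive CA entry and the AD CS role from the new server is consistent with Mariette's answer; the section 4 output tells you which published objects still need to be cleaned up so clients stop looking for the retired CA.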