
CA Migration

I’ve recently migrated my 2003 DC’s CA to a non-DC 2008 R2 server. Everything went surprisingly well; it’s pretty easy. Follow MS’s directions, which are basically: back up the CA database from the MMC, back up the registry, remove the CA, install the CA, restore the database, and fiddle around a bit.
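The backup and restore halves of that procedure, scripted with certutil and reg.exe so the steps are repeatable and the registry backup is not forgotten. This is an added example, not the post’s own commands or Microsoft’s migration guide; the backup folder path is an assumption, and it assumes the new server is given the same CA name and uses the key restored from the backup.

```powershell
# Added example (not from the original post): back up an AD CS CA on the old
# server, then restore it on the new one. $BackupDir is an assumed path; copy
# the folder to the new server between the two halves.

$BackupDir  = 'C:\CABackup'
$CertSvcKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# --- On the OLD CA (2003) ----------------------------------------------------
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Back up the CA database plus the CA certificate and private key (you are
# prompted for a password that protects the exported .p12). This is the
# command-line equivalent of "Back up CA..." in the Certification Authority MMC.
certutil -backup $BackupDir

# Back up the CertSvc configuration hive: CRL/AIA URLs, validity periods and
# the CA name live here and must be carried over to the new server.
reg export $CertSvcKey "$BackupDir\CertSvc-Configuration.reg" /y

# Keep a copy of the CRL publication list for comparison after the move;
# the LDAP entry in it is what still has to work once the old HTTP site is gone.
certutil -getreg CA\CRLPublicationURLs | Out-File "$BackupDir\CRLPublicationURLs-before.txt"

# --- On the NEW CA (2008 R2), after installing the AD CS role with the same
#     CA name and choosing the existing key from the backup .p12 -------------
Stop-Service certsvc

# Restore the database (and keys, if present in the backup folder).
certutil -restore $BackupDir

# Re-import the configuration. Review the .reg first: values that embed the
# old hostname (e.g. CAServerName) must be corrected if the server name changed.
reg import "$BackupDir\CertSvc-Configuration.reg"

Start-Service certsvc

# Sanity check: the service should come up and report the restored CA name.
certutil -cainfo name
```

Run the two halves separately on the respective servers; `certutil -restore` refuses to run while the service is started, which is why the service is stopped first.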


The only issue I had was the CRL. The old CRL was at http://oldca, and removing the CA role removes that website. Although the CRL is also in AD, it won’t get updated by the new CA. I found this fantastic article which helped immensely with sorting out the CRL. The HTTP one won’t work, but the AD one is good enough (I hope). A few points on the article that I didn’t notice at first: it’s ldap:/// not ldap:// (three slashes), so make sure you type it correctly! I think the whole path is case sensitive too. If “Publish CRL” is greyed out after you’ve entered the information, you’ve typed something wrong.
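The same CRL fix done from the command line, which avoids the typing mistakes the MMC dialog hides until “Publish CRL” goes grey. This is an added example, not the post’s own steps or the linked article; the URL list is an assumption based on the default AD CS entries, so start from whatever `-getreg` prints on your own CA, and the issued-certificate path used for verification is a placeholder.

```powershell
# Added example (not from the original post): inspect, correct, publish and
# verify the CRL Distribution Point list on the new CA.

# 1. Show what the CA currently advertises. Each entry is "<flags>:<url>".
certutil -getreg CA\CRLPublicationURLs

# 2. Keep a local file location (flag 1 = publish the CRL to this path) and the
#    AD location. Note the THREE slashes in ldap:/// and the %-tokens, which
#    certutil expands: %2 = server short name, %3 = CA name, %6 = config DN,
#    %7 = truncated CA name, %8 = CRL name suffix, %9 = delta CRL allowed,
#    %10 = CDP object class. Flag 79 = 1+2+4+8+64: publish here, add to the
#    certificate CDP extension, add to freshest-CRL, add to the CRL's CDP,
#    publish delta CRLs here. Entries are separated by a literal "\n"
#    (backslash, n), which PowerShell passes through unchanged.
$Urls = "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n" +
        "79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
certutil -setreg CA\CRLPublicationURLs $Urls

# 3. CertSvc reads its registry configuration at start-up.
Restart-Service certsvc

# 4. Publish a fresh CRL. A mistyped LDAP path fails here with an error,
#    the command-line counterpart of the greyed-out "Publish CRL" menu item.
certutil -crl

# 5. From a domain-joined machine, fetch every CDP/AIA URL embedded in a
#    certificate the CA has issued and check the ldap:/// one reports "Verified".
#    The old http://oldca URL will show as unreachable in the same output.
certutil -verify -urlfetch C:\temp\some-issued-cert.cer
```

Certificates issued before the change still carry the old HTTP CDP, so step 5 is worth running against both an old and a newly issued certificate: the new one should only list locations that actually resolve.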


As you may be aware, I’ve been experimenting with SCCM recently. I’m finding it amazing. I’ve not been on a course for this, so to say it is daunting is a huge understatement. The myriad configuration options are enough to scare anyone off, but once you grasp the basic concepts of advertisements, packages and collections, life becomes easier. I’d recommend taking it one step at a time: get one item configured and working before progressing to the next.

Regarding that, the PC I’m testing on has Intel’s vPro architecture. I really had no idea what this was until I had cause to use it. Basically, for those of you with HP servers, it’s like a very cut-down desktop version of an iLO. No remote console viewing or anything fancy. I can reboot the machine (at the hardware level), view some information on the settings, and perhaps specify a boot image for recovery. I see it being quite useful, but it’s a bit of a pain to configure initially. Like most things in SCCM, getting it to do something NOW is quite hard. As it’s intended to be used in a huge enterprise, everything happens in a scheduled fashion.

With this in mind, here is a basic list of what you will need. I used our own internal CA to provision it, which makes things a little more difficult, mainly because I spent a lot of time wondering why it didn’t work. Here’s a hint: if you are using your own internal CA for AMT provisioning, you must go into the AMT screen via Ctrl+P (on my HP) and enter the hash (thumbprint) of the CA root certificate. You can USB provision them; you will need to download Intel’s AMT SDK (http://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk/) and the USB key provisioning tool (http://communities.intel.com/docs/DOC-1430). You make the .bin file with the program in the SDK thusly:

usbfile -create c:\setup.bin admin S3curepw! -hash c:\root-ca.cer "MY CAs Hash"

Obviously, change the bits above to suit your environment. You can then format the USB key with the tool, give it the .bin file, and boot from the USB key to provision the PC. After a while, assuming SCCM has been set up correctly, it will discover the AMT device and configure it for you to use.
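The pieces of that procedure that depend on the internal CA, put together so the root hash typed into the Ctrl+P screen is read from the same file that goes into setup.bin. This is an added example, not the post’s own script or anything shipped with the Intel SDK; the SDK install path, the passwords and the friendly name are assumptions, and the `usbfile` arguments are exactly the ones the post shows.

```powershell
# Added example (not from the original post): export the CA root certificate,
# print the thumbprint for the MEBx/AMT certificate-hash entry, and build the
# USB provisioning file with the SDK's usbfile tool. Paths below are assumed.

$RootCer  = 'C:\root-ca.cer'
$UsbFile  = 'C:\AMT-SDK\Windows\Intel_AMT\Bin\usbfile.exe'   # assumed SDK location
$SetupBin = 'C:\setup.bin'

# 1. On the CA itself, export the CA's own certificate. For a root CA this is
#    the certificate AMT must trust for the provisioning TLS handshake.
certutil -ca.cert $RootCer

# 2. Read the thumbprint from the file rather than copying it off a dialog.
#    .Thumbprint is the SHA-1 hash as 40 hex characters, which is the value
#    entered as the certificate hash in the AMT (Ctrl+P) screen.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCer
$thumb = $cert.Thumbprint
Write-Host "Root CA subject:  $($cert.Subject)"
Write-Host "SHA-1 thumbprint: $thumb"

# 3. Guard against the mistake the post hints at: AMT wants the ROOT hash, so
#    an issuing (subordinate) CA certificate here means provisioning will
#    fail to trust the SCCM out-of-band service point certificate later.
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Certificate is not self-signed; export the root CA certificate instead."
}

# 4. Build setup.bin as the post shows: current MEBx admin password, the new
#    password to set, and the root certificate whose hash was just printed.
#    Passwords here are constructed placeholders from the post, not real values.
& $UsbFile -create $SetupBin admin 'S3curepw!' -hash $RootCer 'MY CAs Hash'
```

Keep the printed thumbprint next to you when you enter the hash in the AMT screen; the provisioning certificate that SCCM later presents to the machine must chain up to that same root, so a hash from any other certificate silently breaks discovery even though the USB step appears to succeed.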