Moving the KM Server from One Site to Another

It is recommended that you do not move the KM Server to another server in the same site because of the critical information kept in the key management database.

The original KM server disk is needed because it contains the 64-bit encryption key for the archive database. Because the data that is being moved was created with this encryption key, the encryption key needs to be present to issue and revoke certificates in the new location. If the original disk containing the encryption key is not used, new security keys must be issued for all users in the organization.

Before moving a KM server to another server, you should back up the key management database on the Microsoft Exchange Server computer that hosts the KM server. Also, you must stop the Microsoft Key Management service using the Services option in Control Panel. You must then complete the following procedures.

  1. Run the Microsoft Exchange Server Setup program and remove the key management server component. This removes the KM server components, but retains the KM server directory and the key management database.
  2. On the Microsoft Exchange Server computer that will host the KM server, run the Microsoft Exchange Server Setup program, and select the key management server component.
  3. Use the Services option in Control Panel to stop the Microsoft Key Management service.
  4. Restore the advanced security data on the server where you previously had the KM server.
  5. Place the original KM server disk (from the original installation of the KM server) in the A drive and start the Microsoft Key Management service. You can also start the Key Management service from the command line.
  6. After allowing for replication to occur within your organization (this could take several hours depending on your topology), configure advanced security features in the other site using the Site Encryption Configuration object.