If you are retiring a CA server, or there's a problem with the server and you want to move Microsoft Certificate Services to another server, the procedure is pretty straightforward.

BE AWARE: We are moving the CA name, NOT the server name (FQDN). The two things are NOT the same (you might have called them the same thing!), but a Certificate Authority has a name of its own, and that's what we are going to move.

So the new server doesn't have to have the same name? No. It can if you really want, but that's an added layer of complication I can't see the point of.

In the video below, I'm migrating from Server 2008 R2 to Server 2019, and I'm also moving CRLs and OCSP responders. In the screenshots below I'm moving from Server 2016 to Server 2016, but the process is pretty much identical all the way back to Server 2003.

Can I migrate from Server 2008 (NON R2) to 2016 (or newer)? Yes, but not directly: you need to upgrade to Server 2012 R2 first. If you don't, the database won't mount and you will get this error.

Back Up and Remove Certificate Services on the Source/Old Server

On the 'Source' server, open the Certification Authority management console > Right click the CA NAME > All Tasks > Back up CA. The backup wizard will open: Next > Tick BOTH options (the private key and CA certificate, and the certificate database) > Select a Backup Location > Next > Set a password (you will need this to set the new CA up!) > Next > Finish. The backup folder now holds the CA's signing key, protected only by that password, so keep it somewhere appropriate and delete it once the new CA is running.

Now we need to take a backup of the Registry key that holds the configuration for this CA: HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > CertSvc > Configuration. Export a copy of this key (save it in the same folder that you backed up to earlier).

Now we need to uninstall CA Services from this server. Server Manager > Manage > Remove Roles and Features > Next > REMOVE all the CA role services > Complete the wizard, then launch the wizard again and select 'Active Directory Certificate Services' > At the pop-up select 'Remove Features' > Next.

The order matters here: back up, then remove the role, then (and only then) install the role on the new server. The note below is quoted from Microsoft's AD CS migration guidance:

It is important to remove the CA role service from the source server after completing backup procedures and before installing the CA role service on the destination server. Enterprise CAs and standalone CAs that are domain members store in Active Directory Domain Services (AD DS) configuration data that is associated with the common name of the CA. Removing the CA role service also removes the CA's configuration data from AD DS. Because the source CA and destination CA share the same common name, removing the CA role service from the source server after installing the CA role service on the destination server removes configuration data that is required by the destination CA and interferes with its operation. The CA database, private key, and certificate are not removed from the source server by removing the CA role service. Therefore, reinstalling the CA role service on the source server restores the source CA if migration fails and performing a rollback is required. See Restoring AD CS to the source server in the event of migration failure.

Setup Certificate Services on the Target/New Server

Server Manager > Add Roles and Features > Next > Next > Select 'Active Directory Certificate Services' > Add Features > Next. For now let's just stick with the Certification Authority > Add the other role services later* > Next.

* Note: I've written about all these role services before; just use the search function (above) if you are unsure what they all do.

Warning > Configure Active Directory Certificate Services > Next > Next > Enterprise CA (unless it's an offline, non-domain-joined CA) > Root CA (unless it's a subordinate CA!) > Next > Select 'Use existing private key' > Select 'Select a certificate and use its associated private key' > Next > Import > Browse > In your backup folder locate the certificate (it will have a .p12 extension, as that file carries the private key as well as the certificate) > Enter the password > OK > Select the cert > Next.

Hi Pete, echo everyone else's thanks for a clear, concise article/video and for taking time to answer follow-up questions. I recently moved a domain off an old SBS 2011 server to 2012 R2 Standard. I followed your steps to migrate the CA and it all went swimmingly… or so it seemed, until I realized that all of the existing certificates now have invalid CDP paths.
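The same migration, scripted. This is an added example and not code from the article or from Microsoft: it uses the ADCSAdministration and ADCSDeployment cmdlets that ship with Server 2012 and later, and it also records what the wizard steps do not (the CA name, the published templates, the CDP/AIA URL settings) so the new CA can be checked. The backup folder name, the file names written into it and the FQDN lookup used for CAServerName are assumptions; run Backup-SourceCA and Remove-SourceCA on the old server, copy the folder across, then Restore-TargetCA on the new one.

```powershell
# Added example (not from the original article): the source-server backup, the role
# removal and the target-server restore as PowerShell, using the ADCSAdministration and
# ADCSDeployment cmdlets that ship with Server 2012 and later. The folder name, the file
# names written into it and the FQDN lookup for CAServerName are assumptions.

function Backup-SourceCA {
    param([string]$BackupPath = 'C:\CABackup')   # assumption: copy this folder off the box afterwards

    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
    $Password = Read-Host -AsSecureString -Prompt 'CA backup password (needed again on the target)'

    # Both wizard tick boxes: private key + CA certificate (written as <CAName>.p12) and the database.
    # The .p12 is the CA's signing key protected only by this password, so treat the folder accordingly.
    Backup-CARoleService -Path $BackupPath -Password $Password -Force

    # The registry key the article exports by hand.
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
        (Join-Path $BackupPath 'CertSvc-Configuration.reg') /y | Out-Null

    # Record the CA name, the published templates (Enterprise CA) and the CDP/AIA URL
    # settings so the target can be checked against them after the restore.
    $Config = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $CaName = (Get-ItemProperty -Path $Config).Active
    Set-Content -Path (Join-Path $BackupPath 'CAName.txt') -Value $CaName
    certutil.exe -catemplates | Set-Content -Path (Join-Path $BackupPath 'CATemplates.txt')
    $CaKey = Get-ItemProperty -Path (Join-Path $Config $CaName)
    Set-Content -Path (Join-Path $BackupPath 'PublicationURLs.txt') `
        -Value ($CaKey.CRLPublicationURLs + $CaKey.CACertPublicationURLs)
    if (Test-Path "$env:SystemRoot\CAPolicy.inf") { Copy-Item "$env:SystemRoot\CAPolicy.inf" $BackupPath }
}

function Remove-SourceCA {
    # Run on the source after Backup-SourceCA and BEFORE configuring the target: the new CA
    # has the same common name, and removing the role later deletes the AD DS objects it relies on.
    Uninstall-AdcsCertificationAuthority -Force
    Uninstall-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
}

function Restore-TargetCA {
    param(
        [string]$BackupPath = 'C:\CABackup',
        [ValidateSet('EnterpriseRootCA','EnterpriseSubordinateCA','StandaloneRootCA','StandaloneSubordinateCA')]
        [string]$CAType = 'EnterpriseRootCA'
    )
    $CaName   = (Get-Content -Path (Join-Path $BackupPath 'CAName.txt')).Trim()
    $Password = Read-Host -AsSecureString -Prompt 'CA backup password'

    Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools | Out-Null

    # The wizard's "Use existing private key" > "Select a certificate and use its associated
    # private key" > Import, fed the .p12 from the backup folder.
    Install-AdcsCertificationAuthority -CAType $CAType -CertFile (Join-Path $BackupPath "$CaName.p12") `
        -CertFilePassword $Password -Force | Out-Null

    # Put the old database over the empty one the install created; CertSvc must be stopped.
    Stop-Service -Name CertSvc
    Restore-CARoleService -Path $BackupPath -DatabaseOnly -Force

    # Import the saved configuration key, but keep this machine's database paths and point
    # CAServerName at this machine; otherwise the service starts against paths and a hostname
    # that only existed on the source.
    $Config     = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $PathValues = 'DBDirectory','DBLogDirectory','DBSystemDirectory','DBTempDirectory'
    $Local      = Get-ItemProperty -Path $Config
    reg.exe import (Join-Path $BackupPath 'CertSvc-Configuration.reg') | Out-Null
    foreach ($Name in $PathValues) { Set-ItemProperty -Path $Config -Name $Name -Value $Local.$Name }
    $Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # assumption: FQDN form
    Set-ItemProperty -Path (Join-Path $Config $CaName) -Name CAServerName -Value $Fqdn
    Start-Service -Name CertSvc

    # Publish a CRL from the new host and list the HTTP publication URLs. %1 expands to the
    # new server name for new certificates, but every certificate issued before the move
    # still carries the OLD hostname in its CDP/AIA extensions.
    certutil.exe -CRL | Out-Null
    (Get-ItemProperty -Path (Join-Path $Config $CaName)).CRLPublicationURLs |
        Where-Object { $_ -match '^\d+:http' } |
        ForEach-Object { ($_ -split ':', 2)[1] -replace '%1', $Fqdn }
}

function Test-IssuedCertUrls {
    # Fetch the CDP/AIA URLs embedded in a certificate issued before the move. "Failed" lines
    # are the invalid-CDP problem; fix it with a DNS alias for the old name or by also
    # publishing the CRL to the old location, not by reissuing every certificate first.
    param([Parameter(Mandatory)][string]$CerPath)
    certutil.exe -verify -urlfetch $CerPath | Select-String -Pattern 'Verified|Failed|Error'
}
```

Two things in this script go beyond the wizard clicks. First, the registry import is not blind: the target's own database paths are written back after the import and CAServerName is set to the new host, because the exported key describes the old machine. Second, the last function exists because of the CDP problem raised in the comment: the CDP and AIA URLs in already-issued certificates are fixed at issuance, so if they name the old server and that server disappears, revocation checking for every one of those certificates fails (or, worse, soft-fails silently) until the old name resolves again or the CRL is also published at the old path.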