As businesses look at phasing out legacy Windows Server versions, core services may need to be moved or migrated to new Windows Server versions. One service you may need to move is Active Directory Certificate Services (AD CS). Let's see how to migrate AD CS from Windows Server 2008 R2 to 2019.

The migration of AD CS to a new server involves the following tasks:

  1. Back up the current AD CS server CA database and configuration.
  2. Back up the current AD CS server registry key.
  3. Remove the AD CS role from the current Windows Server.
  4. Install the AD CS role on your new Windows Server.
  5. Restore the backup configuration and registry key on the new AD CS server.

To follow the steps below, you need to be running Windows Server 2008 R2 or higher. If you are on Windows Server 2008, you will need to upgrade to Windows Server 2012 before proceeding.

Windows Server 2008 R2 AD CS server

1. Back up the current AD CS database and configuration

The process to back up your current AD CS server CA database and configuration is straightforward. It can be accomplished using the AD CS management console or the certutil command-line utility in Windows Server 2008 R2. In the console, under Administrative Tools > Certification Authority, right-click the server name and select All Tasks > Back up CA.

Beginning the backup process for AD CS in Windows Server 2008 R2

Select this option to start the Certification Authority Backup Wizard. Click Next.

The AD CS backup wizard begins

On the next screen, select the items to back up. Select the Private key and CA certificate and the Certificate database and certificate database log options. Finally, enter a path in the Back up to this location box.

Select the items to back up and the backup location

You will see a dialog box asking to create the directory. Click OK.

Enter the password for the AD CS backup

Enter a password to secure the private key and the CA certificate file.

Enter the password for the AD CS backup

The AD CS backup wizard is completed successfully.

Finish the backup of AD CS

Using the certutil command, you can perform the same operation with the following:

certutil -backup c:\<path to backup>

You will be asked to enter and confirm the password for the AD CS backup.

Back up AD CS using the certutil command

2. Back up the AD CS server registry key

The next step is to back up the CertSvc key located at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc

Why is this necessary if we have backed up the private key and the certification authority database? The registry key contains the Certification Authority configuration settings, such as the CRL and AIA locations. To back up the registry key, open regedit and perform the following steps:

  1. Navigate to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc.
  2. Right-click CertSvc and select Export.

Exporting the Active Directory Certificate Authority CertSvc registry key
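Steps 1 and 2 can also be scripted on the source server. The following is an added example, not code from the article: it runs the same certutil backup and registry export, checks that the files the restore wizard will ask for exist, and writes a SHA-256 manifest so the copy on the new server can be verified before it is restored. The backup folder path is an assumption; the CA name is read from the CertSvc configuration, and the script stays PowerShell 2.0 compatible for Windows Server 2008 R2.

```powershell
# Added example, not from the article: steps 1 and 2 scripted on the 2008 R2 CA.
# The backup folder path is an assumption; the CA name comes from the registry
# and is assumed to contain no characters that are illegal in file names.
$BackupRoot = 'C:\CABackup'   # assumed; certutil -backup needs an empty target folder

if ((Test-Path $BackupRoot) -and (Get-ChildItem $BackupRoot)) {
    throw "$BackupRoot is not empty; certutil -backup will refuse to write into it"
}
if (-not (Test-Path $BackupRoot)) { New-Item -ItemType Directory -Path $BackupRoot | Out-Null }

# The CA common name is the 'Active' value under CertSvc\Configuration.
$caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active

# Step 1: private key + CA certificate (<CA name>.p12) and the database with its
# logs (DataBase\). No -p switch: certutil prompts for the password rather than
# taking it on a command line that is visible in process listings and logs.
& certutil.exe -backup $BackupRoot
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed (exit code $LASTEXITCODE)" }

# Step 2: the CertSvc key, which carries the CRL/AIA locations and the rest of
# the CA configuration that is not stored in the database.
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc' "$BackupRoot\CertSvc.reg" /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit code $LASTEXITCODE)" }

# Sanity check: everything the restore wizard will ask for must exist.
foreach ($item in "$BackupRoot\$caName.p12", "$BackupRoot\DataBase", "$BackupRoot\CertSvc.reg") {
    if (-not (Test-Path $item)) { throw "Expected backup item missing: $item" }
}

# SHA-256 manifest, so the copy on the new server can be checked before it is
# restored (Get-FileHash does not exist on 2008 R2, hence .NET directly).
$sha   = [System.Security.Cryptography.SHA256]::Create()
$files = @(Get-ChildItem $BackupRoot -Recurse | Where-Object { -not $_.PSIsContainer })
$files | ForEach-Object {
    $stream = $_.OpenRead()
    $hash   = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    $stream.Close()
    '{0}  {1}' -f $hash, $_.FullName.Substring($BackupRoot.Length + 1)
} | Set-Content "$BackupRoot\manifest.sha256"
```

Copy the whole folder, manifest included, to the new server over an authenticated channel; the .p12 holds the CA's private key.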

3. Remove the AD CS role from the current Windows Server

Next, remove the AD CS role from the server hosting AD CS.

Confirm the removal of the AD CS role service.

Confirm removal selections in the Remove Server Role wizard

After the role is removed, you will need to restart the AD CS server.

Removal complete; restart the server

4. Install the AD CS role on your new Windows Server

Since the role has been removed from the old Windows Server, we can install it on the new one. On the new Windows Server, open Server Manager, select the server, and click Next.

Beginning the Add Roles and Features Wizard to add AD CS

Select the Active Directory Certificate Services checkbox.

Select Active Directory Certificate Services

Add the required features.

Add features required for AD CS

Click Next on the Select features screen.

Select features in the Add Roles and Features Wizard

Click Next on the AD CS Overview screen. Add the AD CS role services. Here, I am selecting:

  • Certification Authority
  • Certificate Enrollment Policy Web Service
  • Certificate Enrollment Web Service
  • Certification Authority Web Enrollment

Adding the role services to install for AD CS

Click Next on the Web Server Role (IIS) screen.

Web Server Role IIS overview

Install the services you need for your environment. Here, I leave the defaults selected.

Select the role services needed for Web Server Role IIS

Confirm the installation of roles and role services.

Confirm installation of CS

The installation is successful.

Installation of CS is successful in Windows Server 2019

If you try to open the Certification Authority management console on the new server before finishing the configuration in Server Manager, you will see the error below. It simply means you need to finish the setup of AD CS.

Certification Authority management console error

Run the post-deployment configuration of AD CS.

Launching the post deployment task for CS

On the post-deployment page, enter the credentials for configuring role services.

AD CS configuration credential

You won't be able to configure the other role services until the Certification Authority itself is configured, so configure the Certification Authority first and then go back and configure the web services.

Configure AD CS role services

Choose Enterprise CA.

Specify the setup type of the CA

Choose Root CA.

Specify root or subordinate CA

Here, select Use existing private key.

Use existing private key during the configuration of AD CS

Select the existing private key from your legacy AD CS server backup. Copy the backup to the new server beforehand so you have access to the key file. Click Import.

Import the existing certificate for the CA

Browse to the key. Enter the password used to back up the key and AD CS configuration.

Specify the file name and password for the existing certificate

Click the certificate name. You can also select the "Allow administrator interaction when the private key is accessed by the CA" option as a security enhancement. This checkbox enables strong private key protection. With this selected, you will have to enter administrator credentials each time a private key is used, when a new certificate or CRL is issued, or when the service starts.

Verify the imported certificate

Choose the location for the CA database.

Select the database location for AD CS

Review the configuration.

Confirmation of the AD CS install operation

The configuration is successful.

Installation and configuration succeeded for AD CS services on the new Windows Server

You will be prompted to finish an additional post-deployment configuration. You can go back into the post-configuration wizard and configure the web services portion of the new server.

Configure additional Certification Authority role services

Review the CA for Certificate Enrollment Web Services.

The configuration is successful.

After configuration of the AD CS Web Services
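The role installation and CA configuration from step 4 can be done without the wizard as well. The following is an added example, not code from the article or from Microsoft: it installs the same role services, configures an Enterprise root CA from the existing key and certificate with strong private key protection turned on, and then adds Web Enrollment, which can only be configured once the CA exists. The backup folder path is an assumption; the CA name is taken from the .p12 copied over from the 2008 R2 server.

```powershell
# Added example, not from the article: step 4 driven from PowerShell on the
# Windows Server 2019 target. The backup folder path is an assumption.
$BackupRoot = 'C:\CABackup'          # assumed: folder copied from the old CA
$pfx = Get-ChildItem "$BackupRoot\*.p12" | Select-Object -First 1
if (-not $pfx) { throw "No CA key/certificate (.p12) found under $BackupRoot" }

# Same role services the article selects in the Add Roles and Features Wizard.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment, `
    ADCS-Enroll-Web-Pol, ADCS-Enroll-Web-Svc -IncludeManagementTools

$pfxPassword = Read-Host -AsSecureString 'Password chosen when the CA was backed up'

# Enterprise root CA that reuses the existing key and certificate, so the
# certificates already issued still chain to this CA after the move.
# -AllowAdministratorInteraction is the strong private key protection
# checkbox: an administrator must approve each use of the CA key, including
# service start and every certificate or CRL signing.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CertFile $pfx.FullName -CertFilePassword $pfxPassword `
    -AllowAdministratorInteraction `
    -DatabaseDirectory "$env:SystemRoot\System32\CertLog" `
    -LogDirectory "$env:SystemRoot\System32\CertLog" -Force

# The remaining role services can only be configured after the CA exists,
# which is why the wizard makes you come back for them.
Install-AdcsWebEnrollment -Force
# The Certificate Enrollment Web Service and Policy Web Service additionally
# need an HTTPS certificate bound in IIS, so they are left to the wizard here.

# Verify before moving on to the restore: service present, CA name as expected.
Get-Service CertSvc | Select-Object Status, StartType
& certutil.exe -cainfo name
```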

5. Restore the backup configuration and registry key on the new AD CS server

Now, let's restore the backup taken from the Windows Server 2008 R2 server. Stop the AD CS service to restore the AD CS backup.

Stop the AD CS service before restoring

Choose Restore CA.

Restore the CA from the Certification Authority console

This begins the Restore Wizard.

Beginning the AD CS restore wizard

Select the checkboxes for Private key and CA certificate and Certificate database and certificate database log. In addition, choose the folder from which to restore.

Choose the items to restore and the location from which to restore them

Provide the password used during backup.

Enter the restore password for the backup

Click Finish to complete the restore wizard.

Completing the AD CS restore wizard

Select No to the prompt to start the service. We need to restore the registry key.

Restore finished prompt for service restart

Browse to the registry key backup you created from the original AD CS server. Right-click and select Merge.

Merge the registry key from the old Active Directory Certificate Services server

After the registry merge is successful, start the AD CS service.

Start the AD CS service on the new AD CS server

At this point, you should be able to see the new Active Directory Certificate Services server running without issue, as well as your issued certificates and other information as it was before the server migration. Due to the restore, the CA configuration will retain the CA name of the former server.

The new Certificate Services Server maintains the name of the old AD CS server
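The restore sequence in step 5, with the checks a practitioner wants before and after it, as an added example that is not code from the article: verify the copied backup against a SHA-256 manifest, stop the service, run the certutil restore, merge the exported CertSvc key, confirm the registry does not still name the old host, then start the service and check the CA name and issued certificates. The folder path is an assumption, and the manifest check only runs if a manifest.sha256 file was created alongside the backup.

```powershell
# Added example, not from the article: step 5 scripted on the new server.
# The folder path is an assumption; manifest.sha256 is optional.
$BackupRoot = 'C:\CABackup'   # assumed: copied from the 2008 R2 server

# Verify the copy before restoring CA key material from it.
$manifest = "$BackupRoot\manifest.sha256"
if (Test-Path $manifest) {
    foreach ($line in Get-Content $manifest) {
        $expected, $rel = $line -split '  ', 2
        $actual = (Get-FileHash -Algorithm SHA256 "$BackupRoot\$rel").Hash
        if ($actual -ne $expected) { throw "Hash mismatch for $rel; refusing to restore from a damaged copy" }
    }
}

# The CA service must be down; -f lets certutil replace the empty database
# created when the role was configured. certutil prompts for the backup password.
Stop-Service CertSvc -Force
& certutil.exe -f -restore $BackupRoot
if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed (exit code $LASTEXITCODE)" }

# Merge the exported CertSvc key (CRL/AIA locations and the rest of the CA
# configuration) while the service is still stopped.
& reg.exe import "$BackupRoot\CertSvc.reg"
if ($LASTEXITCODE -ne 0) { throw "reg import failed (exit code $LASTEXITCODE)" }

# The exported key came from the old host, so check the value that names the
# server before starting: CAServerName must be this machine.
$caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$cfg    = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"
if ($cfg.CAServerName -ne $env:COMPUTERNAME) {
    Write-Warning "CAServerName is '$($cfg.CAServerName)', expected '$env:COMPUTERNAME'; fix it before starting CertSvc."
}

Start-Service CertSvc

# Post-restore checks: the CA keeps the old CA name, answers requests, and
# still holds the previously issued certificates (Disposition 20 = issued).
& certutil.exe -cainfo name
& certutil.exe -ping
& certutil.exe -view -restrict 'Disposition=20' -out 'RequestID,CommonName,NotAfter' | Select-Object -First 20
```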

Wrapping up

Migrating from an older Windows Server running AD CS is not too difficult if you first back up the files needed and restore them after the role service is installed on the destination server.

It allows decommissioning legacy servers that are no longer supported by Microsoft and remaining in a supported condition with a core infrastructure service.

© 4sysops 2006 - 2021
