The migration of AD CS to a new server involves the following tasks:
- Back up the current AD CS server CA database and configuration.
- Back up the current AD CS server registry key.
- Remove the AD CS role from the current Windows Server.
- Install the AD CS role on your new Windows Server.
- Restore the backup configuration and registry key on the new AD CS server.
To follow the steps below, you need to be running Windows Server 2008 R2 or higher. If you are on Windows Server 2008, you will need to upgrade to Windows Server 2012 before proceeding.
1. Back up the current AD CS database and configuration
The process to back up your current AD CS server CA database and configuration is straightforward. It can be accomplished using the AD CS management console or the certutil command-line utility in Windows Server 2008 R2. In the console, under Administrative Tools > Certification Authority, right-click the server name and select All Tasks > Back up CA.
Select this option to start the Certification Authority Backup Wizard. Click Next.
On the next screen, select the items to back up. Select the Private key and CA certificate and the Certificate database and certificate database log options. Finally, enter a path in the Back up to this location box.
You will see a dialog box asking to create the directory. Click OK.
Enter a password to secure the private key and the CA certificate file.
The AD CS backup wizard is completed successfully.
Using the certutil command, you can perform the same operation with the following:
certutil -backup c:\
You will be asked to enter and confirm the password for the AD CS backup.
2. Back up the AD CS server registry key
The next step is to back up the CertSvc key located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc.
Why is this necessary if we have already backed up the private key and the certification authority database? The registry key contains the Certification Authority configuration settings, such as the CRL and AIA locations, which are not part of the database backup. To back up the registry key, open regedit and perform the following steps:
- Navigate to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc.
- Right-click CertSvc and select Export.
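Steps 1 and 2 can be run together from an elevated PowerShell prompt on the source CA. The script below is an added example, not code from the original article; the backup root path is a hypothetical choice, and the hash file it writes is an extra integrity check so that the copied backup can be verified on the destination server before it is restored.

```powershell
# Added example (not from the original article): back up the CA database, the CA
# certificate and private key, and the CertSvc registry key in one run.
# Assumption: run elevated on the legacy CA; $BackupRoot is a hypothetical path.
param(
    [string]$BackupRoot = 'C:\CABackup'   # assumed destination; choose your own
)
$ErrorActionPreference = 'Stop'

# One timestamped folder per run so an old backup is never silently overwritten.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Password that protects the PKCS#12 (.p12) file holding the CA certificate and key.
$pw    = Read-Host -Prompt 'Password to protect the CA private key backup' -AsSecureString
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
             [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw))

# certutil -backup writes <CAName>.p12 plus a DataBase folder with the .edb and log files.
# -p supplies the password non-interactively; -f overwrites an existing backup in $dest.
certutil -p $plain -f -backup $dest
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# Export the CertSvc configuration key described in step 2 (CRL/AIA locations, etc.).
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc' (Join-Path $dest 'CertSvc.reg') /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# Record the templates the CA publishes so they can be compared after the migration.
certutil -catemplates | Out-File (Join-Path $dest 'templates.txt')

# Sanity check: both the key file and the database must exist before trusting this backup.
$p12 = Get-ChildItem -Path $dest -Filter '*.p12'
$edb = Get-ChildItem -Path (Join-Path $dest 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
if (-not $p12 -or -not $edb) { throw "Backup incomplete in $dest" }

# SHA-256 of every file, keyed by path relative to $dest, so the copy can be verified
# on the new server even when it lands in a different directory.
Get-ChildItem -Path $dest -Recurse -File | Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'RelativePath'; e = { $_.Path.Substring($dest.Length).TrimStart('\') } }, Hash |
    Export-Csv -Path (Join-Path $BackupRoot "$stamp-hashes.csv") -NoTypeInformation

Write-Host "CA backup written to $dest"
```

The .p12 file is the CA's signing key; copy the backup folder and its hash file to the new server over a channel you trust, and keep the password separate from the files.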
3. Remove the AD CS role from the current Windows Server
Next, remove the AD CS role from the server hosting AD CS.
Confirm the removal of the AD CS role service.
After the role is removed, you will need to restart the AD CS server.
4. Install the AD CS role on your new Windows Server
Since the role has been removed from the old Windows Server, we can install it on the new one. On the new Windows Server, open Server Manager, select the server, and click Next.
Select the Active Directory Certificate Services checkbox.
Add the required features.
Click Next on the Select features screen.
Click Next on the AD CS Overview screen. Add the AD CS role services. Here, I am selecting:
- Certification Authority
- Certificate Enrollment Policy Web Service
- Certificate Enrollment Web Service
- Certification Authority Web Enrollment
Click Next on the Web Server Role (IIS) screen.
Install the services you need for your environment. Here, I leave the defaults selected.
Confirm the installation of roles and role services.
The installation is successful.
If you try to open the Certification Authority management console on the new server before finishing the configuration in Server Manager, you will see the error below. It simply means you need to finish the setup of AD CS.
Run the post-deployment configuration of AD CS.
On the post-deployment page, enter the credentials for configuring role services.
You won't be able to configure services other than the Certification Authority. So you must first configure the Certification Authority and then go back and configure the Web Service.
Choose Enterprise CA.
Choose Root CA.
Here, select Use existing private key.
Select your existing private key created in your legacy AD CS server backup. Copy this to your server beforehand so you have access to the key. Click Import.
Browse to the key. Enter the password used to back up the key and AD CS configuration.
Click the certificate name. You can also select the "Allow administrator interaction when the private key is accessed by the CA" option as a security enhancement. This checkbox enables strong private key protection. With this selected, you will have to enter administrator credentials each time a private key is used, when a new certificate or CRL is issued, or when the service starts.
Choose the location for the CA database.
Review the configuration.
The configuration is successful.
You will be prompted to finish an additional post-deployment configuration. You can go back into the post-configuration wizard and configure the web services portion of the new server.
Review the CA for Certificate Enrollment Web Services.
The configuration is successful.
5. Restore the backup configuration and registry key on the new AD CS server
Now, let's restore the backup taken from the Windows Server 2008 R2 server. Stop the AD CS service to restore the AD CS backup.
Choose Restore CA.
This begins the Restore Wizard.
Select the checkboxes for Private key and CA certificate and Certificate database and certificate database log. In addition, choose the folder from which to restore.
Provide the password used during backup.
Click Finish to complete the restore wizard.
Select No to the prompt to start the service. We need to restore the registry key.
Browse to the registry key backup you created from the original AD CS server. Right-click and select Merge.
After the registry merge is successful, start the AD CS service.
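The restore in step 5 (stop the service, restore the database and key, merge the registry export, start the service) can also be scripted on the destination server. This is an added example rather than the article's own procedure; it assumes the backup folder and its hash file were copied to a hypothetical path, and it finishes by printing the registry values that most often still carry the old server's name so they can be reviewed.

```powershell
# Added example (not from the original article): restore the CA backup and merge the
# CertSvc registry key on the new server, then start the service and check it answers.
# Assumption: elevated PowerShell on the destination CA; $BackupDir is a hypothetical
# path to the folder copied from the old server (with <stamp>-hashes.csv beside it).
param(
    [string]$BackupDir = 'C:\CABackup\20210701-120000'   # assumed copied backup folder
)
$ErrorActionPreference = 'Stop'

# Verify the copied files against the hashes recorded at backup time before touching the CA.
$hashFile = Join-Path (Split-Path $BackupDir -Parent) "$(Split-Path $BackupDir -Leaf)-hashes.csv"
if (Test-Path $hashFile) {
    foreach ($row in Import-Csv $hashFile) {
        $actual = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $BackupDir $row.RelativePath)).Hash
        if ($actual -ne $row.Hash) { throw "Hash mismatch for $($row.RelativePath); do not restore" }
    }
} else {
    Write-Warning "No hash file found next to $BackupDir; file integrity not verified"
}

# The CA service must be stopped before the database can be replaced.
Stop-Service -Name CertSvc

$pw    = Read-Host -Prompt 'Password used when the backup was taken' -AsSecureString
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
             [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw))

# -f overwrites the empty database created during role installation with the backup.
certutil -p $plain -f -restore $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed with exit code $LASTEXITCODE" }

# Merge the exported CertSvc key (same effect as right-click > Merge in Explorer).
reg import (Join-Path $BackupDir 'CertSvc.reg')
if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }

Start-Service -Name CertSvc

# certutil -ping talks to the running CA over RPC; a non-zero exit means it is not serving.
certutil -ping
if ($LASTEXITCODE -ne 0) { throw 'CA service started but does not respond to certutil -ping' }

# Print the restored values that commonly embed the old hostname, for manual review.
foreach ($name in 'CAServerName', 'CRLPublicationURLs', 'CACertPublicationURLs') {
    certutil -getreg "CA\$name"
}

# Confirm issued certificates (Disposition 20) survived the restore.
certutil -view -restrict 'Disposition=20' -out 'RequestID,CommonName,NotAfter' | Select-Object -First 30
```

Check the printed publication URLs against where clients actually fetch CRLs from: a restored configuration still points at the locations the old server used, so if those included its hostname, the old name must stay resolvable or the locations must be updated before the next CRL is published.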
At this point, you should be able to see the new Active Directory Certificate Services server running without issue, as well as your issued certificates and other information as it was before the server migration. Due to the restore, the CA configuration will retain the CA name of the former server.
Wrapping up
Migrating from an older Windows Server running AD CS is not too difficult if you first back up the files needed and restore them after the role service is installed on the destination server.
It allows decommissioning legacy servers that are no longer supported by Microsoft and remaining in a supported condition with a core infrastructure service.