Migrate Active Directory Certificate Services Root and Subordinate, which first

    Question

  • I am working on a project to upgrade / migrate my 2008 R2 CA to 2012. I have an Enterprise Root CA and a Subordinate CA. I am following the standard migration plan of standing up 2 new servers and backing up the CA, removing the ADCS role, demoting the server, changing the server to a workgroup, then on the new server changing the host name to that of the source CA, joining the domain, installing ADCS, and restoring the CA.

    The question is which CA do I do first, the Root CA or the Subordinate CA, or does it matter since they will have the same host names as before?

    Friday, October 11, 2013 9:28 PM

Answers

  • For anyone else out there, I found the steps in this operation are to back up and remove the subordinate CA first, then change the membership to a workgroup, then do the same to the root CA. This is followed by joining the new server to the domain, installing the root CA and restoring the backup, followed by the subordinate CA.
    Friday, March 14, 2014 6:33 PM
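
The backup step that precedes role removal in the answer above, as an added example that is not part of the original thread: it backs up one source CA with `certutil` and refuses to finish unless every artifact exists. The `C:\CABackup` path, the output file names and the `Invoke-Checked` helper are assumptions made for illustration.

```powershell
# Added example; backup path and output file names are assumptions.
# Run elevated on each source CA: subordinate first, then root.
param([string]$BackupDir = 'C:\CABackup')   # must be empty or not yet exist
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Hypothetical helper: run a native command and stop on a non-zero exit code.
function Invoke-Checked([string]$What, [scriptblock]$Command) {
    & $Command
    if ($LASTEXITCODE -ne 0) { throw "$What failed with exit code $LASTEXITCODE" }
}

# Templates published by an enterprise CA are not in the backup; record them.
Invoke-Checked 'template list' {
    certutil -catemplates | Out-File (Join-Path $BackupDir 'CATemplates.txt')
}
# CA certificate and private key as a PFX. certutil prompts for the password.
Invoke-Checked 'key backup' { certutil -backupKey $BackupDir }
# Certificate database and logs (certsvc must be running for this step).
Invoke-Checked 'database backup' { certutil -backupDB $BackupDir }
# CA configuration lives in the registry, outside the certutil backup.
Invoke-Checked 'registry export' {
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
        (Join-Path $BackupDir 'CAConfig.reg') /y
}

# Gate: do not remove the role unless every artifact is present and non-empty.
$expected = @(
    (Join-Path $BackupDir '*.p12'),
    (Join-Path $BackupDir 'DataBase\*.edb'),
    (Join-Path $BackupDir 'CAConfig.reg'),
    (Join-Path $BackupDir 'CATemplates.txt')
)
foreach ($pattern in $expected) {
    $hit = Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0 }
    if (-not $hit) { throw "Backup incomplete: nothing matches $pattern" }
}

# Stop issuance so nothing is signed after the backup was taken.
Stop-Service certsvc
"Backup verified in $BackupDir. Move it off this server, then remove the AD CS role."
```

The `.p12` file holds the CA private key, so restrict the backup directory's ACL and delete the working copy once the restored CA is confirmed to be issuing.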

All replies

  • Hi,

    Based on my research, a root CA certificate is the first AD CS role service which has been installed generally. After a root CA has been installed, one or more subordinate CAs can be installed to implement policy restrictions.

    In addition, if the root CA is an offline standalone root CA and you are migrating an offline standalone subordinate CA, the root CA certificate and current root CRL are required for the subordinate CA to function.

    For more detailed information about AD CS migration, please refer to the link below:

    Active Directory Certificate Services Migration Guide

    http://technet.microsoft.com/en-us/library/ee126170(v=ws.10).aspx

    Best regards,

    Susie

    Monday, October 14, 2013 9:54 AM
  • Hi,

    Any updates?

    Please feel free to contact us if you need further assistance.

    Best regards,

    Susie

    Thursday, October 17, 2013 1:12 AM
  • I have not gotten an answer yet. The TechNet article does not have any information about what to do with a root and subordinate. I will be doing the root first in the coming weekend, migrating both servers during the same window. I would like to assume that a Windows 2012 root CA will work with a 2008 R2 subordinate. These are Active Directory Enterprise certificate authority servers.
    Thursday, October 17, 2013 1:36 AM
  • Hi,

    Thanks for your reply.

    I would appreciate it if you can give feedback to us after your action. If you need further assistance, please don't hesitate to let us know.

    Best regards,

    Susie

    Friday, October 18, 2013 3:07 AM