PKI Server Migration from Windows 2008R2 to Windows 2019

  • Question

  • Hi,

    I have a server which runs Windows 2008 R2 and has the AD CS role installed to manage SHA1 certificates. We have a few certificates which are still valid, so I need to migrate it to a new supported version of the OS.

    I have read multiple blogs; however, I didn't get clarity on whether I can migrate the server to 2012 and then 2016/2019, or can migrate directly to the 2019 OS.

    Tuesday, December 17, 2019 1:37 PM

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    From the article "Migrating AD Certificate Services from Windows Server 2008 to Windows Server 2016" (I used to be able to open it, but now I cannot open the article link), I can see:


    Unfortunately we cannot migrate the CA database directly from Server 2008 to Server 2016 because the JET database engine changed so much between the two versions that if we restore the backup we get a JET version error at startup and the CA won't start.

    But if we add one more step we can successfully fulfill the above tasks. This additional step is to first restore the DB backup to a Server 2012 R2 CA and then back up the DB again from there. This new backup can now be restored to the Server 2016 CA.

    So I think we must migrate 2008 R2 CA to 2012 R2, then migrate it from 2012 R2 to 2016/2019.




    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, December 18, 2019 3:15 AM
  • Hi,

    Restore and backup from 2012 R2: do you mean to say that I just need to restore on a Windows 2012 R2 server without configuring anything, just to take the backup of it again?

    Wednesday, December 18, 2019 9:24 AM
  • Hi,
    No, I do not mean that.

    I mean we should back up the CA from 2008 R2 and install Windows Server 2012 R2 Certificate Services, configure AD CS, restore the CA, restore the registry info, reissue the Certificate Templates, test the CA on the 2012 R2 CA server and ensure the PKI on 2012 R2 works fine.

    For all the migration process, we can refer to the following article.

    Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2003 to 2012 R2
    https://blogs.technet.microsoft.com/canitpro/2014/11/11/step-by-step-migrating-the-active-directory-certificate-service-from-windows-server-2003-to-2012-r2/

    Then we should back up the CA from 2012 R2 and install Windows Server 2019 Certificate Services, configure AD CS, restore the CA, restore the registry info, reissue the Certificate Templates, test the CA on the 2019 CA server and ensure the PKI on 2019 works fine.


    Tip: Each of the above small steps contains a lot of operations. Please test it in a test environment first, so as to avoid problems in the production environment, or so that they can be better solved. If there are no problems in the test environment, we will operate in the production environment.


    Best Regards,
    Daisy Zhou


    Thursday, December 19, 2019 5:56 AM
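
One hop of the sequence described in the answer above (back up the CA, install and configure AD CS on the next server, restore the CA and registry), as an added PowerShell example that is not part of the thread or the linked article. The backup path, the `.reg` file name, the function names and the `EnterpriseRootCA` type are assumptions; run it once for 2008 R2 to 2012 R2 and again for 2012 R2 to 2019.

```powershell
# Added example (not from the thread). $BackupDir, $RegFile and the CA type
# are assumptions. Backup-SourceCA runs on the old CA, Restore-TargetCA on the
# new server after the backup folder has been copied to the same path there.
$BackupDir = 'C:\CABackup'
$RegKey    = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$RegFile   = Join-Path $BackupDir 'CertSvcConfig.reg'

function Backup-SourceCA {
    # certutil and reg.exe exist on every version in the chain, including 2008 R2.
    certutil -backupDB  $BackupDir      # CA database and logs
    certutil -backupKey $BackupDir      # CA certificate and private key (.p12); prompts for a password
    reg export $RegKey $RegFile /y      # CA configuration
    # The folder now contains the CA private key: limit access to administrators.
    icacls $BackupDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F'
}

function Restore-TargetCA {
    Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
    $p12 = Get-ChildItem $BackupDir -Filter *.p12 | Select-Object -First 1
    if (-not $p12) { throw "No .p12 key backup found in $BackupDir" }
    $caParams = @{
        CAType           = 'EnterpriseRootCA'   # assumption: match the source CA's type
        CertFile         = $p12.FullName        # reuse the existing CA certificate and key
        CertFilePassword = Read-Host 'Password of the .p12 backup' -AsSecureString
        Force            = $true
    }
    Install-AdcsCertificationAuthority @caParams

    Stop-Service certsvc
    certutil -f -restoreDB $BackupDir
    # Review the .reg file before importing if the host name or paths differ on the new server.
    reg import $RegFile
    Start-Service certsvc

    # A database from an incompatible version keeps the service from starting.
    if ((Get-Service certsvc).Status -ne 'Running') { throw 'certsvc did not start' }
    certutil -ping    # confirms the CA answers requests
}
```
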
  • Got it, Thanks!!

    Thursday, December 19, 2019 10:37 AM
  • Hi,
    You are welcome. I’m very glad that the information is helpful. 

    As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!

    Meanwhile, if my reply is helpful to you, we can mark it as the answer; it will be helpful for people who are looking for a similar question.

    Thank you very much! Have a nice day!




    Best Regards,
    Daisy Zhou


    Friday, December 20, 2019 1:26 AM