Active Directory Certificate Services issue during migration of a domain controller from Windows 2008 R2 to Windows Server 2019

  • Question

  • Hi,

    I have an issue with Active Directory Certificate Services while demoting the Windows 2008 R2 server.

    If I run dcpromo, I get the following message

    That means I have to remove the "Active Directory Certificate Services" first from Windows 2008 R2.

    I am sure all our certificates for the Exchange Server 2013, SCOM and SCCM servers are running on that machine.

    Here are my questions:

    1) Can I back up the certificate of the Windows 2008 R2 server and the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc, add the role "Active Directory Certificate Services" on the Windows Server 2019 and import the certificate, before removing the certificate from the DC with Windows 2008 R2?

    2) Could I add the role "Active Directory Certificate Services" on the Windows 2019 DC before backing up the Certificate Services or removing the Certificate Services? If yes, what happens?

    2) Could I have two Certificate Authorities at the same time on the DCs with Windows 2008 R2 and Windows 2019 Server?

    3) Or do I have to back up my Certificate Authority with the CertSvc registry key, then remove the role on the Windows 2008 R2 DC, then add the role "Active Directory Certificate Services" on the Windows 2019 DC and import from the backup I created before?

    That is very important for me because of the Exchange 2013 server.

    Regards

    Nick

    Tuesday, November 12, 2019 10:00 PM

All replies

  • Can I backup the certificate of the windows 2008 R2 and Registry

    You could do that relatively easily when the source and destination servers have the same name (i.e. back up the CA, remove the server from the domain, join the new server to the domain and restore from backup). If the source and destination server names differ, then you need to do additional steps to modify the configuration in the CA and DNS. Here is the migration procedure: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486797(v%3Dws.11)

    Could I have two Certificate Authority at the same time on the DCs Windows 2008 R2 and Windows 2019 server?

    Yes, as long as the CAs have different names (I mean the name that is shown in the certificate).

    and then add the role "Active Directory Certificate Services" on the DC

    The whole problem is that it is highly recommended to NOT install any other roles on a CA server, especially the domain controller role. These servers are changed often and easily migrated. Unfortunately, the CA service has a lot of various dependencies that make its migration an uneasy task.


    Vadims Podāns, aka Crypt32
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: ASN.1 Editor tool.

    Wednesday, November 13, 2019 7:43 AM
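
The "backup CA" step from the answer above, sketched as an added example (not part of the thread or of the linked Microsoft guide) using the built-in certutil.exe and reg.exe on the old enterprise CA. The backup path is a hypothetical value, and the final checks assume certutil's usual backup layout of a .p12 key file plus a DataBase folder.

```powershell
# Added example: source-side backup of the old CA before the ADCS role is removed.
# Run in an elevated PowerShell session on the old CA server (PowerShell 2.0 compatible).
$BackupDir = 'D:\CA-Migration'   # hypothetical path; use a new folder on protected storage

function Assert-LastExit([string]$Step) {
    if ($LASTEXITCODE -ne 0) { throw "$Step failed with exit code $LASTEXITCODE" }
}

if (Test-Path $BackupDir) { throw "$BackupDir already exists; use a fresh folder" }
New-Item -ItemType Directory -Path "$BackupDir\Backup" | Out-Null

# 1. Record the CA name as shown in issued certificates. The restore needs it,
#    and a second CA running in parallel must use a different name.
certutil.exe -cainfo name | Out-File "$BackupDir\ca-name.txt"
Assert-LastExit 'certutil -cainfo name'

# 2. Back up the CA database plus the CA certificate and private key.
#    certutil prompts for the password protecting the exported key file;
#    treat that file like the CA key itself (restricted ACL, offline copy).
certutil.exe -backup "$BackupDir\Backup"
Assert-LastExit 'certutil -backup'

# 3. Export the CertSvc registry key named in the question.
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc' "$BackupDir\CertSvc.reg"
Assert-LastExit 'reg export'

# 4. Save the list of templates this CA issues, so the same set can be
#    published again on the new CA after the restore.
certutil.exe -catemplates | Out-File "$BackupDir\ca-templates.txt"
Assert-LastExit 'certutil -catemplates'

# 5. Stop here if any artifact is missing or empty, before the role is removed.
$p12 = @(Get-ChildItem "$BackupDir\Backup" -Filter *.p12)
if ($p12.Count -lt 1) { throw 'no .p12 key file in the backup folder' }
if (-not (Test-Path "$BackupDir\Backup\DataBase" -PathType Container)) {
    throw 'database backup folder is missing'
}
foreach ($f in 'ca-name.txt', 'CertSvc.reg', 'ca-templates.txt') {
    if ((Get-Item "$BackupDir\$f").Length -eq 0) { throw "$f is empty" }
}
Write-Output "CA backup complete in $BackupDir"
```
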
  • Hi,

    Thanks for the reply.

    I will do the following steps:

    1) Back up the CA and registry on the Win 2008 R2 server (the server is called SRV)

    2) Remove the ADCS role from the Win 2008 R2 server (SRV)

        Here is my question: if I remove the ADCS role, what happens with the Exchange, SCCM and SCOM servers? Because at that time I don't have any CA until I add the ADCS role on the Win 2019 server.

    3) Demote the Win 2008 R2 DC (SRV)

    4) Remove the Win 2008 R2 server (SRV) from the domain

    5) Install a new Win 2019 server, join it to the domain and promote it

    5) Install the ADCS role on the Win 2019 server and import the CA

    How can I import the "Certificate Templates"? I can list them, but how do I import them to the Win 2019 server?

    Should I add or change anything in ADSIEdit for PKI?

    What about the Web Enrollment Service and double escaping? Is there any change here on the Win 2019 IIS?

    Do you know another link for the migration?



    • Edited by mpng2008 Wednesday, November 13, 2019 8:11 AM
    Wednesday, November 13, 2019 8:08 AM
  • Use the ADCS Migration Whitepaper I referenced in previous post. This whitepaper answers all your questions. You really should read it. There are no other links.

    Vadims Podāns, aka Crypt32

    Wednesday, November 13, 2019 9:01 AM
  • Hi,
    Thank you for posting in our TechNet forum.

    Does this question have any update, or is this issue solved? Also, is there any other assistance we could provide for the question?



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 15, 2019 4:07 AM
    Moderator
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!


    Best Regards,
    Daisy Zhou


    Monday, November 18, 2019 1:42 AM
    Moderator