Certificate Role Services Migration Question

  • Question

  • My experience with certificate services is extremely limited and I am currently attempting to plan a migration from 2008 R2 to 2016.  My setup currently consists of three servers.

    1. CER-01: Holds Certification Authority and Certification Authority Web Enrollment.
    2. CER-02: Holds Certification Authority, Certification Authority Web Enrollment, Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service.
    3. CER-03: Holds Network Device Enrollment Service.

    I did find the following article, which was a helpful read on migration.  However, it doesn't appear to cover a similar setup to what is currently in my environment.  This leaves me with the following questions.

    1. I am fairly confident that CER-02 is subordinate of CER-01.  When I look at the roles, I expand Active Directory Certificate Services -> Enterprise PKI and see my CER-01.  If I expand out that server, I see the second server.  Is there something I need to backup and then restore on that server?  Do I simply bring that server down and configure a new subordinate after backing up and restoring CER-01?
    2. Is there anything that I need to save or backup from CER-03 to get the Network device enrollment service up and running or do I just install the role on a new server and it's done?
    3. Are there any other tips/tricks to doing any of this?

    Thank you in advance for any assistance or information.

    Monday, 21 October 2019 15:21

All replies

  • The article you found is the best one for migrating the Active Directory Certificate Service; just follow it.

    About your questions:

    1. Do I simply bring that server down and configure a new subordinate after backing up and restoring CER-01?

    Yes, you do.

    2. Is there anything that I need to save or backup from CER-03?

    No, by default, Network Device Enrollment Service obtains its service certificates based on the CEP Encryption and Enrollment Agent (Offline) certificate templates. These templates do not allow the export of private keys by default, so you will be unable to back up the certificate with its private key by default. If you have a need to recover NDES, you can reinstall the service or install NDES on another computer.

    3. Are there any other tips/tricks to doing any of this?

    No, the article has told enough.

    An older one, same content, but you could check the comments below; they are meaningful.

    https://blogs.technet.microsoft.com/canitpro/2014/11/11/step-by-step-migrating-the-active-directory-certificate-service-from-windows-server-2003-to-2012-r2/

    Regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, 22 October 2019 02:11
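The checks and the backup step the reply leans on, written out as an added PowerShell example (not code from the thread or from the linked article). It is meant to run in an elevated session on the 2008 R2 CA being migrated; the backup path `C:\CABackup`, the function names, and the template `cn` values `CEPEncryption` and `EnrollmentAgentOffline` (assumed to be the AD names of the "CEP Encryption" and "Enrollment Agent (Offline)" templates the reply mentions) are assumptions. The restore onto the new server follows the linked article and is not covered here.

```powershell
# Added example: pre-migration checks and backup for an AD CS CA.
# Run elevated on the CA. Paths and template cn values are assumptions.

$BackupDir = 'C:\CABackup'   # assumed backup location

# 1. Which CA is this, and is it a root or a subordinate (question 1)?
function Get-CaRoleInfo {
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg).Active
    $caType = (Get-ItemProperty -Path (Join-Path $cfg $caName)).CAType
    # CAType: 0 Enterprise Root, 1 Enterprise Subordinate,
    #         3 Standalone Root, 4 Standalone Subordinate
    $typeName = switch ($caType) {
        0 { 'Enterprise Root' }
        1 { 'Enterprise Subordinate' }
        3 { 'Standalone Root' }
        4 { 'Standalone Subordinate' }
        default { "Unknown ($caType)" }
    }
    # Export the CA certificate and compare Subject with Issuer: a root CA is
    # self-issued, a subordinate names its parent CA (e.g. CER-01) as issuer.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $cerPath = Join-Path $BackupDir 'ca-cert.cer'
    certutil -ca.cert $cerPath | Out-Null
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
    [pscustomobject]@{
        CAName        = $caName
        CAType        = $typeName
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        IsSubordinate = ($cert.Subject -ne $cert.Issuer)
    }
}

# 2. Back up what the migration relies on: CA database, logs and the CA
#    certificate with its private key (password-protected), plus the CertSvc
#    registry configuration and the list of templates this CA publishes.
function Backup-CaForMigration {
    param([Parameter(Mandatory)][string]$Password)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # certutil wants a fresh (or empty) target directory for the backup set.
    $caDir = Join-Path $BackupDir 'CA'
    certutil -p $Password -backup $caDir
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
        (Join-Path $BackupDir 'CertSvc-Configuration.reg') /y
    certutil -catemplates | Out-File (Join-Path $BackupDir 'templates.txt')
    Get-ChildItem -Path $BackupDir -Recurse -File | Select-Object FullName, Length
}

# 3. NDES (question 2): confirm that its templates do not permit private-key
#    export, i.e. there is nothing to carry over and NDES is simply reinstalled.
#    Needs the ActiveDirectory module (RSAT). Template cn values are assumptions.
function Test-NdesTemplateKeyExportable {
    Import-Module ActiveDirectory
    $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext
    foreach ($cn in 'CEPEncryption', 'EnrollmentAgentOffline') {
        $t = Get-ADObject -Filter "cn -eq '$cn'" -SearchBase $base `
                          -Properties 'msPKI-Private-Key-Flag'
        if (-not $t) { Write-Warning "Template $cn not found"; continue }
        $flags = [int]$t.'msPKI-Private-Key-Flag'
        [pscustomobject]@{
            Template      = $cn
            KeyExportable = (($flags -band 0x10) -ne 0)   # CT_FLAG_EXPORTABLE_KEY
        }
    }
}

# Usage
Get-CaRoleInfo | Format-List
Backup-CaForMigration -Password (Read-Host 'Backup password')
Test-NdesTemplateKeyExportable | Format-Table -AutoSize
```

Run step 1 on both CER-01 and CER-02: the one reporting `IsSubordinate = False` is the root, and the subordinate's `Issuer` should match the root's `Subject`. Step 2 produces the backup set the linked article restores on the new server; keep the password with the backup, since the private key is unusable without it. Step 3 is expected to report `KeyExportable = False` for both templates, which is why the reply recommends reinstalling NDES rather than migrating it.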