ADCS Migration from 2008R2 to 2019

  • Question

  • Hello,

    I have a task to perform an ADCS migration from Windows 2008R2 to Windows 2019. I have gone through some migration strategy articles; however, I would like to inquire about the strategy that would suit my environment, as below:

    The current architecture is as below:

    1. One Offline Root CA (not joined to domain)

    2. 4 Intermediate CA (joined domain)

    Since there are many clients relying on the certificates which were rolled out, are we able to migrate all the servers from Windows 2008 R2 to Windows 2019 without the need to reissue the certs to the clients? There are tons of web apps and services which rely on the certificates.

    I would like to have this deployment in order so that there will not be certificate issues where the chains are broken. The objectives are as below:

    1. CA name will be the same

    2. IP address of the CA server will be different

    3. Hostname of the CA server will be different.

    I have read that the CA name must be the same when performing a migration. I would like to know the correct flow to carry out this task. Some clarification is needed, such as which one to start with first: the offline root CA or the intermediate CA servers?

    Thank You

    Regards,

    Surnder

    Monday, July 20, 2020 9:11 AM

All replies

  • Hi,

    Since your primary objective is not to have to reissue certificates, you need to migrate the CAs but keep the CAs' identities (in terms of their respective CA certificates and chains). The easiest way to accomplish this is, of course, an in-place upgrade (this is by no means a recommendation, just acknowledging a fact ;-) ). The other objective (host name changes) will not be reached by this method.

    Now from Microsoft's official standpoint, renaming a machine hosting a CA is not supported, no matter if an OS upgrade is involved in the process. However, this can be done, and the steps involved are relatively straightforward. You need to make sure that every device that needs to validate certificates will get at the CRLs via the old URLs, since they are stored in the certs themselves. For OCSP, it's obviously easy. For HTTP CDPs, it's straightforward, especially if they point to a common namespace and not to the CA machine. This takes care of the root CA. The enterprise subordinate may have an LDAP CDP, where you will have to give the new machine permissions to write to the old path (in the forest's configuration partition).

    Most PKI upgrades begin with the root, but in your case it doesn't really matter, as long as you don't have any other objectives you forgot to mention, like upgrading from SHA-1 to SHA-2 or changing the key length in the process ;-)


    Evgenij Smirnov

    http://evgenij.smirnov.de

    Monday, July 20, 2020 10:16 PM
  • Hello,
    Thank you for posting here.

    We can migrate starting from the root CA, as when creating a new two-tier CA. That is, migrate the root CA first, and then migrate the sub-CA.

    Considerations for migrating a CA to a new machine:

    1. When migrating a CA, the computer name of the target computer may be different from the computer name of the source computer, but the CA name must remain unchanged.

    2. By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions, including the CA machine host name in the path. This means that any certificate issued by the CA prior to migration may contain a certificate verification path that contains the old host name. These paths may no longer be valid after migration. To avoid revocation checking errors, the new CA must be configured to publish the CRL to the old (pre-migration) path as well as the new path.

    3. During the installation process, we must choose to use the CA's existing certificate and private key instead of creating a new CA certificate and key.


    For more information about CA migration steps, we can refer to the link below.
    Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019
    https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

    Performing the Upgrade or Migration
    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)

    AD CS Migration: Migrating the Certification Authority
    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee126140(v=ws.10)#BKMK_GrantPermsAIA


    This "Migration" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details. 


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    "Migration" forum will be migrating to a new home on Microsoft Q&A!

    We invite you to post new questions in the "Migration"  forum's new home on Microsoft Q&A!

    For more information, please refer to the sticky post.
    Tuesday, July 21, 2020 2:47 AM
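    Both replies above make the same point: the CDP and AIA URLs are baked into already-issued certificates, so the migrated CAs must keep publishing to the old paths. The following PowerShell is an added example, not code from the thread or from Microsoft's migration guide; it inventories those URLs from the certificates in a local store (assumed `Cert:\LocalMachine\My`, adjust as needed) and checks that each HTTP CRL is still reachable and not expired, which also covers the "CDP expired" warning from PKIView later in the thread. LDAP CDPs are listed but not fetched.

```powershell
# Added example (not from the thread). Inventory the CDP/AIA URLs embedded in
# issued certificates and verify that every HTTP CRL is still served and current.
function Get-PkiUrlsFromStore {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # assumed store; change as needed
    $urls = @{}
    foreach ($cert in Get-ChildItem $StorePath) {
        # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
        $exts = $cert.Extensions | Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' }
        foreach ($ext in $exts) {
            # Format($true) renders each location as a "URL=<value>" line
            foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
                $urls[$m.Groups[1].Value] = $cert.Subject
            }
        }
    }
    return $urls
}

function Test-CrlUrl {
    param([string]$Url)
    $tmp = Join-Path $env:TEMP 'migration-check.crl'
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Url = $Url; Status = 'UNREACHABLE'; NextUpdate = $null }
    }
    # certutil -dump prints a "NextUpdate:" line for a CRL, in the current culture's date format
    $line = certutil -dump $tmp | Select-String 'NextUpdate:'
    if (-not $line) {
        return [pscustomobject]@{ Url = $Url; Status = 'NOT A CRL'; NextUpdate = $null }
    }
    $next   = [datetime]::Parse(($line.Line -split 'NextUpdate:\s*')[1].Trim())
    $status = if ($next -lt (Get-Date)) { 'EXPIRED' } else { 'OK' }
    return [pscustomobject]@{ Url = $Url; Status = $status; NextUpdate = $next }
}

$inventory = Get-PkiUrlsFromStore
"Every URL the migrated CAs must keep serving:"
$inventory.Keys | Sort-Object
"HTTP hosts that must still resolve after the hostname change:"
$inventory.Keys | Where-Object { $_ -match '^https?://' } |
    ForEach-Object { ([uri]$_).Host } | Sort-Object -Unique
"CRL status per HTTP distribution point:"
$inventory.Keys | Where-Object { $_ -match '^https?://.*\.crl$' } |
    ForEach-Object { Test-CrlUrl $_ } | Format-Table -AutoSize
```

    Any path this inventory lists must be present in the new CA's CRLPublicationURLs (set with `certutil -setreg CA\CRLPublicationURLs`, using the `1:` prefix so the CA publishes to it) alongside the new path, which is the "old path as well as the new path" requirement from point 2.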
  • Hi,
    Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?

    Best Regards,
    Daisy Zhou

    Friday, July 24, 2020 5:44 AM
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!

    Best Regards,
    Daisy Zhou

    Monday, July 27, 2020 3:16 AM
  • Hi Daisy,

    Thank you.

    As per my reading as well, it is suggested to migrate the root CA first, which you are recommending as well. I am about to do that this week and would like to know the details.

    1. Since the root CA is not joined to the domain, and as a backup, I would like to retain the old root CA just in case the migration has issues. If the migration is successful, then I will decommission the old root CA server. The new root CA will have a new hostname and IP address, but the CA name will be the same.

    2. Another question will be, since there are phases involved in the migration, whereby the current root CA and the intermediate CAs are on Windows 2008R2: since we are going to start over with the root CA first, will there be any issues if the new root CA is migrated to Windows 2019 and the existing intermediate CAs are on 2008R2? After the root CA is done, we will be moving to the intermediates, where during the transition period of the migration the CAs will coexist on Windows 2019 and Windows 2008R2. Will it cause any issues?

    3. I believe there is minimal impact on the root CA and it will not cause any downtime for the clients, since the clients are connected to the intermediate CAs and not the root CA directly. Once the root CA is migrated to Windows 2019, should we log in to all the intermediate CAs to tell them, or change some setting to inform the intermediate CAs, that the root CA has been changed? Will it break the chain of trust?

    Thank You

    Peter

    Sunday, August 2, 2020 3:22 PM
  • Hi Daisy,

    By the way, I can see some errors on the existing one, as per the pictures. It states that the CDP is expired. Can we renew it before the migration?

    Peter

    Sunday, August 2, 2020 3:24 PM
  • Hi Peter,

    Yes, we should/had better fix all the errors before migration.

    Republish the CRL and then refresh the PKIview.msc page above to see if there is any error.


    We can retain the root CA and sub CA after the migration.
    We had better migrate CA during downtime.
    We had better migrate CA in test lab first.



    Best Regards,
    Daisy Zhou


    Monday, August 3, 2020 8:53 AM