Redeploy CA

  • Question

  • Hi 

    I backed up the CA that was installed on our DC 2008r2 box. I successfully migrated the FSMO roles and migrated DHCP, demoted all 4 of our 2008R2 domain controllers and now have 4 x 2019 domain controllers.

    I am now trying to reinstall the CA on a new Win 2019 box solely for the CA, but I am receiving the following error. At the minute I am practicing this part in a lab, not in the production environment. Is this the problem? Should I just do this in the production environment?

     

    Ran the following cmd: certutil -getreg CA\CRLPublicationURLscer

    John



    • Edited by jbcom41 Friday, June 26, 2020 1:23 PM
    Friday, June 26, 2020 1:19 PM

Answers

  • "In the Lab managed to restore the CA following the instructions from"

    We support only the official migration process, which is described in the Active Directory Certificate Services Migration Guide. If you follow other articles, then you may need to contact the corresponding article's author for further assistance.

    I've migrated ADCS using the official guide multiple times and can confirm that it is correct if you follow it correctly.

    "some resources are stating you have to go from 2008R2 CA > 212CA then to 2019 CA??"

    It is an OS in-place upgrade support restriction. If you do an in-place OS upgrade, then you have to follow this path. The CA role alone can be directly migrated from Windows Server 2008 R2 to Windows Server 2019.


    Vadims Podāns, aka Crypt32
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: ASN.1 Editor tool.

    Sunday, June 28, 2020 7:57 PM

All replies

  • "CRLPublicationURLscer" isn't a valid configuration property. The valid one is "CRLPublicationURLs". But in any case, it seems that you migrated the CA incorrectly.

    Vadims Podāns, aka Crypt32

    Friday, June 26, 2020 6:20 PM
  • The command is wrong. Maybe you mean: certutil -getreg CA\CRLPublicationURLs
    But I don't know why you need this for redeploying.

    Write down the steps you are planning in detail and then you can be helped better.

    How exactly did you back up your CA before? Cert + private key + db + registry + CAPolicy.inf?

    Best regards,

    Jochen

    Friday, June 26, 2020 6:27 PM
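
One way to capture the components listed in the reply above and confirm each one landed on disk, as an added example (not from the thread and not taken from the migration guide). The backup directory and the .reg file name are assumptions; run it elevated on the source CA.

```powershell
#Requires -RunAsAdministrator
# Added example: back up certificate + private key, database, registry and
# CAPolicy.inf, then report which components are present in the backup folder.
param(
    [string]$BackupDir = 'D:\CABackup'   # assumed destination, change as needed
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# CA certificate + private key (<CAName>.p12) and the database (DataBase\ subfolder).
# Backup-CARoleService ships with the ADCSAdministration module (Server 2012 and later);
# on older hosts "certutil -backup <dir>" produces the same layout.
$pw = Read-Host -AsSecureString -Prompt 'Password protecting the exported private key'
Backup-CARoleService -Path $BackupDir -Password $pw

# Registry configuration of the CA service.
$regFile = Join-Path $BackupDir 'CertSvc-Configuration.reg'   # assumed file name
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y |
    Out-Null

# CAPolicy.inf is optional: a CA installed without one has no file to copy.
$policy = Join-Path $env:windir 'CAPolicy.inf'
if (Test-Path $policy) { Copy-Item $policy -Destination $BackupDir -Force }

# Verify each component exists and is non-empty before touching the old server.
$dbDir = Join-Path $BackupDir 'DataBase'
$components = [ordered]@{
    'Cert + private key (.p12)' = Get-ChildItem $BackupDir -Filter *.p12
    'Database (.edb)'           = Get-ChildItem $dbDir -Filter *.edb -ErrorAction SilentlyContinue
    'Database logs (.log)'      = Get-ChildItem $dbDir -Filter *.log -ErrorAction SilentlyContinue
    'Registry export (.reg)'    = Get-Item $regFile -ErrorAction SilentlyContinue
    'CAPolicy.inf (optional)'   = Get-Item (Join-Path $BackupDir 'CAPolicy.inf') -ErrorAction SilentlyContinue
}
$report = foreach ($name in $components.Keys) {
    $files = @($components[$name] | Where-Object { $_.Length -gt 0 })
    [pscustomobject]@{
        Component = $name
        Present   = $files.Count -gt 0
        Files     = ($files.Name -join ', ')
    }
}
$report | Format-Table -AutoSize

# Anything other than the optional CAPolicy.inf missing means the backup is incomplete.
$missing = $report | Where-Object { -not $_.Present -and $_.Component -notlike '*optional*' }
if ($missing) { Write-Warning "Incomplete backup: $($missing.Component -join '; ')" }
```

The .p12 file contains the CA private key, so the backup folder should be stored and transferred with the same protection as the CA itself.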
  • Hi 

    I backed up the Cert + Privatekey + Reg files, see images below. I will try again in a lab environment before I do it in the production environment.

    I did not back up the CAPolicy.inf file but I can get this, as I have a backup copy of the old DC before I decommissioned it. 

    Do I need the CAPolicy from the old CA Server??

    I did notice that the old CA was only handing out certificates to only the 4 old DCs and the initial first new DC - was thinking if this is the case and the 4 DCs are now defunct can I just install a new CA from fresh? 






    • Edited by jbcom41 Saturday, June 27, 2020 12:25 PM
    Saturday, June 27, 2020 11:39 AM
  • Hi

    Can't seem to locate the C:\Windows\CAPolicy.inf on the old CA ?? 


    Sunday, June 28, 2020 10:03 AM
  • Hi 

    In the Lab managed to restore the CA following the instructions from

    https://kevinstreet.co.uk/category/certificate-authority/

    But when trying to restart the CA I receive the following error message -  File not found 0xc8000713 (ESE:-1811 JET_errFileNotFound)

    Any ideas, some resources are stating you have to go from 2008R2 CA > 212CA then to 2019 CA?? but conflicting information online?? 

    Any information would be greatly appreciated?? 

    Kind Regards

    John 






    • Edited by jbcom41 Sunday, June 28, 2020 1:09 PM
    Sunday, June 28, 2020 11:54 AM
  • Hi,
    Thanks Vadims for the advice!

    Just want to confirm the current situation.
    If there's anything you'd like to know, don't hesitate to ask.

    Best Regards,
    Fan

    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, June 29, 2020 5:38 AM
  • Hi

    As this thread has been quiet for a while, we will propose it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up.

    Again thanks for your time and have a nice day!

    Fan



    Wednesday, July 1, 2020 7:51 AM