
Aug 28

Migrate AD CS from Windows 2008 to Windows 2012 – Enterprise PKI

You probably have read through a bunch of articles on how this can be done and I hope ended up thinking that “The Microsoft Way” ( http://technet.microsoft.com/en-us/library/ee126170(v=ws.10).aspx ) is probably best.

Well, in a way it is, but I had success doing only some of the steps in the migration guide. I cannot guarantee this will work for you, but this solution did not cause any downtime and the new CA started issuing certificates immediately.

Here is my way:

I had a single forest, single domain with an Enterprise PKI deployed on a domain controller (OldCA) running Windows 2008. The domain level is also Windows 2008.
This DC had to be demoted and removed because it was running on old hardware. At the same time we planned to upgrade all DCs to Windows 2012.
The OldCA autoenrolled computer certificates to all computers and had issued certificates to several servers, the most critical being the Lync 2010 environment.

I wanted to migrate the Root CA (OldCA) to a new Domain Controller running Windows 2012 (NewCA). I did not want to use the same server name on the NewCA as the OldCA had (this is not recommended by Microsoft, and I struggled to find articles confirming that this was possible).

First I used some of the steps from the Microsoft guide to back up the configuration of the OldCA:
(detailed info about the steps: http://technet.microsoft.com/en-us/library/31eca881-0744-447a-ae7a-597310b9d9bf(v=ws.10)#BKMK_BackupSource )

1. Publish a CRL with an extended validity period – right-click “Revoked Certificates” to check the period. (To publish a new CRL, right-click and choose All Tasks –> Publish.)

2. Back up the CA database.

3. Copy the backup and the certificate file to the new server (and the registry export if you do step 4).

4. (optional) Export the registry settings from
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration – right-click “Configuration” and choose “Export”. (I do this in case I have to restore everything back on the OldCA if the migration does not succeed.)

Then, install Active Directory Certificate Services on the NewCA. (Before you do this, make sure you have installed critical updates.)

1. From Server Manager –> Add roles and services.

When the install is finished, click “Configure Active Directory on the destination server”.


Configure AD CS 

UPDATE: Although it is possible to just stop Certificate Services on the OldCA, I recommend that you uninstall it. Then you won't get any trouble with demoting the OldCA (if it is a DC).

1. Before you proceed with the configuration, stop and disable the Certificate Services service on the OldCA.

2. Proceed with the configuration.

NB! Use an AD account with “Enterprise Admin” rights.

When finished, check that AD CS is OK by opening the “Certification Authority” tool.

As you can see, the NewCA is up with the same CA name as the OldCA, but it has a different server name (distinguished name) in AD.

To make sure it can issue certificates, you can log on to a computer in the domain and use the “Certificates” snap-in in MMC to request a new certificate or renew an already issued certificate.

I did not restore the database from the OldCA onto the NewCA, which means that you can't see which certificates were issued by the OldCA. I will try to do a restore in my lab environment to see if it is possible.
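The steps above collected into one PowerShell script, as an added example rather than the author's own commands. The CA name “Contoso-CA”, the backup folder C:\CABackup (copied to the same path on the NewCA) and the export password are assumed placeholders; part 1 runs on the OldCA, part 2 on the NewCA, part 3 on any domain member.

```powershell
# Added example, not from the original post. Assumed values: CA common name "Contoso-CA",
# backup folder C:\CABackup (copied to the same path on the NewCA), key-export password.
$CaName   = 'Contoso-CA'
$Backup   = 'C:\CABackup'
$Password = 'ChangeMe!'

# --- Part 1: run on the OldCA (Windows 2008) before touching the new server ---
function Backup-OldCa {
    New-Item -ItemType Directory -Path $Backup -Force | Out-Null

    # Step 1: extend the base CRL validity (here 2 months) and publish a fresh CRL so
    # certificates issued by the OldCA keep validating while the CA is being moved.
    certutil -setreg CA\CRLPeriodUnits 2
    certutil -setreg CA\CRLPeriod "Months"
    Restart-Service CertSvc          # registry values are read when the service starts
    certutil -crl

    # Step 2: back up the CA database plus the CA certificate and private key ($CaName.p12).
    certutil -p $Password -backup $Backup

    # Step 4 (optional): export the CertSvc configuration so the OldCA can be rolled back.
    reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "$Backup\CertSvc-Configuration.reg" /y

    # Stop and disable Certificate Services so only one CA with this name is active.
    Stop-Service CertSvc
    Set-Service CertSvc -StartupType Disabled
}

# --- Part 2: run on the NewCA (Windows 2012) after step 3 (copying $Backup across) ---
function Install-NewCa {
    Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

    # Reuse the OldCA's certificate and key: the CA name stays, only the host name changes.
    $secure = ConvertTo-SecureString $Password -AsPlainText -Force
    Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
        -CertFile "$Backup\$CaName.p12" -CertFilePassword $secure -Force
}

# --- Part 3: run on any domain member to verify the move ---
function Test-NewCa {
    param([string]$NewHost)           # host name of the NewCA (assumed parameter)
    # The CA must answer under its new host name with the old CA name.
    certutil -config "$NewHost\$CaName" -ping
    # Trigger autoenrollment now instead of waiting for the next scheduled run.
    certutil -pulse
}
```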

Good luck with your migration ! 🙂

UPDATE:
I tried the restore procedure from the MS guide and it worked fine in my lab. But I have not tried this in a live environment; if I do, I will update this article.

Also remember to “Reenroll All Certificate Holders” on the templates, especially the computer certificate. (When you move a CA the CRL location will also change, and holders of certificates from the OldCA can't find the CRL, because they don't ask AD where the CA is; they only use the information from the issued certificate.)