Migrating a two-tier Active Directory Certificate Services (ADCS) architecture from Windows Server 2012 R2 to Windows Server 2019 can be a complex process. The following high-level guide will help you get started:
Prerequisites:
- A Windows Server 2019 machine with the necessary resources (CPU, RAM, and disk space) to accommodate the ADCS role and features.
- A backup of the existing ADCS infrastructure, including the Certificate Authority (CA) private key, the CA database, and any existing certificates.
- A clean installation of Windows Server 2019 with the latest updates.

Step-by-Step Guide:
1. Verify that the domain functional level of your Active Directory domain is at least Windows Server 2012 R2.
2. Install the ADCS role on the Windows Server 2019 machine.
3. Copy the backup files from the previous ADCS infrastructure to the new Windows Server 2019 machine. This includes the CA private key, the CA database, and any existing certificates.
4. Install the same Certificate Authority role on the Windows Server 2019 machine as on the previous server.
5. Restore the CA database and private key from the backup.
6. Verify that the Certificate Authority is functional by issuing test certificates.
7. Configure the new Windows Server 2019 ADCS infrastructure to use the same Certificate Revocation List (CRL) distribution points and Authority Information Access (AIA) URLs as the previous infrastructure.
8. Configure the new Windows Server 2019 ADCS infrastructure to use the same Certificate Templates as the previous infrastructure.
9. Update the CRL and AIA distribution points for each certificate template.
10. Verify that the new ADCS infrastructure is functioning correctly by issuing test certificates and verifying the CRL and AIA distribution points.

This is a high-level guide, and additional steps may be required depending on your specific environment and needs. Review Microsoft's documentation and best practices before proceeding with the migration.
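
The backup, restore and verification steps above as PowerShell, for a single CA; this is an added example, not part of the original guide. The `D:\CABackup` path, the `EnterpriseSubordinateCA` type and the function names are assumptions, and the CA is assumed to keep the same name on the new server.

```powershell
# Added example; D:\CABackup, the CA type and the function names are assumptions.
$BackupPath = 'D:\CABackup'   # placeholder; copy this folder to the new server
$Keys = 'CRLPublicationURLs', 'CACertPublicationURLs'   # CDP and AIA settings

# Run on the existing Windows Server 2012 R2 CA.
function Export-CAState {
    $pw = Read-Host -AsSecureString 'Password for the CA key backup'
    Backup-CARoleService -Path $BackupPath -Password $pw   # database + key (.p12)
    # CDP/AIA URLs live in the registry, which the backup above does not contain.
    foreach ($k in $Keys) { certutil -getreg "CA\$k" | Set-Content "$BackupPath\$k-old.txt" }
    certutil -f -ca.cert "$BackupPath\ca-old.cer" | Out-Null   # CA certificate
}

# Run on the new Windows Server 2019 machine after copying $BackupPath to it.
function Restore-CAState {
    $pw = Read-Host -AsSecureString 'Password for the CA key backup'
    Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
    $p12 = Get-ChildItem $BackupPath -Filter *.p12 | Select-Object -First 1
    # -CAType must match the old CA; EnterpriseSubordinateCA is an assumption.
    Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
        -CertFile $p12.FullName -CertFilePassword $pw -Force
    Stop-Service certsvc
    Restore-CARoleService -Path $BackupPath -DatabaseOnly -Force
    Start-Service certsvc
}

# Run on the new server: confirm the CA identity and CDP/AIA settings carried over.
function Test-CAState {
    certutil -f -ca.cert "$BackupPath\ca-new.cer" | Out-Null
    $old, $new = 'ca-old.cer', 'ca-new.cer' | ForEach-Object {
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$BackupPath\$_").Thumbprint
    }
    if ($old -ne $new) { throw "CA certificate changed: $old -> $new" }
    foreach ($k in $Keys) {
        $diff = Compare-Object (Get-Content "$BackupPath\$k-old.txt") (certutil -getreg "CA\$k")
        if ($diff) { Write-Warning "$k differs from the old CA; fix before issuing" }
    }
    certutil -CRL   # publish a fresh CRL from the restored CA
}
```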