Migrating AD CS to an older version of Windows

Tommy Az 20 Reputation points
2023-11-24T11:43:09.1233333+00:00

Is it possible to migrate an Enterprise CA from a Windows Server 2016 to e.g. a Windows Server 2012 R2?

Been trying to do this but starting the CA service on the older Windows fails with "Version of log file is not compatible with Jet version 0x0 (WIN32: 0)".

Apparently the ESE/Jet DB engine on 2012 R2 cannot read the newer DB format?

Active Directory

Accepted answer
  1. チャブーン 786 Reputation points MVP
    2023-11-24T12:26:36.5033333+00:00

    Hi, Tommy Az

    This is Chaboon.

    I don't think there is a way to migrate the AD CS database to a previous version.

    There is no description of the migration path from later to previous in the article below.

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486797(v=ws.11)#supported-operating-systems

    I strongly recommend that you upgrade your AD CS destination server to Windows Server 2016.

    Otherwise, you will need to migrate only the AD CS root certificate. In that case, all issued certificates would have to be destroyed and reissued.

    1 person found this answer helpful.

1 additional answer

  1. Daisy Zhou 21,201 Reputation points Microsoft Vendor
    2023-11-27T07:08:47.6733333+00:00

    Hello Tommy Az,

    Thank you for posting in the Q&A forum.

    We cannot migrate AD Certificate Services from Windows Server 2008 to Windows Server 2016, because the JET database engine changed so much between the two versions that if we restore the backup we get a JET version error at startup and the CA won't start. So we cannot migrate ADCS from Windows Server 2016 to Windows Server 2008.

    If you cannot migrate AD CS from 2016 to 2012 R2 in your lab or in your production environment, maybe it is.

    https://social.technet.microsoft.com/wiki/contents/articles/37373.migrating-ad-certificate-services-from-windows-server-2008-to-windows-server-2016.aspx

    We all migrate AD CS from a lower version to a higher version, but why did you want to migrate AD CS to an older version from a higher version?

    Check if you select SHA1 (or SHA256) during migration on both the lower version and the higher version.

    Check if you select CSP (or KSP) during migration on both the lower version and the higher version.

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn771627(v=ws.11)?redirectedfrom=MSDN

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    1 person found this answer helpful.
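The hash algorithm and CSP/KSP checks suggested in the answer above can be read from the CA's registry configuration on each server and compared. This is an added example, not part of either answer or of Microsoft's migration guide; the function name `Get-CaCryptoConfig` is hypothetical, and the script assumes the standard `CertSvc\Configuration` registry layout of an installed CA.

```powershell
# Added example: report the provider (CSP or KSP) and hash algorithm configured
# for the active CA. Run in an elevated session on the source CA and on the
# destination CA, then compare the two results.
function Get-CaCryptoConfig {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path -LiteralPath $base)) {
        throw 'CertSvc\Configuration not found: no CA is configured on this machine.'
    }

    # The "Active" value holds the name of the CA this service instance runs.
    $caName = (Get-ItemProperty -LiteralPath $base).Active
    if (-not $caName) { throw 'No active CA name is set under CertSvc\Configuration.' }

    $csp = Get-ItemProperty -LiteralPath (Join-Path $base "$caName\CSP")

    # ProviderType is 0 for a CNG key storage provider (KSP) and nonzero
    # (for example 1 = PROV_RSA_FULL) for a legacy CryptoAPI CSP.
    $kind = if ([int]$csp.ProviderType -eq 0) { 'KSP (CNG)' } else { 'CSP (CryptoAPI)' }

    # Legacy CSPs store the hash as a CryptoAPI ALG_ID; KSPs also store its name.
    $algIds = @{ 0x8003 = 'MD5'; 0x8004 = 'SHA1'; 0x800C = 'SHA256'
                 0x800D = 'SHA384'; 0x800E = 'SHA512' }
    $algId   = [int]$csp.HashAlgorithm
    $algName = if ($csp.CNGHashAlgorithm) { $csp.CNGHashAlgorithm }
               elseif ($algIds.ContainsKey($algId)) { $algIds[$algId] }
               else { 'unknown' }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        OSVersion     = [System.Environment]::OSVersion.Version.ToString()
        CAName        = $caName
        Provider      = $csp.Provider
        ProviderKind  = $kind
        HashAlgorithm = $algName
        HashAlgId     = ('0x{0:X}' -f $algId)
    }
}

Get-CaCryptoConfig | Format-List
```

The same values are shown by `certutil -getreg ca\csp`. Matching provider and hash settings do not address the "Version of log file is not compatible" error from the question, which comes from the database engine rather than from the cryptographic configuration.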