Active Directory Certificate Services - 2012 R2 needs to be moved to 2019

TechUser2020-6505 256 Reputation points
2023-12-27T11:20:32.8533333+00:00

Hello,

We currently have a 2 tier PKI system (offline root with an enterprise issuing CA) issuing certificates for our organisation. We heavily use computer certificates for DirectAccess, secure LDAP and other services.

Our current CAs are running Windows 2012 R2. I'd like to move certificate services away from 2012 R2 and use Windows 2022. I've read some posts about migrating AD Certificate Services (ADCS) from older to newer operating systems, however I don't think I need to do this as I'd like to run 2 ADCS instances side by side (old and new) whilst I transfer the certificate templates and issuing from the old CA to the new. I have a few questions:

  1. Are there any issues with running 2 instances of ADCS in the same AD?
  2. Given we use autoenrolled computer certificates, can I just update my group policies to use the new CA?

My plan is to deploy the new CA using something similar to the post below. Then to disable the old certificate templates and enable the new ones (so that certs can only be issued from 2022).

https://www.informaticar.net/implementing-two-tier-pki-on-windows-server-2022-part-1/

Is there much of an advantage (other than saving a bit of configuration time) with doing a migration using the backup and restore settings for ADCS?
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

Thanks


2 answers

  1. Thameur-BOURBITA 36,266 Reputation points Moderator
    2023-12-27T12:15:49.8933333+00:00

    Hi @TechUser2020-6505

    1. Are there any issues with running 2 instances of ADCS in the same AD?
       No, it's possible, as mentioned in the following link: AD CS (PKI) – Multiple PKI on a same forest?
    2. Given we use autoenrolled computer certificates, can I just update my group policies to use the new CA?
       Nothing to do on GPO settings.
       For the switch, you should configure all existing templates to be published by the new CA and remove them from the old one before uninstalling the old CA.
       I invite you to read this article talking about how you can deploy two CAs in the same forest:

    AD CS (PKI) – Multiple PKI on a same forest?

    3. Is there much of an advantage (other than saving a bit of configuration time) with doing a migration using the backup and restore settings for ADCS?
       https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

    I think the advantage of choosing to keep the same CA name is:

    -> Keep the same IP and use the same flows that are already open between the CA and the clients.

    -> Keep the old certificates already issued by the old CA. Another old certificate

    Please don't forget to accept the helpful answer.


  2. Anonymous
    2023-12-29T03:14:55.7666667+00:00

    Hello TechUser2020-6505,

    Thank you for posting in Q&A forum.

    1. Are there any issues with running 2 instances of ADCS in the same AD?
    A: No, you can deploy more than one PKI structure in one domain or forest.

    2. Given we use autoenrolled computer certificates, can I just update my group policies to use the new CA?

    A: For certificate autoenrollment, you should configure the GPO and set Autoenroll permissions on the certificate template. If you have already configured the GPO for the computers, you only need to set Autoenroll permissions on the certificate template's Security tab.

    3. Is there much of an advantage (other than saving a bit of configuration time) with doing a migration using the backup and restore settings for ADCS?
    A: You can also keep the same configuration (such as the CA name and the AIA and CDP information) if you need to. Certificates are then issued under the same CA name.

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

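Both answers come down to the same cutover check: every template the old CA publishes must be published on the new CA (and carry Autoenroll permissions) before it is removed from the old one. The following PowerShell script is an added example, not code from the thread or from Microsoft; it reads the two CAs' pKIEnrollmentService objects from the Configuration partition and reports which templates still exist only on the old CA, and who holds the Autoenroll right on the ones already on both. The CA common names are assumed placeholders.

```powershell
# Added example, not from the thread. Reads the pKIEnrollmentService objects
# in the Configuration partition to show which templates each issuing CA
# publishes, so templates can be published on the new CA before they are
# removed from the old one. Needs the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$OldCaName = 'CORP-ISSUING-CA-2012'   # assumed placeholder: CA common name of the 2012 R2 CA
$NewCaName = 'CORP-ISSUING-CA-2022'   # assumed placeholder: CA common name of the new CA
# Rights GUID of the Certificate-AutoEnrollment extended right in the AD schema
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$configNC = (Get-ADRootDSE).configurationNamingContext
$esBase   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$tplBase  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

function Get-PublishedTemplates {
    param([string]$CaName)
    $ca = Get-ADObject -SearchBase $esBase -Properties certificateTemplates, dNSHostName `
            -Filter "objectClass -eq 'pKIEnrollmentService' -and cn -eq '$CaName'"
    if (-not $ca) { throw "Enrollment Services object for '$CaName' not found" }
    [pscustomobject]@{ Name = $ca.Name; Host = $ca.dNSHostName; Templates = @($ca.certificateTemplates) }
}

# Returns the principals granted the Autoenroll extended right on a template.
function Get-AutoenrollPrincipals {
    param([string]$TemplateName)
    $acl = Get-Acl -Path "AD:\CN=$TemplateName,$tplBase"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $AutoEnrollGuid } |
        ForEach-Object { $_.IdentityReference.Value }
}

$old = Get-PublishedTemplates -CaName $OldCaName
$new = Get-PublishedTemplates -CaName $NewCaName

# Still only on the old CA: autoenrolling clients keep requesting these from
# 2012 R2 until the template is published on the new CA (Add-CATemplate there).
$onlyOld = $old.Templates | Where-Object { $_ -notin $new.Templates }
# On both CAs: candidates for Remove-CATemplate on the old CA at cutover.
$onBoth  = $old.Templates | Where-Object { $_ -in $new.Templates }

"Old CA: $($old.Name) on $($old.Host), $($old.Templates.Count) templates"
"New CA: $($new.Name) on $($new.Host), $($new.Templates.Count) templates"
"`nPublished only on the old CA (publish on the new CA first):"
$onlyOld | ForEach-Object { "  $_" }
"`nPublished on both CAs, with Autoenroll grantees (none = autoenrollment will not fire):"
foreach ($t in $onBoth) {
    $who = (Get-AutoenrollPrincipals -TemplateName $t) -join ', '
    "  $t : $(if ($who) { $who } else { '<none>' })"
}
```

Run it again after each Add-CATemplate / Remove-CATemplate round on the CAs; the cutover is done when the "only on the old CA" list is empty and every remaining template lists the computer groups you expect as Autoenroll grantees.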
