This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 9%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EO2%3C/text%3E%3C/svg%3E)
Hi,
We currently have a 2012 AD domain with PKI on 2012 servers. We are looking at upgrading the AD domain to 2019, can we leave the PKI services on the existing 2012 servers or does this need to be migrated to 2019 servers the same as the new Domain
Im not sure if theres any compatibility issues between the both if they are on different OS
Thanks in advance!
Hi All!
Thank you for your answers and sharing your knowledge.
Regards
there is no dependency between OS on domain controllers and CA servers. One thing you should consider -- CA and DC roles should not be installed on same machine.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi,
You don't need to migrate PKI on 2012 to another OS , to be able to upgrade the domain controller to Windows 2019.
a Domain controller on windows 2019 support a member server on Windows server 2012.
Please don't forget to mark this reply as answer if it help you to fix your issue
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hi,
Based on my research, we don't need to migrate the CA from the member server to the 2019 DC when you upgrade the DCs.
Just keep the CA on the member server.
If you also want to upgrade the CA server , you can consider migrate it to a 2019 member server ,not necessary to a DC.
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674
Best Regards,