PKI on 2012 servers with 2019 Domain controllers

ogo-2020 21 Reputation points
2020-11-21T05:28:52.533+00:00

Hi,

We currently have a 2012 AD domain with PKI on 2012 servers. We are looking at upgrading the AD domain to 2019, can we leave the PKI services on the existing 2012 servers or does this need to be migrated to 2019 servers the same as the new Domain

Im not sure if theres any compatibility issues between the both if they are on different OS

Thanks in advance!

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,808 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,714 questions
{count} votes

Accepted answer
  1. Vadims Podāns 8,866 Reputation points MVP
    2020-11-21T08:50:19.323+00:00

    there is no dependency between OS on domain controllers and CA servers. One thing you should consider -- CA and DC roles should not be installed on same machine.

    1 person found this answer helpful.
    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Thameur-BOURBITA 32,496 Reputation points
    2020-11-21T13:01:17.393+00:00

    Hi,

    You don't need to migrate PKI on 2012 to another OS , to be able to upgrade the domain controller to Windows 2019.

    a Domain controller on windows 2019 support a member server on Windows server 2012.

    Please don't forget to mark this reply as answer if it help you to fix your issue

    1 person found this answer helpful.
    0 comments No comments

  2. Fan Fan 15,291 Reputation points Microsoft Vendor
    2020-11-23T02:50:47.537+00:00

    Hi,
    Based on my research, we don't need to migrate the CA from the member server to the 2019 DC when you upgrade the DCs.
    Just keep the CA on the member server.
    If you also want to upgrade the CA server , you can consider migrate it to a 2019 member server ,not necessary to a DC.
    https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

    Best Regards,

    1 person found this answer helpful.
    0 comments No comments