![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
151 questions
Hello Donte_Cates,
Thank you for posting in Microsoft Community forum.
Is your PKI one online Enterprise root CA? If so, we suggest you migrate ADCS from 2012 R2 to 2019 instead of performing in-place upgrade the OS version from Windows server 2012 R2 to Windows server 2019.
Considerations for migrating a CA to a new machine:
- When migrating a CA, the computer name of the target computer may be different from the computer name of the source computer, but the CA name must keep the same.
- By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions, including the CA machine host name in the path. This means that any certificate issued by the CA prior to migration may contain a certificate verification path that contains the old host name. These paths may no longer be valid after migration. To avoid revocation checking errors, the new CA must be configured to publish the CRL to the old (pre-migration) path as well as the new path.
- During the installation process, we must choose to use the CA's existing certificate and private key instead of creating a new CA certificate and key.
The migrate steps from 2012 R2 to 2019 are similar as from 2008 R2 to 2019 (or from 2003 to 2012 R2)
For more information, please refer to links below.
Performing the Upgrade or Migration | Microsoft Learn
AD CS Migration: Migrating the Certification Authority | Microsoft Learn
I hope the information above is helpful.
If you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou