Migrate CA server 2008 to 2019 without uninstall existing CA services

Chong 866 Reputation points
2021-06-07T03:40:47.323+00:00

Hi Support,

We need to migrate 2-tier enterprise CA server OS from 2008 to 2019 in our AD. After some research, all of the migration method is:

  1. Backup the existing CA DB and registry
  2. Uninstall existing CA services
  3. Restore CA DB and registry to new server

However, we only can shutdown the existing CA but cannot remove the CA from the AD (for failback if the new CA server not work).
If we need to keep the same CA server name (not hostname), how can we migrate the CA to new server? Do we still can use backup and restore to migrate CA services?

  1. Backup the existing CA DB and registry
  2. Shutdown the existing CA server
  3. Restore CA DB and registry to a new server

Thanks
Chong

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,923 questions
{count} votes

Accepted answer
  1. Daisy Zhou 22,476 Reputation points Microsoft Vendor
    2021-06-07T07:38:15.233+00:00

    Hello @Chong ,

    Thank you for posting here.

    From the link below, we can see why we should uninstall AD CS from source CA before we install AD CS on destination CA:

    Because the source CA and destination CA share the same common name, removing the CA role service from the source server after installing the CA role service on the destination server removes configuration data that is required by destination CA and interferes with its operation.

    The CA database, private key, and certificate are not removed from the source server by removing the CA role service. Therefore, reinstalling the CA role service on the source server restores the source CA if migration fails and performing a rollback is required.

    Warning
    Although it is not recommended, some administrators may choose to leave the CA role service installed on the source server to enable the source CA to be brought online quickly in the case of migration failure. If you choose not to remove the CA role service from the source server before installing the CA role service on the destination server, it is important that you disable the Active Directory Certificate Services service (Certsvc) and shut down the source server before installing the CA role service on the destination server. Do not remove the CA role service from the source server after completing the migration to the destination server. Removing the CA role service from the source server after migrating to the destination server interferes with the operation of the destination CA.

    For more information, we can read the link below.
    Migrating the Certification Authority
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486805(v=ws.11)

    Other considerations for migrating a CA to a new machine:

    1.When migrating a CA, the computer name of the target computer may be different from the computer name of the source computer, but the CA name must remain unchanged.

    2.By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions, including the CA machine host name in the path. This means that any certificate issued by the CA prior to migration may contain a certificate verification path that contains the old host name. These paths may no longer be valid after migration. To avoid revocation checking errors, the new CA must be configured to publish the CRL to the old (pre-migration) path as well as the new path.

    3.During the installation process, we must choose to use the CA's existing certificate and private key instead of creating a new CA certificate and key.

    4.We can migrate CA directly from server 2008R2 to 2016 /2019. However, if you attempt to migrate 2008 CA (non R2) to 2016/2019, you may need to migrate CA to server 2012 R2 first, then to 2016/2019.

    For more information, please read the links below.
    Migrating AD Certificate Services from Windows Server 2008 to Windows Server 2016
    https://social.technet.microsoft.com/wiki/contents/articles/37373.migrating-ad-certificate-services-from-windows-server-2008-to-windows-server-2016.aspx

    https://www.petenetlive.com/KB/Article/0001473

    https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/bc-p/700730#M270%3FWT.mc_id=ITOPSTALK-blog-abartolo

    5.Each of the above small steps contains a lot of operations.
    It is recommended that you set up a similar CA environment in the test environment, and perform migration operations in the test environment, and then record all these steps in a document, and write down the key points and precautions.
    If there are no problems, follow the similar the steps in the production environment, so that even if you encounter any problems in the production environment, you should be able to troubleshoot or solve them well.

    For more information about CA migration, we can refer to links below.
    Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019
    https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

    AD CS Migration: Migrating the Certification Authority
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee126140(v=ws.10)#BKMK_GrantPermsAIA

    Performing the Upgrade or Migration
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

4 additional answers

Sort by: Most helpful
  1. Chong 866 Reputation points
    2021-06-07T09:47:20.203+00:00

    Hi @Daisy Zhou ,

    Thanks for the information.
    But the link you provide seems is remove already.

    Migrating the Certification Authority
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486805(v=ws.11)

    And I just tried to not remove the CA role in old subordinate server and shutdown it (didn't disable CA services). Then restore the CA to new server, it request a cert from root CA. But the root CA failed to issue the cert. Do this relate to didn't disable CA services?

    102937-subordinate.jpg

    Best Regards
    Chong


  2. Daisy Zhou 22,476 Reputation points Microsoft Vendor
    2021-06-09T07:11:02.24+00:00

    Hello @Chong ,

    I am so glad to receive your reply.

    Here are the answers for your references.

    Q: You said: "After you restore the CA to new server, it should not request a cert from root CA."
    Why cannot request a cert from root CA? This is subordinate CA and it should renew the cert from root CA when the cert expire (may be not renew now, but it should renew in the future).
    A: What I mean the usual CA migration does not include requesting a cert from root CA, but if you need, you can request a cert from root CA.

    Q: And if I enable the auto key archive in the old CA server, after restore to new server, do we need to take any action on new server? All setting/KRA will applied in new server also?
    A: Based on my understanding, all setting/KRA will applied in new server also.

    AD CS key archival can be performed either manually or automatically. Manual key archival requires users to export private keys and send them to a CA Administrator who imports them to the protected CA database. Automatic key archival is performed during the certificate enrollment process when a certificate template is configured to require key archival. During the certificate enrollment process, the private key is securely sent to the CA as part of the certificate request and is archived by the CA.

    References.
    Configure Automatic Key Archiving in Certificate services| key recovery agent
    https://w7cloud.com/configure-automatic-key-archiving-in-certificate-services-key-recovery-agent/

    Active Directory Certificate Services: PKI - Key Archival and Management
    https://social.technet.microsoft.com/wiki/contents/articles/7573.active-directory-certificate-services-pki-key-archival-and-management.aspx

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

  3. Chong 866 Reputation points
    2021-06-11T09:46:23.577+00:00

    Hi @Daisy Zhou ,

    Thanks for your information.

    Back for the original question, if we need to remove CA role in old server before install a new CA server, then any failback plan for the CA migration?

    Best Regards
    Chong


  4. Daisy Zhou 22,476 Reputation points Microsoft Vendor
    2021-06-15T06:46:44.16+00:00

    Hello @Chong ,

    Thank you for your reply.

    Q: BTW, if the CA is a active/passive cluster, We need to remove CA services on both node at the same time? or can do it one by one?
    A: I am sorry, I do not know cluster. Do you mean you have two CA servers and install AD CS on both servers? But you migrate one CA server to another new server?

    If so, if you have two CA servers:

    CA server1: CA name1
    CA server2: CA name2

    If you migrate CA server1, you can remove CA service on CA server1.
    Or if you migrate CA server2, you can remove CA service on CA server2.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.