Move from DC 2012R2 to 2022 and move CA role

Andreas 926 Reputation points
2021-10-28T19:09:15.487+00:00

Hi,

Environment
2 Hyper-V hosts - Windows Server 2012 R2 Datacenter (will be migrated to new 2022 hyper-v hosts)
2 domain controllers – Windows Server 2012 R2 Datacenter
25 VMs - Windows Server 2012 R2 Datacenter
1 VM – Windows Server 2008 R2
2 VMs – Windows Server 2012 R2 Standard
Forrest Level = Windows Server 2012 R2
Domain Level = Windows Server 2012 R2

DC1: Have the DC role, DNS, NPS, and CA (Don’t blame me that the CA role is there :)
DC2: Have the DC role and DNS

Challenge: Upgrade the domain controllers to Windows Server Datacenter 2022, but what to do about the CA ? Would like to reuse the IP address for both DC1 and DC2…

What we are thinking…. We would like to create 2 new VMs with Windows Server 2022 Datacenter and configure these as domain controllers (Do we need to change domain/forest level before implementing av 2022 domain controller?)

  1. Create DC3 VM with Windows Server 2022 Datacenter and add this to the domain
  2. Install AD+DNS and promte this DC. Leave it for a couple of days to verify that everything is replicating ok. Use repadmin and dcdiag to check.
  3. Move over the FSMO roles to DC3
  4. Decommission DC1. Now the DC role is gone, I am not sure about what to do with the CA role since we would like to reuse the IP on the new DC3. The CA should also be upgraded to Windows Server 2022, so should we create a new VM here and migrate the role, is that possible ? What is recommended ? What step would you do / recommend ?
  5. Step XXX

For information the CA is publishing user and machine certificates only used for Wifi access....

Thanks for any answers

/R
Andy

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,304 questions
{count} votes

Accepted answer
  1. Vadims Podāns 8,081 Reputation points Microsoft MVP
    2021-10-30T12:36:20.19+00:00

    many things can go wrong I guess.

    without prior experience and background in PKI -- most likely.

    What about configure a new certificate system instead, and deploy user and machine certificates

    it is an option since your environment is not large. Setup a brand new CA, distribute new root CA certificate to all non-domain devices (it will be automatically propagated to domain users and computers) and start certificate replacement. though, before installing new CA, I would recommend to read my blog post on designing CDP/AIA extensions since they are root causes of CA migration complications. Properly designed and implemented CDP/AIA extensions make migration much easier. Here is the link: https://www.sysadmins.lv/blog-en/designing-crl-distribution-points-and-authority-information-access-locations.aspx

    After installing new CA (you will have to keep both CAs side-by-side until all certificates are replaced), add same templates for issuance as shown in Certificate Templates folder (certsrv.msc) on old CA. Then clear all templates from old CA. This will ensure that old CA won't issue any new certificate and all certificates will be issued only by new CA.

    After all certificates are replaced with certs from new CA, you can decommission old CA: https://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx. Don't skip this process.

    Not sure if they are also using it for VPN, is there a easy way to check this without talking to the network/ASA guys ?

    in CA management console (certsrv.msc) go to Issued Certificates folder and filter time-valid certificates (which are not yet expired) using View->Filter menu command. Analyze all certificates, this may give you clues where and the purpose certificates are issued for.

    its because we have some static configuration here and there

    it is the result of poorly designed network and operations. In my networks I rarely refer to IP addresses. Instead, I register every IP-capable device (PCs, servers, network devices, etc.) in DNS and refer to these devices by name only. This gives me a freedom in IP addressing and I can switch to another IP almost without interruptions.

    No comments

2 additional answers

Sort by: Most helpful
  1. Vadims Podāns 8,081 Reputation points Microsoft MVP
    2021-10-29T07:35:59.477+00:00

    CA with default installation settings migration is a bit complicated process since there are a lot of references to host name and require good knowledge of MS CA and PKI. There is official ADCS migration guide: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486797(v=ws.11) and you will have to carefully go through this guide in order to successfully migrate CA.

    Would like to reuse the IP address for both DC1 and DC2…

    is there any particular reason? In the case if there are many non-domain computers (including network devices) with static IP configuration (not using DHCP), I'm doing it this way:

    • reserve two (or more if needed) IP addresses in subnet solely for DNS purposes.
    • add them to DCs that hold DNS role as additional IP addresses.
    • configure these reserved DNS addresses on all devices with static IP configuration

    Next time you add/replace DCs, you don't have to retain old IP address for them. Pick any available address for new controller and simply add that reserved IP address and everyone will be able to use new DNS server without any reconfiguration immediately.

    Such trick eliminates the requirement to use same IP for DNS. Changing IP for DC isn't a problem at all.

    No comments

  2. Andreas 926 Reputation points
    2021-10-29T11:58:17.923+00:00

    Hi,

    Thanks for reply @Vadims Podāns

    That was a complicated guide yes, many things can go wrong I guess.
    What about configure a new certificate system instead, and deploy user and machine certificates. Its not a big environment, and they are just using it for access to Wifi. Not sure if they are also using it for VPN, is there a easy way to check this without talking to the network/ASA guys ?

    When it comes to reuse the IP of domain controllers, its because we have some static configuration here and there... nice trick about the reserve thing, will take that with me. How about reuse the hostname, guess that will be a problem since its a CA role on the same server...

    /R
    Andy

    No comments