This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 88%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi,
Environment
2 Hyper-V hosts - Windows Server 2012 R2 Datacenter (will be migrated to new 2022 hyper-v hosts)
2 domain controllers – Windows Server 2012 R2 Datacenter
25 VMs - Windows Server 2012 R2 Datacenter
1 VM – Windows Server 2008 R2
2 VMs – Windows Server 2012 R2 Standard
Forrest Level = Windows Server 2012 R2
Domain Level = Windows Server 2012 R2
DC1: Have the DC role, DNS, NPS, and CA (Don’t blame me that the CA role is there :)
DC2: Have the DC role and DNS
Challenge: Upgrade the domain controllers to Windows Server Datacenter 2022, but what to do about the CA ? Would like to reuse the IP address for both DC1 and DC2…
What we are thinking…. We would like to create 2 new VMs with Windows Server 2022 Datacenter and configure these as domain controllers (Do we need to change domain/forest level before implementing av 2022 domain controller?)
For information the CA is publishing user and machine certificates only used for Wifi access....
Thanks for any answers
/R
Andy
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 13%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBB%3C/text%3E%3C/svg%3E)
Did this work for you @Andreas ? We have a similar build. Similar(ish) environment - needing to migrate to 2022 from 2012r2, curious if you ran export/import to the new environment and how you actually transitioned all the VM's successfully?
many things can go wrong I guess.
without prior experience and background in PKI -- most likely.
What about configure a new certificate system instead, and deploy user and machine certificates
it is an option since your environment is not large. Setup a brand new CA, distribute new root CA certificate to all non-domain devices (it will be automatically propagated to domain users and computers) and start certificate replacement. though, before installing new CA, I would recommend to read my blog post on designing CDP/AIA extensions since they are root causes of CA migration complications. Properly designed and implemented CDP/AIA extensions make migration much easier. Here is the link: https://www.sysadmins.lv/blog-en/designing-crl-distribution-points-and-authority-information-access-locations.aspx
After installing new CA (you will have to keep both CAs side-by-side until all certificates are replaced), add same templates for issuance as shown in Certificate Templates folder (certsrv.msc) on old CA. Then clear all templates from old CA. This will ensure that old CA won't issue any new certificate and all certificates will be issued only by new CA.
After all certificates are replaced with certs from new CA, you can decommission old CA: https://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx. Don't skip this process.
Not sure if they are also using it for VPN, is there a easy way to check this without talking to the network/ASA guys ?
in CA management console (certsrv.msc) go to Issued Certificates folder and filter time-valid certificates (which are not yet expired) using View->Filter menu command. Analyze all certificates, this may give you clues where and the purpose certificates are issued for.
its because we have some static configuration here and there
it is the result of poorly designed network and operations. In my networks I rarely refer to IP addresses. Instead, I register every IP-capable device (PCs, servers, network devices, etc.) in DNS and refer to these devices by name only. This gives me a freedom in IP addressing and I can switch to another IP almost without interruptions.
CA with default installation settings migration is a bit complicated process since there are a lot of references to host name and require good knowledge of MS CA and PKI. There is official ADCS migration guide: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486797(v=ws.11) and you will have to carefully go through this guide in order to successfully migrate CA.
Would like to reuse the IP address for both DC1 and DC2…
is there any particular reason? In the case if there are many non-domain computers (including network devices) with static IP configuration (not using DHCP), I'm doing it this way:
Next time you add/replace DCs, you don't have to retain old IP address for them. Pick any available address for new controller and simply add that reserved IP address and everyone will be able to use new DNS server without any reconfiguration immediately.
Such trick eliminates the requirement to use same IP for DNS. Changing IP for DC isn't a problem at all.
Hi,
Thanks for reply @Vadims Podāns
That was a complicated guide yes, many things can go wrong I guess.
What about configure a new certificate system instead, and deploy user and machine certificates. Its not a big environment, and they are just using it for access to Wifi. Not sure if they are also using it for VPN, is there a easy way to check this without talking to the network/ASA guys ?
When it comes to reuse the IP of domain controllers, its because we have some static configuration here and there... nice trick about the reserve thing, will take that with me. How about reuse the hostname, guess that will be a problem since its a CA role on the same server...
/R
Andy