ADCS: Migrate Windows Server 2008 R2 CA to a New Server 2012/r2 or 2016
Steps
PowerShell
Run a PowerShell command window as administrator with the required privileges
Type net stop certsvc and press Enter
CA Registry Settings
In the PowerShell command prompt opened in the previous instructions, type
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "c:\CAbackup\CAregsettings.reg"
Press Enter
Certificate Templates
Open a PowerShell command prompt, type
certutil.exe -catemplates > "c:\CAbackup\catemplates.txt"
replacing "c:\CAbackup\catemplates.txt" with the correct path and file name for your backup folder
Press Enter
CAPolicy.inf File
If your CA was configured using a CAPolicy.inf file, make sure that you copy this file from the %SystemRoot% directory on the old server to the %SystemRoot% directory on the new server
Remove the Active Directory Certificate Services Role and Server from the Domain
Right-click the PowerShell icon on the desktop taskbar and select Run as Administrator from the context menu
Type Remove-WindowsFeature Adcs-Cert-Authority and press Enter
Install and Configure the AD CS Role New server
Open a PowerShell console, type Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools and press Enter
After the AD CS role has installed, type Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CertFile "C:\CAbackup\Yshvili-DC-CA.p12" -CertFilePassword (Read-Host "yshvili\administrator" -AsSecureString) and press Enter
Type the password for the file when prompted, then confirm that you want to configure the CA
Restore the CA Database and Registry Settings
Restore the CA Registry Settings
Right-click the PowerShell icon on the desktop taskbar and select Run as Administrator
Now type reg import "c:\CAbackup\CAregsettings.reg" and press Enter
Restore the CA Templates
Right-click the PowerShell icon on the desktop taskbar and select Run as Administrator from the context menu.
In the command prompt, type certutil -setcatemplates +DirectoryEmailReplication and press Enter
Reboot server.
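For the Restore the CA Templates step above, the following added example (not part of the original post) compares the templates recorded in c:\CAbackup\catemplates.txt with those published on the new CA and re-adds the missing ones with certutil -setcatemplates. The function name Get-BackedUpTemplateName and the -Apply switch are hypothetical, and the line format of the certutil -catemplates output is an assumption stated in the comments.

```powershell
# Added example: re-publish every template listed in the backup file.
# Assumption: each template line written by "certutil -catemplates" looks like
#   TemplateName: Display Name -- Auto-Enroll: ...
# and the output ends with a "CertUtil: ... completed successfully." line.
param(
    [string]$BackupFile = 'C:\CAbackup\catemplates.txt',
    [switch]$Apply      # hypothetical switch: without it the script only reports
)

# Hypothetical helper: extract the template short names from certutil output.
function Get-BackedUpTemplateName {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Short names contain no spaces or colons; skip the CertUtil status line.
        if ($line -match '^\s*([^:\s]+):\s' -and $Matches[1] -ne 'CertUtil') {
            $Matches[1]
        }
    }
}

if (-not (Test-Path -LiteralPath $BackupFile)) {
    throw "Template backup not found: $BackupFile"
}

# Templates the old CA published (from the backup) and what the new CA has now.
$wanted  = @(Get-BackedUpTemplateName -Lines (Get-Content -LiteralPath $BackupFile))
$current = @(Get-BackedUpTemplateName -Lines (certutil.exe -catemplates))
$missing = @($wanted | Where-Object { $current -notcontains $_ })

if ($wanted.Count -eq 0) {
    throw "No template names parsed from $BackupFile; check the file format."
}
Write-Output ("Backup lists {0} templates, {1} missing on this CA." -f $wanted.Count, $missing.Count)

foreach ($name in $missing) {
    if (-not $Apply) {
        Write-Output "Would publish: $name"
        continue
    }
    # "+Name" adds one template to the CA's published list.
    certutil.exe -setcatemplates "+$name"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil failed for template '$name' (exit code $LASTEXITCODE)"
    }
}
```

Run it once without -Apply from an elevated PowerShell prompt to review the list, then again with -Apply.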