Active Directory Certificate Services Migration Guide
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
About this guide
This document provides guidance for migrating a certification authority (CA) to a server that is running Windows Server® 2008 R2 from a server that is running Windows Server 2003, Windows Server 2003 R2, or Windows Server 2008. You can also migrate a CA from a server running Windows Server 2008 or Windows Server 2008 R2 to a server that is running Windows Server® 2012 using these directions.
Target audience
Administrators or IT operations engineers responsible for planning and performing CA migration to Windows Server 2008 R2 or Windows Server 2012.
Administrators or IT operations engineers responsible for the day-to-day management and troubleshooting of networks, servers, client computers, operating systems, or applications.
IT operations managers accountable for network and server management.
IT architects responsible for computer management and security throughout an organization.
Supported migration scenarios
This guide provides you with instructions for migrating an existing server that is running Active Directory® Certificate Services (AD CS) to a server that is running Windows Server 2008 R2 or Windows Server 2012. This guide does not contain instructions for migration when the source server is running multiple roles. If your server is running multiple roles, you should design a custom migration procedure that is specific to your server environment, based on the information provided in other role migration guides. To view migration guides for additional roles, see Migrate Server Roles to Windows Server 2008 R2 (https://go.microsoft.com/fwlink/?LinkID=128554).
Note
This guide can be used to migrate a CA from a source server that is also a domain controller to a destination server with a different name. However, migration of a domain controller is not covered by this guide. For information about Active Directory Domain Services (AD DS) migration, see Active Directory Domain Services and DNS Server Migration Guide (https://go.microsoft.com/fwlink/?LinkId=179357).
Supported operating systems
This guide supports migrations from source servers running the operating system versions and service packs listed in the following table. All migrations described in this document assume that the destination server is running Windows Server 2008 R2 or Windows Server 2012 as specified in the following table.
Source server processor | Source server operating system | Destination server operating system | Destination server processor
---|---|---|---
x86-based or x64-based | Windows Server 2003 with Service Pack 2 | Windows Server 2008 R2 (full or Server Core installation), or Windows Server 2012 (Server with a GUI only; not Server Core or Minimal Server Interface) | x64-based
x86-based or x64-based | Windows Server 2003 R2 | Windows Server 2008 R2 (full or Server Core installation), or Windows Server 2012 (Server with a GUI only; not Server Core or Minimal Server Interface) | x64-based
x86-based or x64-based | Windows Server 2008 | Windows Server 2008 R2 (full or Server Core installation), or Windows Server 2012 (Server with a GUI only; not Server Core or Minimal Server Interface) | x64-based
x64-based | Windows Server 2008 R2 | Windows Server 2008 R2 (full or Server Core installation), or Windows Server 2012 (Server with a GUI only; not Server Core or Minimal Server Interface) | x64-based
Note
In-place upgrades from Windows Server 2003 with Service Pack 2 or Windows Server 2003 R2 to Windows Server 2012 are not supported.
What this guide does not provide
Procedures to upgrade to Windows Server 2008 R2 or Windows Server 2012
Procedures to migrate additional server roles
Procedures to migrate additional AD CS role services
In general, migration is not required for the following AD CS role services. Instead, you can install and configure these role services on computers running Windows Server 2008 R2 or Windows Server 2012 by completing the role service installation procedures. For information about the impact of CA migration on other AD CS role services, see Impact of migration on other computers in the enterprise.
CA Web Enrollment (https://go.microsoft.com/fwlink/?LinkId=179360)
Online Responder (https://go.microsoft.com/fwlink/?LinkId=143098)
Network Device Enrollment (https://go.microsoft.com/fwlink/?LinkId=179362)
Certificate Enrollment Web Services (https://go.microsoft.com/fwlink/?LinkId=179363)
CA migration overview
Certification authority (CA) migration involves several procedures, which are described in the following sections.
Warning
During the migration procedure, you are asked to turn off the existing CA (either the computer or at least the CA service). You are also asked to give the destination CA the same CA name that the source CA used. The computer name (hostname or NetBIOS name) of the destination server does not have to match that of the source server, but the destination CA name must match the source CA name, and the destination CA name must not be identical to the destination computer name.
Note
It is possible to install a new PKI hierarchy while still leveraging an existing PKI hierarchy. However, doing so requires designing a new PKI, and is not covered in this guide. For an informal overview of how a dual PKI could work for an organization, see the following Ask DS blog post: Moving Your Organization from a Single Microsoft CA to a Microsoft Recommended PKI.
Preparing to migrate
Migrating the certification authority
Verifying the migration
Post-migration tasks
Impact of migration
Impact of migration on the source server
The CA migration procedures described in this guide include decommissioning the source server after migration is completed and CA functionality on the destination server has been verified. If the source server is not decommissioned, then the source server and destination server must have different names. Additional steps are required to update the CA configuration on the destination server if the name of the destination server is different from the name of the source server.
Impact of migration on other computers in the enterprise
During migration, the CA cannot issue certificates or publish CRLs.
To ensure that domain members can still check revocation status during CA migration, publish a CRL whose validity period (its NextUpdate time) extends beyond the planned duration of the migration before you stop the source CA.
Because the authority information access (AIA) and CRL distribution point (CDP) extensions of previously issued certificates may reference the name of the source CA server, it is important either to continue publishing CA certificates and CRLs to the same locations or to provide a redirection solution. For an example of configuring IIS redirection, see Redirecting Web Sites in IIS 6.0.
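The three checks that this section and the preceding "Impact of migration on the source server" section call for (the CA name versus the destination host name, publication URLs that embed the source server name, and a published CRL that outlasts the migration window) can be scripted on the source CA before it is stopped. The following PowerShell is an added example written for this guide and is not Microsoft's own code; it assumes an elevated session on the source CA with certutil.exe available, and the destination host name and migration window are placeholder assumptions to be adjusted.

```powershell
# Added example (not from the migration guide): pre-migration checks on the SOURCE CA.
# Run in an elevated PowerShell session on the source CA before stopping CertSvc.
param(
    [string]$DestinationHost   = 'NEWCA01',             # assumed destination computer name
    [timespan]$MigrationWindow = (New-TimeSpan -Days 7) # assumed outage, padded generously
)

$cfgPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgPath -Name Active).Active
$ca      = Get-ItemProperty -Path (Join-Path $cfgPath $caName)
Write-Host "Source CA name: '$caName' on host '$($ca.CAServerName)'"

# 1. Naming rule: the destination keeps the CA name, but the CA name must not
#    equal the destination computer name.
if ($caName -ieq $DestinationHost) {
    Write-Warning "CA name '$caName' equals the planned destination host name; choose a different host name."
}

# 2. CDP/AIA publication URLs. Entries look like '6:http://%1/CertEnroll/%3%8%9.crl';
#    %1 and %2 expand to the CA server's DNS and short names, so http:// URLs built
#    from them (or from the literal source host name) change when the host changes,
#    while extensions in already-issued certificates keep pointing at the old name.
$urls = @($ca.CRLPublicationURLs) + @($ca.CACertPublicationURLs)
foreach ($entry in $urls) {
    $url = ($entry -split ':', 2)[1]           # drop the leading numeric flag field
    if ($url -notmatch '^https?://') { continue }
    if ($url -match '%1|%2' -or $url -match [regex]::Escape($env:COMPUTERNAME)) {
        Write-Warning "Publication URL depends on the source server name (keep the name or redirect): $url"
    } else {
        Write-Host "Publication URL uses a fixed alias: $url"
    }
}

# 3. Does the currently published base CRL outlast the migration window?
$crlFile = Join-Path $env:TEMP 'source-ca.crl'
& certutil.exe -config "$($ca.CAServerName)\$caName" -getcrl $crlFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -getcrl failed with exit code $LASTEXITCODE" }

$dump       = & certutil.exe -dump $crlFile
$match      = $dump | Select-String -Pattern 'NextUpdate:\s*(.+)$'
$nextUpdate = [datetime]::Parse($match.Matches[0].Groups[1].Value.Trim())
$deadline   = (Get-Date) + $MigrationWindow

if ($nextUpdate -lt $deadline) {
    Write-Warning ("Published CRL expires {0:u}, before the migration deadline {1:u}." -f $nextUpdate, $deadline)
    Write-Warning "Run Publish-CrlCoveringWindow (below) to lengthen CRLPeriod and republish before stopping the CA."
} else {
    Write-Host ("Published CRL is valid until {0:u}, beyond the migration deadline {1:u}." -f $nextUpdate, $deadline)
}

# Delta CRLs are published on their own, shorter schedule; extend or disable them as well
# (certutil -setreg CA\CRLDeltaPeriodUnits 0 disables delta CRL publication).
if ($ca.CRLDeltaPeriodUnits -gt 0) {
    Write-Warning "Delta CRLs are enabled ($($ca.CRLDeltaPeriodUnits) $($ca.CRLDeltaPeriod)); extend or disable them for the migration."
}

function Publish-CrlCoveringWindow {
    # Lengthen the base CRL lifetime, restart CertSvc so the new registry value is read,
    # then force publication. Revert the period after the destination CA is verified.
    param(
        [Parameter(Mandatory)][int]$Units,
        [Parameter(Mandatory)][ValidateSet('Hours','Days','Weeks','Months','Years')][string]$Period
    )
    & certutil.exe -setreg CA\CRLPeriodUnits $Units | Out-Null
    & certutil.exe -setreg CA\CRLPeriod $Period     | Out-Null
    Restart-Service -Name CertSvc
    & certutil.exe -CRL | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }
}

# Example remediation (assumed values): .\precheck.ps1 then Publish-CrlCoveringWindow -Units 2 -Period Weeks
```

The CRL check reads the NextUpdate time from the CRL the CA is actually serving rather than from the CRLPeriod registry values alone, because a long CRLPeriod only takes effect at the next publication; if the script reports a shortfall, publish a new CRL with the longer period before stopping the source CA, and restore the original period once the destination CA is verified.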
Permissions required to complete the migration
To install an enterprise CA or a standalone CA on a domain member computer, you must be a member of the Enterprise Admins group or Domain Admins group in the domain. To install a standalone CA on a server that is not a domain member, you must be a member of the local Administrators group. Removal of the CA role service from the source server has the same group membership requirements as installation.
Estimated duration
The simplest CA migration can typically be completed within one to two hours. The actual duration of CA migration depends on the number of CAs and the sizes of CA databases.