Solved

certificates PKI infrastructure migration high level steps

Posted on 2014-10-27
Last Modified: 2014-10-29
Hello Experts,

I currently have two clients that are looking to migrate their PKI infrastructure to Windows 2012 R2 PKI.

Client number one has a 3-tier PKI infrastructure [offline root, 1 enterprise subordinate, 2 cert issuing servers]. Windows 2003 is the OS on all servers, and the domain/forest functional level is Windows 2003.

Client number two has a 3-tier PKI infrastructure [offline root, 1 enterprise subordinate, 2 cert issuing servers]. Windows 2008 is the OS on all servers, and the domain/forest functional level is Windows 2008.

Can someone please provide high-level steps to migrate the entire infrastructure, considering the tier 3 and the OS on each client?

Can someone please provide a checklist doc or spreadsheet to migrate PKI servers to the latest OS?

Any blogs with tons of screenshots with all steps required by each phase?
Question by:Jerry Seinfield

Author Comment

by:Jerry Seinfield
ID: 40407492
Any updates?

Author Comment

by:Jerry Seinfield
ID: 40409520
Can someone please acknowledge this request?

Expert Comment

by:Jian An Lim
ID: 40409663
We are doing migration, not consolidating.
Your clients are on the 3-tier PKI structure, so this is the Microsoft-recommended solution.

It is on the Microsoft-supported migration pathway (from 2003/2008 to 2012).

There is tons of information in the TechNet article I quoted below, which includes all the checklists and steps for all the required activities.

Please have a read of this article and any subsequent articles.
http://technet.microsoft.com/en-au/library/dn486797.aspx

Please let me know if you have any concerns.

Author Comment

by:Jerry Seinfield
ID: 40410655
Thanks, but can anyone please summarize the high-level steps and attach a spreadsheet for a checklist?

Accepted Solution

by:
Jian An Lim earned 500 total points
ID: 40411939
These are the high-level steps you need.
Unless you have been hit with a rock, all the plans will look very similar, until you hit some issues.
Then post another question so we can look into it. If not, I am currently at a planning session but without knowing the environment well.

We can wait another few days for other experts; they might have prepared one before, but usually my reference to TechNet suffices.


Preparing to migrate
    Preparing your destination server
    Backing up your source server
    Preparing your source server

Migrating the certification authority
    Backing up a CA database and private key
    Backing up CA registry settings
    Backing up CAPolicy.inf
    Removing the CA role service from the source server
    Removing the source server from the domain
    Joining the destination server to the domain
    Adding the CA role service to the destination server
    Restoring the CA database and configuration on the destination server
    Granting permissions on AIA and CDP containers
    Additional procedures for failover clustering (optional)

Verifying the migration
    Verifying certificate enrollment
    Verifying CRL publishing

Post-migration tasks
    Upgrading certificate templates in Active Directory Domain Services (AD DS)
    Retrieving certificates after a host name change
    Restoring Active Directory Certificate Services (AD CS) to the source server in the event of migration failure
    Troubleshooting migration
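
The three backup steps under "Migrating the certification authority", sketched as a script for the source CA. This is an added example, not part of the answer above or of the TechNet guide; it assumes a software-protected CA key (no HSM), that PowerShell is available on the source server, and a hypothetical backup path in `$BackupDir`.

```powershell
# Added example: backup steps on the source CA, run from an elevated prompt.
# Assumptions: software-protected CA key (no HSM); $BackupDir is a hypothetical path.
$ErrorActionPreference = 'Stop'
$BackupDir = 'E:\CABackup'
$RegKey    = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$RegFile   = Join-Path $BackupDir 'CertSvc-Configuration.reg'
$PolicyInf = Join-Path $env:SystemRoot 'CAPolicy.inf'

function Invoke-Native([string]$Exe, [string[]]$ExeArgs) {
    # Native tools do not throw; fail the run on any non-zero exit code.
    & $Exe $ExeArgs
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($ExeArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Start from an empty directory so files from an earlier run cannot be
# mistaken for this backup.
if (Test-Path $BackupDir) {
    if (Get-ChildItem $BackupDir) { throw "$BackupDir is not empty" }
} else {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

# 1. CA database and private key. certsvc must be running for the database backup.
#    -backupKey prompts for the PKCS #12 password, keeping it off the command line.
Invoke-Native 'certutil.exe' @('-backupDB',  $BackupDir)
Invoke-Native 'certutil.exe' @('-backupKey', $BackupDir)

# 2. Stop the CA so nothing is issued after the backup was taken.
Stop-Service -Name certsvc

# 3. CA registry settings.
Invoke-Native 'reg.exe' @('export', $RegKey, $RegFile)

# 4. CAPolicy.inf, if this CA was installed with one.
if (Test-Path $PolicyInf) { Copy-Item $PolicyInf $BackupDir }

# 5. Confirm the backup set is complete before removing the CA role.
$missing = @()
if (-not (Test-Path (Join-Path $BackupDir '*.p12')))          { $missing += 'private key (.p12)' }
if (-not (Test-Path (Join-Path $BackupDir 'DataBase\*.edb'))) { $missing += 'database (.edb)' }
if (-not (Test-Path $RegFile))                                { $missing += 'registry export' }
if ($missing) { throw "Backup incomplete: $($missing -join ', ')" }
"Backup complete in $BackupDir"
```

The `.p12` file in the backup directory holds the CA private key, so move the whole set to offline, access-controlled storage and delete it from the server once the destination CA has been restored.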