moving CA from Windows 2003 server to Windows 2012

I use a CA for 802.1x EAP TLS authentication.. I also used it to PEAP..  Can I just move my CA to a Windows 2012 server and then use NPS instead of IAS like I am now?  If so.. Someone just give me an overview of the process...
Who is Participating?
Jakob DigranesConnect With a Mentor Senior ConsultantCommented:
you can either do a side-by-side migration (my favourite) or in-place upgrade.
Here's in-place upgrade: 

For the side by side - install new 2-tier PKI infrastructure - make sure root certificates are deployed to clients, happens automatically and that CRL and AIA is available. Create new Certificate Templates for NPS/IAS, User and Computer and enroll to test computer - test login - rememeber to delete old certificate from that computer to verify it is working.

When tested ok - enroll certificates through default domain policy, I'd advice to turn on roaming credentials to avoid users getting multiple certificates (in GPO)

after all is good - decomission old PKI

Jakob DigranesSenior ConsultantCommented:
what about IAS, you are also planning to move IAS to NPS, right?

For that you do need to register all your access points (Wi-Fi devices) with new NPS server as radius clients and also you need to point these acces points to new NPS server
Also you need to configure network policies and connection policies in order to your wi-fi users get authenticated before they get valid IP address from DHCP

If you want to move IAS from 2003 to 2008 r2, follow teps in below article:

If you have 2008 server, then you already have NPS, its not IAS, IAS ends with 2003
If you want to migrate IAS or NPS from 2003 \ 2008 \ 2008 R2 to 2012 R2, follow steps in below article
The article written for 2012, but will be applicable to 2012 R2 as well
Only IASMigreader.exe location is changed on window 2012 R2 server, you can search 2012 R2 at "C:\windows\winsxs\some folder" for that file

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

gopher_49Author Commented:
Jakob Digranes,

I have a DirectAccess server that is not in a DMZ.  It's on my LAN.  I just port forward to it..  Is it okay to install DPS and CA on this same server?  Or should my DPS/CA be on a dedicated server?  I would imagine that's a much easier config...
Jakob DigranesSenior ConsultantCommented:
I'd generally recommend separating roles, at least for CA services. I've billed many hours to customers collocating DC and PKIs
gopher_49Author Commented:
Can I install DPS on my DirecAccess server and then have my CA on a dedicated VM?  Currently my CA is on a DC.
Jakob DigranesSenior ConsultantCommented:
When you talk aboud DPS, do you mean policy server (NPS)?
You could have CA and DPS collocated - I'd never collocate Direct Access with anything.

How many users?
gopher_49Author Commented:
Yes.. Sorry...  I meant NPS.. So.. I can put CA and DPS on the same server.. Then I'll the freedom of putting DA in a DMZ one day...  Correct?
Jakob DigranesSenior ConsultantCommented:
yes :)
gopher_49Author Commented:

I'll start the install this week and will update you ASAP.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.