In-place upgrade of 2012 R2 Certification Authority to 2016 R2

Robert Muscat
We have an Enterprise CA, with the Sub CA running on a Windows Server 2012 R2 VM, configured with Web Enrollment, Web Enrollment Services, Policy Web Service etc., all on the same server. The Root CA is also a Windows Server 2012 R2 VM and is offline.

We have both Kerberos Authentication certificates deployed for LDAPS and a number of Domain Admins utilizing Smart Card certificates for domain logons.

Since we're planning to do an in-place upgrade, which do you recommend gets upgraded first, the Root CA or the Sub CA? Also, is there anything I should take care of pre-upgrade and post-upgrade, taking into consideration the criticality of both the LDAPS and smart card services, apart from taking a snapshot backup in case something goes wrong and I need to restore the snapshot?

Thanks in advance :)
Mahesh
Architect
Distinguished Expert 2018
Commented:
First, back up the subordinate CA database along with the private key
Uninstall the CA role from the server and shut down the server - the computer account remains in AD

Then back up the root CA along with the private key
Uninstall the root CA
Create a new 2016 server in a workgroup with the same hostname as earlier and restore the Root CA from backup

Then install a new 2016 member server with the same name as earlier and restore the subordinate CA from backup

You can get steps from TechNet articles - check both articles carefully
https://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/dn486797(v=ws.11).aspx

Neither article mentions 2016 server, but I believe the procedure would remain the same.
Else you could wait until Microsoft publishes official documentation for 2016 server

Mahesh.

Author

Commented:
Hi Mahesh,

Thanks for the feedback provided. In our case it was decided that an in-place upgrade is to take place. I believe the above steps, excluding the backup part, are more intended for a migration scenario.

Thanks and regards
Architect
Distinguished Expert 2018
Commented:
Sorry, I did not see that the question is asking for an in-place upgrade

No official MS documentation is available for a CA server in-place upgrade
But most of the time it is seamless, and as of now I have not seen or heard of any issues

You just need to ensure that you take a CA backup before you go for the upgrade, so if by chance the upgrade fails, you can still follow the approach suggested in my 1st comment

Also, in that case there is no order of sequence you need to follow
You can do root 1st and subordinate 2nd OR vice versa

Mahesh.
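
The pre-upgrade CA backup recommended in the comment above, as an added PowerShell example that is not part of the original thread and is not Microsoft's documented procedure. The backup location `D:\CABackup` and the output file names are assumptions; run it elevated on each CA before starting the in-place upgrade.

```powershell
#Requires -RunAsAdministrator
# Added example: back up an AD CS CA before an in-place OS upgrade.
# $BackupRoot is a hypothetical path; use storage that is NOT on the CA's own disk.
param(
    [string]$BackupRoot = 'D:\CABackup',   # assumption, not from the thread
    [securestring]$P12Password = (Read-Host 'Password for CA key backup' -AsSecureString)
)

$ErrorActionPreference = 'Stop'
Import-Module ADCSAdministration

$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest | Out-Null

# 1. CA database plus the CA certificate and private key (written as <CA name>.p12)
Backup-CARoleService -Path $dest -Password $P12Password

# 2. CA configuration (CRL/AIA URLs, validity settings) lives in the registry, not the database
$regKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
& reg.exe export $regKey (Join-Path $dest 'CertSvc-Configuration.reg') /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# 3. Templates the CA currently issues (enterprise CA only; an offline standalone root has none)
& certutil.exe -catemplates | Out-File (Join-Path $dest 'CATemplates.txt')

# 4. CAPolicy.inf, if one was used when the CA was installed
$capolicy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $capolicy) { Copy-Item $capolicy $dest }

# 5. Do not treat the backup as good unless the key file and database folder exist
$p12 = Get-ChildItem -Path $dest -Filter '*.p12'
$db  = Join-Path $dest 'DataBase'
if (-not $p12 -or -not (Test-Path $db)) {
    throw "Backup incomplete in $dest : expected a .p12 file and a DataBase folder"
}
"Backup written to $dest ($($p12.Name), DataBase, registry export). Copy it off the server before upgrading."
```

The resulting folder contains the CA private key, so store it with the same care as the CA itself.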

Mahesh
Architect
Distinguished Expert 2018

Commented:
Appropriate answers were given; the author didn't respond
Hence trying to close

Author

Commented:
Thanks Mahesh

Author

Commented:
"You just need to ensure that you would take CA backup before you go for upgrade, so by chance if upgrade fails, you still can follow approach as suggested in my 1st comment"

Since the OS is a VM, can't I take a snapshot before and restore it if issues are encountered?
