While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.
In-place upgrade of 2012 R2 Certification Authority to 2016 R2
We have an Enterprise CA, with the Sub CA running on Windows server 2012 R2 VM, configured with Web Enrollment, Web Enrollment Services, Policy Web Service etc all on the same server. The Root CA is also a Windows server 2012 R2 VM and is offline.
We have both Kerberos Authentication certificates deployed for LDAPS and a number of Domain Admins utilizing Smart Card certificates for domain logons.
Since we're planning to do an in-place upgrade, what do you recommend that first gets upgraded, the Root CA or the Sub CA? Also, any things I should take care of pre upgrade and post upgrade, taking into consideration the criticality of both LDAPS and Smartcard services? Apart from taking a snapshot backup in case something goes wrong and I would need to restore the snapshot accordingly.
Thanks in advance :)
We have both Kerberos Authentication certificates deployed for LDAPS and a number of Domain Admins utilizing Smart Card certificates for domain logons.
Since we're planning to do an in-place upgrade, what do you recommend that first gets upgraded, the Root CA or the Sub CA? Also, any things I should take care of pre upgrade and post upgrade, taking into consideration the criticality of both LDAPS and Smartcard services? Apart from taking a snapshot backup in case something goes wrong and I would need to restore the snapshot accordingly.
Thanks in advance :)
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Hi Mahesh,
Thanks for the feedback provided. In our case it was decided that an in-place upgrade is to take place. I believe the above steps, excluding the backup part, are more intended for a migration scenario.
Thanks and regards
Thanks for the feedback provided. In our case it was decided that an in-place upgrade is to take place. I believe the above steps, excluding the backup part, are more intended for a migration scenario.
Thanks and regards
Sorry I did not see, the question is asking for in place upgrade
No MS official documentation is available for CA server in place upgrade
But most of the time it seamless and as of now I have not seen / heard any issues
U just need to ensure that you would take CA backup before you go for upgrade, so by chance if upgrade fails, you still can follow approach as suggested in my 1st comment
Also in that case there is no order of sequence you need to follow
U can do root 1st and subordinate 2nd OR vice versa
Mahesh.
No MS official documentation is available for CA server in place upgrade
But most of the time it seamless and as of now I have not seen / heard any issues
U just need to ensure that you would take CA backup before you go for upgrade, so by chance if upgrade fails, you still can follow approach as suggested in my 1st comment
Also in that case there is no order of sequence you need to follow
U can do root 1st and subordinate 2nd OR vice versa
Mahesh.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
U just need to ensure that you would take CA backup before you go for upgrade, so by chance if upgrade fails, you still can follow approach as suggested in my 1st comment
Since the OS is a VM, can't I take a snapshot before and restore it if issues are encountered?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012
From novice to tech pro — start learning today.
-
Windows Server 2012Certification: MCSA MCSE Microsoft Certified Solutions Associate & … 303 lessons
-
Windows Server 2012Certification: MCSA MCSE Microsoft Certified Solutions Associate & … 435 lessons
-
Windows Server 2012Certification: MCSA MCSE Microsoft Certified Solutions Associate & … 388 lessons
-
Windows Server 2012Certification: MCSA MCSE Microsoft Certified Solutions Associate & … 450 lessons
-
Microsoft ApplicationsCertification: MCSE Microsoft Certified Systems Engineer - Identity … 440 lessons
-
Windows Server 2016Certification: MCSE Microsoft Certified Systems Engineer - Installatio… 312 lessons
-
Windows Server 2016Certification: MCSE Microsoft Certified Systems Engineer - Networki… 282 lessons
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
Uninstall CA role from server and shutdown the server - computer account remains in AD
Then backup root CA along with private key
Uninstall root CA
Create new 2016 server in workgroup with same hostname as earlier and restore Root CA from backup
Then install new 2016 member server with same name as earlier and restore subordinate CA from backup
You can get steps from TechNet articles - check both articles carefully
https://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/dn486797(v=ws.11).aspx
The both article didn't mention about 2016 server, but I believe the procedure would remains same.
Else you could wait until Microsoft publish official documentation for 2016 server
Mahesh.