In-place upgrade of 2012 R2 Certification Authority to 2016 R2

We have an Enterprise CA, with the Sub CA running on Windows server 2012 R2 VM, configured with Web Enrollment, Web Enrollment Services, Policy Web Service etc all on the same server. The Root CA is also a Windows server 2012 R2 VM and is offline.

We have both Kerberos Authentication certificates deployed for LDAPS and a number of Domain Admins utilizing Smart Card certificates for domain logons.

Since we're planning to do an in-place upgrade, what do you recommend that first gets upgraded, the Root CA or the Sub CA? Also, any things I should take care of pre upgrade and post upgrade, taking into consideration the criticality of both LDAPS and Smartcard services? Apart from taking a snapshot backup in case something goes wrong and I would need to restore the snapshot accordingly.

Thanks in advance :)
Robert MuscatAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

1st Backup subordinate CA database along with private key
Uninstall CA role from server and shutdown the server - computer account remains in AD

Then backup root CA along with private key
Uninstall root CA
Create new 2016 server in workgroup with same hostname as earlier and restore Root CA from backup

Then install new 2016 member server with same name as earlier and restore subordinate CA from backup

You can get steps from TechNet articles - check both articles carefully

The both article didn't mention about 2016 server, but I believe the procedure would remains same.
Else you could wait until Microsoft publish official documentation for 2016 server

Robert MuscatAuthor Commented:
Hi Mahesh,

Thanks for the feedback provided. In our case it was decided that an in-place upgrade is to take place. I believe the above steps, excluding the backup part, are more intended for a migration scenario.

Thanks and regards
Sorry I did not see, the question is asking for in place upgrade

No MS official documentation is available for CA server in place upgrade
But most of the time it seamless and as of now I have not seen / heard any issues

U just need to ensure that you would take CA backup before you go for upgrade, so by chance if upgrade fails, you still can follow approach as suggested in my 1st comment

Also in that case there is no order of sequence you need to follow
U can do root 1st and subordinate 2nd OR vice versa


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

Answers are given appropriate, Author didn't respond
Hence trying to close
Robert MuscatAuthor Commented:
Thanks Mahesh
Robert MuscatAuthor Commented:
U just need to ensure that you would take CA backup before you go for upgrade, so by chance if upgrade fails, you still can follow approach as suggested in my 1st comment

Since the OS is a VM, can't I take a snapshot before and restore it if issues are encountered?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.