rsnellman asked:
Migrating Active Directory Certificate Services (AD CS)... however, NPS is present on the source

Hi, I am in the process of migrating Active Directory Certificate Services (AD CS) from a physical aging Windows Server 2008 R2 system to a new virtual Windows Server 2019 system.


The process doesn't sound difficult as spelled out in these nicely done articles & videos.

Moving Certificate Services To Another Server – by PeteNetLive
https://www.petenetlive.com/KB/Article/0001473


Migrate Windows Certificate Services 2008 R2 to 2019 – by PeteNetLive
https://www.youtube.com/watch?v=6XjyBo9MNAk&feature=emb_logo


Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019 – by Anthony Bartolo on Microsoft Tech Community
https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/Step-By-Step-Migrating-The-Active-Directory-Certificate-Service/bc-p/700730#M270%3FWT.mc_id=ITOPSTALK-blog-abartolo


Only a few gotchas/interesting facts to consider when migrating AD CS:

- As of now, you can migrate from Server 2008 R2 to Server 2019 (or 2012 / 2012 R2 / 2016).

- You cannot migrate from Server 2008 (non-R2) or older directly to Server 2019 or Server 2016. (You must first migrate to Server 2012, then migrate from Server 2012 to Server 2016 or Server 2019.)

- Don't forget to back up the CertSvc registry from the source AD CS server (2008 R2) along with the CA backup.

- Don't forget to modify the CAServerName in the CertSvc registry backup from the source server name (hostname) to the destination (new) AD CS server name (hostname).


So, my concern isn't the AD CS migration process itself; my concern is that my current source (Windows Server 2008 R2) AD CS also has Network Policy Server (NPS) present.

Correct me if I am wrong, but I believe AD CS isn't dependent on NPS, but NPS is dependent on AD CS?

We were using NPS for our old Cisco wireless network (RADIUS) authentication.

However, we moved to Meraki wireless networks over a year ago, and I believe this (NPS) is no longer necessary.


With that all being said, can I just focus on migrating AD CS from my source system to the new system with NPS present on the source system?

Or should I consider uninstalling NPS on the source system prior to migrating the AD CS?

Or do I include NPS as part of the AD CS migration?



Thanks in advance.
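The two "don't forget" items above (back up the CertSvc registry alongside the CA backup, then rewrite CAServerName to the new hostname) are the steps most often done by hand. The following is an added example, not code from the original post or from the linked articles, showing those steps as a script run elevated on the source CA, plus a check that the AD CS and NPS roles are separate features. The hostnames OLDCA01 and NEWCA01 and the path C:\CABackup are placeholders.

```powershell
# Added example (not from the post or the linked articles).
# Assumptions: placeholder hostnames OLDCA01 (source) and NEWCA01 (destination),
# placeholder backup folder C:\CABackup. Run in an elevated session on the source CA.

$BackupDir = 'C:\CABackup'   # placeholder backup location
$OldHost   = 'OLDCA01'       # placeholder: source CA hostname
$NewHost   = 'NEWCA01'       # placeholder: destination CA hostname

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Back up the CA database and the CA certificate/private key.
#    certutil prompts for a password that protects the exported key.
certutil -backup $BackupDir

# 2. Export the CertSvc configuration key next to the CA backup
#    (includes the per-CA subkey that holds CAServerName).
$RegFile = Join-Path $BackupDir 'CertSvc.reg'
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $RegFile /y

# 3. Rewrite CAServerName so the exported file names the destination host.
#    reg export writes UTF-16LE, so read and write with the same encoding
#    to keep the file importable with reg import on the new server.
$content = Get-Content -Path $RegFile -Encoding Unicode
$pattern = '"CAServerName"="' + [regex]::Escape($OldHost) + '"'
$updated = $content -replace $pattern, ('"CAServerName"="' + $NewHost + '"')
Set-Content -Path $RegFile -Value $updated -Encoding Unicode

# Show the edited line(s) so the change can be eyeballed before leaving the box.
$updated | Where-Object { $_ -match 'CAServerName' }

# 4. AD CS (AD-Certificate) and NPS (NPAS, Network Policy and Access Services)
#    are separate server roles; the CA backup above does not include NPS.
Import-Module ServerManager
Get-WindowsFeature -Name AD-Certificate, NPAS |
    Format-Table Name, DisplayName, Installed -AutoSize
```

The edited CertSvc.reg is the file to carry over and import on the destination server (after the CA role is installed there and the CA backup restored); if the CAServerName line printed in step 3 still shows the old hostname, the match in `$pattern` did not hit and the file should be fixed before import. Step 4 only reports install state; it does not remove NPAS.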
rsnellman (asker):

Correction:  NPS is actually within Network Policy and Access Services server role.

So, it should be a standalone from AD CS server role, correct?

If that is the case, then I could just uninstall it before or after migrating the AD CS from Windows Server 2008 R2 to Windows Server 2019 and be fine, correct?


Thanks in advance.
arnold:

Since you are going the virtual machine route, reconsider/redesign your setup to avoid similar issues in the future.

Consider:
Create a non joined VM to function as the root cert server that is mostly offline
Then have one or two DCs that will have the issuing CA roles signed and renewed by the offline root CA... and ...

When does the certificate your 2008 CA is issuing expire?
Do you go through autoenrollment?

You will need to remove the CA role from 2008 before it can be decommissioned.

rsnellman (asker):

Could you provide some further details on this redesign path?

I am very interested in setting things up as best practice/practical.

At the moment, our AD CS doesn't seem to auto-enroll, except for DCs and a few other key systems.

However, it could just not be set up correctly or set up completely.


Anything you can provide is greatly, greatly appreciated.


Have a great day.
ASKER CERTIFIED SOLUTION (arnold)
rsnellman (asker):

No, unfortunately, I no longer have a test environment. I need to rebuild a test environment, but I have several physical servers to decom before I can repurpose that hardware for my test environment.


Thanks for the info.