
"Tae Tae" Nguyen
How to upgrade ADCS servers (root and issuing CAs) and move them to a new domain meantime keeping custom templates?
If our current Active Directory Certificate Services PKI infrastructure is based on Windows 2008 R2 and is in our old domain, what is the best way to upgrade the OS and move ADCS (including existing templates) to our newly built AD domain at the 2016 domain functional level, which is an Azure hybrid (for O365 only, however)? Any tutorials or gotchas to share?
Thanks!
T

ASKER
Thanks, guys. I was under the impression that no 2008 or 2008 R2 box can be directly upgraded to 2016 without first going through 2012.
Peter, if I go through these steps on our old ADCS, can I then import/restore everything on newly built 2016 boxes in the new domain? Do all old domain certificates get revoked?
a) Backup ADCS database, files, registry and private keys on old server.
b) Remove ADCS role from old server.
c) Install ADCS role on new server.
d) Restore ADCS database, files, registry and private keys on new server.
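The four steps above, worked through as an added example (not code from the thread or from Microsoft) for one CA, assuming the new 2016 domain is a separate forest; the backup path, domain names, CA type and password are constructed placeholders.

```powershell
# Added example, not from the thread: one CA's backup/restore for the a)-d) steps
# above, written for the case where the new 2016 domain is a separate forest.
# Paths, domain names and the password are constructed placeholders.
$BackupDir   = 'D:\CABackup'
$BackupPwd   = 'REPLACE-WITH-STRONG-PASSWORD'            # protects the exported CA private key
$CAType      = 'EnterpriseSubordinateCA'                 # 'EnterpriseRootCA' for the root CA
$OldConfigDN = 'CN=Configuration,DC=olddomain,DC=local'  # assumption
$NewConfigDN = 'CN=Configuration,DC=newdomain,DC=local'  # assumption
$TemplCN     = 'CN=Certificate Templates,CN=Public Key Services,CN=Services'

# --- a) OLD server: database + private key, registry, enabled templates, CA name ---
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
certutil -p $BackupPwd -backup $BackupDir               # DataBase\ plus <CAName>.p12
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CertSvc.reg" /y
certutil -catemplates | Out-File "$BackupDir\catemplates.txt"
certutil -cainfo name  | Out-File "$BackupDir\caname.txt"   # CA name is embedded in every issued cert's CDP/AIA: keep it
# Templates are AD objects, not CA files; export them or they will not exist in the new forest.
# nTSecurityDescriptor is omitted because its SIDs belong to the old domain: re-grant enroll rights afterwards.
ldifde -m -r '(objectClass=pKICertificateTemplate)' -o nTSecurityDescriptor `
       -d "$TemplCN,$OldConfigDN" -f "$BackupDir\templates.ldf"

# --- b) OLD server: remove the role only after c) and d) have been verified ---
# Remove-WindowsFeature ADCS-Cert-Authority

# --- c) NEW server: install the role reusing the backed-up CA certificate and key ---
Import-Module ADCSDeployment
$pfx = Get-ChildItem "$BackupDir\*.p12" | Select-Object -First 1
$sec = ConvertTo-SecureString $BackupPwd -AsPlainText -Force
Install-AdcsCertificationAuthority -CAType $CAType -CertFile $pfx.FullName -CertFilePassword $sec -Force

# --- d) NEW server: restore database, registry and templates ---
Stop-Service certsvc
certutil -f -p $BackupPwd -restore $BackupDir
reg import "$BackupDir\CertSvc.reg"
certutil -setreg CA\DSConfigDN $NewConfigDN              # restored value still points at the old forest
(Get-Content "$BackupDir\templates.ldf") -replace [regex]::Escape($OldConfigDN), $NewConfigDN |
    Set-Content "$BackupDir\templates-new.ldf"
ldifde -i -k -f "$BackupDir\templates-new.ldf"
Start-Service certsvc
Get-Content "$BackupDir\catemplates.txt" | ForEach-Object {   # lines look like "Name: Display -- flags"
    if ($_ -match '^(\S+):') { certutil -setcatemplates "+$($Matches[1])" }
}

# --- Check: CA name must match the backup, and CRL/AIA URLs must resolve from the new domain ---
# (HTTP URLs embed the OLD hostname; if that name is gone, clients fail revocation checks, as Peter notes)
certutil -cainfo name
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```

Run section a) on the old CA and sections c) and d) on the new one, then compare the final `certutil -cainfo name` output with caname.txt before decommissioning the old server.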

We have migrated our CA server through at least 4 different versions of Windows Server, and it works best when you don't skip versions.
I don't believe certificates get revoked, but if the server name changes, then the CRL (cert revocation list) checks will no longer work, and trust may be broken. In that situation, it would be advisable to renew all the user/computer certificates. If the server name is kept, then it will carry on as normal.

It makes zero difference what version of Windows you go to; you can jump from 2008 R2 straight to 2019.

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I have recommended this question be closed as follows:
Split:
-- 'Alex' (https:#a43028026)
-- 'Peter Hutchison' (https:#a43028030)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
seth2740
Experts-Exchange Cleanup Volunteer
You can go directly to 2016; hell, you can go directly to 2019 if you really wanted, which is exactly what you could do.