
How to upgrade ADCS servers (root and issuing CAs) and move them to a new domain while keeping custom templates?

Last Modified: 2020-10-14
If our current Active Directory Certificate Services PKI infrastructure is based on Windows 2008 R2 and is in our old domain, what is the best way to upgrade the OS and move ADCS (including existing templates) to our newly built 2016 domain functional level AD domain, which is an Azure hybrid (for O365 only, however)? Any tutorials or gotchas to share?

Thanks!

Alex
A lack of information provides a lack of a decent solution.
CERTIFIED EXPERT

Commented:

You can go directly to 2016; hell, you can go directly to 2019 if you really wanted, which is exactly what you could do.


"Tae Tae" Nguyen, Infrastructure Consultant

Author

Commented:
Thanks guys. I was under the impression that no 2008 or 2008 R2 box can be directly upgraded to 2016 without first going through 2012.

Peter, if I go through these steps on our old ADCS, can I then import/restore everything on newly built 2016 boxes in the new domain? Do all old domain certificates get revoked?

a) Back up ADCS database, files, registry and private keys on old server.
b) Remove ADCS role from old server.
c) Install ADCS role on new server.
d) Restore ADCS database, files, registry and private keys on new server.
Peter Hutchison, Senior Network Systems Specialist
CERTIFIED EXPERT

Commented:
We have migrated our CA server through at least 4 different versions of Windows Server, and it works best where you don't skip versions.

I don't believe certificates get revoked, but if the server name changes, then the CRL (cert revocation list) checks will no longer work, and trust may be broken. In that situation, it would be advisable to renew all the user/computer certificates. If the server name is kept, then it will carry on as normal.
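
Editor's added example (not part of the thread and not code posted by any participant): the server-name concern in the reply above can be checked before a migration by listing the CRL distribution point (CDP) URLs inside issued certificates and flagging those that embed the old CA host name. `ca01.old.example`, `Example-CA` and the sample extension text are constructed placeholders; the function names are hypothetical.

```powershell
# Added example. Host names and the sample text are constructed, not from the thread.
function Get-CdpUrl {
    # Pull the URL= entries out of a formatted CRL Distribution Points extension.
    param([Parameter(Mandatory)][string]$CdpText)
    [regex]::Matches($CdpText, 'URL=([^\r\n]+)') |
        ForEach-Object { $_.Groups[1].Value.Trim() }
}

function Select-CdpForHost {
    # Return only the URLs that embed the given CA host name.
    param([string[]]$Url, [Parameter(Mandatory)][string]$HostName)
    $short = $HostName.Split('.')[0]
    foreach ($u in $Url) {
        $hit = if ($u -match '^ldap:') {
            # Default LDAP CDP stores the CRL under CN=<server short name>,CN=CDP,...
            $u -match "CN=$([regex]::Escape($short)),CN=CDP,"
        } else {
            ($u -as [uri]).Host -in @($HostName, $short)
        }
        if ($hit) { $u }
    }
}

function Get-CertCdpReport {
    # One row per certificate: all CDP URLs, and those tied to the old CA host.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificate,
          [Parameter(Mandatory)][string]$OldCaHost)
    foreach ($c in $Certificate) {
        $ext  = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        $urls = if ($ext) { @(Get-CdpUrl ($ext.Format($true))) } else { @() }
        [pscustomobject]@{
            Subject     = $c.Subject
            NotAfter    = $c.NotAfter
            CdpUrls     = $urls
            OldHostUrls = @(Select-CdpForHost -Url $urls -HostName $OldCaHost)
        }
    }
}

# Constructed sample of the formatted extension text for a certificate with two CDPs.
$sample = @'
[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap:///CN=Example-CA,CN=CA01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=old,DC=example?certificateRevocationList?base?objectClass=cRLDistributionPoint
               URL=http://pki.old.example/CertEnroll/Example-CA.crl
'@
Select-CdpForHost -Url (Get-CdpUrl $sample) -HostName 'ca01.old.example'
# On a member machine: Get-CertCdpReport (Get-ChildItem Cert:\LocalMachine\My) 'ca01.old.example'
```

With the constructed sample, only the LDAP URL is returned, because it contains the CA server's short name, while the HTTP URL uses a separate alias.
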
Alex
A lack of information provides a lack of a decent solution.
CERTIFIED EXPERT

Commented:

It makes zero difference what version of Windows you go to; you can jump from 2008 R2 straight to 2019.


Seth Simmons, Lead Systems Administrator
CERTIFIED EXPERT
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- 'Alex' (https:#a43028026)
-- 'Peter Hutchison' (https:#a43028030)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
