"Tae Tae" Nguyen asked:

How to upgrade ADCS servers (root and issuing CAs) and move them to a new domain while keeping custom templates?

If our current Active Directory Certificate Services PKI infrastructure is based on Windows 2008 R2 and is in our old domain, what is the best way to upgrade the OS and move ADCS (including existing templates) to our newly built AD domain at the 2016 domain functional level, which is an Azure hybrid (for O365 only, however)? Any tutorials or gotchas to share?

Thanks!

T
Tags: Active Directory Certificate Services, Windows OS, Windows Server 2008, Active Directory

Last Comment
Seth Simmons

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Alex

SOLUTION
Peter Hutchison

Alex

You can go directly to 2016, hell you can go directly to 2019 if you really wanted which is exactly what you could do


"Tae Tae" Nguyen

ASKER
Thanks guys.  I was under the impression that no 2008 or 2008 R2 box can be directly upgraded to 2016 without first going through 2012.  

Peter, if I go through these steps on our old ADCS, can I then import/restore everything on newly built 2016 boxes in the new domain?   Do all old domain certificates get revoked?

a) Backup ADCS database, files, registry and private keys on old server.
b) Remove ADCS role from old server.
c) Install ADCS role on new server.
d) Restore ADCS database, files, registry and private keys on new server
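The four steps listed above, written out as an added PowerShell/certutil walkthrough (this is not code from the thread or from any of the posters): the backup half runs on the old 2008 R2 CA with certutil, because the ADCSAdministration module only exists from 2012 onward, and the restore half runs on the new 2016 server. The backup path C:\CABackup, the PFX password prompt and the assumption that the old CA's .p12 file is named after the CA are placeholders; the registry values touched are the standard CertSvc configuration keys.

```powershell
# ===== On the OLD 2008 R2 CA =====
$BackupDir = 'C:\CABackup'   # assumed location; copy it off the box afterwards
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Step a) database + logs + CA certificate/private key (exported as <CAName>.p12).
# -p protects the exported private key; the password is needed again at restore.
certutil -p '<pfx-password>' -backup $BackupDir

# The CA's configuration is registry-only; export it so it can be reviewed and re-applied.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CertSvc.reg" /y

# Templates live in AD, not in the CA database, so record what the CA publishes
# and dump the template definitions for re-creation in the new forest.
certutil -catemplates   > "$BackupDir\published-templates.txt"
certutil -v -template   > "$BackupDir\template-definitions.txt"

# Integrity record: certutil -hashfile exists on 2008 R2 (Get-FileHash does not).
Get-ChildItem $BackupDir -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
    "$($_.FullName) " + (certutil -hashfile $_.FullName SHA256 | Select-Object -Index 1)
} | Set-Content "$BackupDir\hashes.txt"

# Step b) remove the role only after the backup has been verified off-box.
# (Server Manager / ServerManagerCmd on 2008 R2; Remove-WindowsFeature on 2012+.)

# ===== On the NEW 2016 server in the new domain =====
# Step c) install the role, re-using the OLD CA certificate and key so existing
# certificates still chain to the same CA. The CA name is read from the PFX.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
$PfxPassword = Read-Host 'PFX password' -AsSecureString
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CertFile "$BackupDir\<CAName>.p12" -CertFilePassword $PfxPassword -Force

# Step d) put the database back, then merge the old configuration.
Stop-Service CertSvc
Restore-CARoleService -Path $BackupDir -DatabaseOnly -Force
reg import "$BackupDir\CertSvc.reg"

# Gotcha raised later in the thread: values in the imported hive still name the
# OLD host. If the hostname changed, CRL/AIA URLs embedded in issued certificates
# no longer resolve, so either keep the name or plan on renewing certificates.
$Cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CaName = (Get-ItemProperty -Path $Cfg).Active
Set-ItemProperty -Path (Join-Path $Cfg $CaName) -Name CAServerName -Value $env:COMPUTERNAME
Start-Service CertSvc

# Re-publish the templates the old CA offered. They must already have been
# re-created in the new forest (from template-definitions.txt); missing ones are reported.
Get-Content "$BackupDir\published-templates.txt" |
    Where-Object { $_ -match '^(?<name>[^:\s]+):' -and $_ -notmatch '^CertUtil:' } |
    ForEach-Object {
        $tmpl = $Matches['name']
        try   { Add-CATemplate -Name $tmpl -Force }
        catch { Write-Warning "Template '$tmpl' not found in the new forest: $_" }
    }
```

The sequence does not revoke anything: the restored database carries the old issued-certificate and revocation records, and because the same CA key is reinstalled the old certificates still validate. What decides whether clients keep trusting them is whether the CDP/AIA locations baked into those certificates are still reachable after the move, which is why the hostname and the published CRL matter more than the OS version.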
Peter Hutchison

We have migrated our CA server through at least 4 different versions of Windows server and works best where you don't skip versions.

I don't believe certificates get revoked, but if the server name changes, then the CRL (certificate revocation list) checks will no longer work, and trust may be broken. In that situation, it would be advisable to renew all the user/computer certificates. If the server name is kept, then it will carry on as normal.
Alex

It makes zero difference what version of windows you go to, you can jump from 2008r2 straight to 2019.


Seth Simmons

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- 'Alex' (https:#a43028026)
-- 'Peter Hutchison' (https:#a43028030)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer