Leadtheway (United States) asked:
Migrating Certificate services from 2008 to 2019

So I inherited 2 CA servers: one is the root, which remains powered off, and the other handles issuing. They are both 2008 R2. So I'm just hoping to clarify my steps to see if I'm missing anything.

Build two new 2019 servers
Power on root, back up CA and keys and registry
Back up CA, keys and registry on issuing CA
Remove roles from both and rename/re-IP
Add 2 new servers to AD with the same names/IPs as the old servers
Install CA role on both
Restore backups/registry

am I missing anything?
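The backup and restore steps listed above, scripted in PowerShell as an added example; this is not code from the thread or from Microsoft's migration guide. It assumes a staging folder C:\CABackup and a backup password supplied by the operator, and that the CA role is already installed on the new server before the restore runs. The backup directory will contain the CA's private key as a password-protected PFX, so handle the folder and the password with the same care as the CA itself (especially the root's).

```powershell
# Added example (not from the original post): scripted version of the asker's
# backup/restore steps. Run as a member of the CA server's local Administrators.
# $BackupDir and the password are assumptions chosen for this example.
$CertSvcKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# --- Run on each OLD 2008 R2 CA (power on the root first) ---
function Backup-OldCa {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$KeyPassword)

    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # 1. CA database and private key; the key lands in a PFX protected by $KeyPassword.
    certutil -p $KeyPassword -backup $Path
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed ($LASTEXITCODE)" }

    # 2. The CertSvc registry hive (CSP/hash settings, CRL/AIA paths, validity periods).
    reg export $CertSvcKey (Join-Path $Path 'CertSvc.reg') /y
    if ($LASTEXITCODE -ne 0) { throw "reg export failed ($LASTEXITCODE)" }

    # 3. Items certutil -backup does not capture: CAPolicy.inf, the templates the
    #    issuing CA publishes, and the CSP settings in readable form for comparison later.
    if (Test-Path "$env:SystemRoot\CAPolicy.inf") {
        Copy-Item "$env:SystemRoot\CAPolicy.inf" $Path
    }
    certutil -catemplates | Out-File (Join-Path $Path 'templates.txt')
    certutil -getreg CA\CSP     | Out-File (Join-Path $Path 'csp.txt')
}

# --- Run on the NEW 2019 server (same name/IP as the old CA, role installed) ---
function Restore-NewCa {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$KeyPassword)

    # certutil -restore requires the service to be stopped.
    Stop-Service CertSvc

    # Restore the database and key from the backup directory (-f overwrites).
    certutil -f -p $KeyPassword -restore $Path
    if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed ($LASTEXITCODE)" }

    # Import the saved CertSvc configuration over the freshly installed one.
    reg import (Join-Path $Path 'CertSvc.reg')
    if ($LASTEXITCODE -ne 0) { throw "reg import failed ($LASTEXITCODE)" }

    Start-Service CertSvc

    # Sanity checks: the CA answers, and its CSP settings match what was recorded.
    certutil -ping
    certutil -getreg CA\CSP
}

# Usage (assumed values):
#   Backup-OldCa  -Path 'C:\CABackup' -KeyPassword (Read-Host 'Backup password')
#   ... copy C:\CABackup to the new server, then on it:
#   Restore-NewCa -Path 'C:\CABackup' -KeyPassword (Read-Host 'Backup password')
```

Compare csp.txt from the old server with the output of the final `certutil -getreg CA\CSP` on the new one before issuing anything; a mismatch there is the quickest sign that the registry import did not land where the new install expects it.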
Adam Brown (United States) answered:

You're missing the fact that 2008R2 ADCS can't migrate directly to 2019. You have to hop to 2012R2 first, and configure the CA to use SHA256 instead of SHA1 (because 2019 doesn't have SHA1 as an option). https://social.technet.microsoft.com/wiki/contents/articles/37373.migrating-ad-certificate-services-from-windows-server-2008-to-windows-server-2016.aspx explains the process.
Leadtheway (asker) replied:

I'd go with the article from Microsoft instead of the one from a random IT company blog.
Funny, the exact article is on Microsoft as well. But the issue is raised in the comments and finally someone from Microsoft chimed in:

Paul_Adare (Microsoft), 12-12-2019 09:24 AM:
@RasmusJohnsen I am the Feature PM at Microsoft for ADCS and I need to point out some issues in your replies:
When migrating from 2008R2 to 2016 or 2019 the interim step of going to 2012R2 first is not required. That interim step is only required if you're starting with 2008 or earlier.
Your comment about removing all but the 4 entries from the registry backup is also not required.
Your reply regarding using certutil to add custom templates after a migration is a workaround and not a real solution. Occasionally, during a migration a couple of things may happen that prevent you from being able to publish custom templates with the GUI. One solution is to use ADSIEdit and navigate to CN=Configuration | CN=Services | CN=Public Key Services | CN=Enrollment Services. Right-click the CA in the right pane that you want to enroll from and click Properties. Find the flags attribute and verify that it is set to 10. If it isn't set to 10, then set it to 10 using ADSIedit.msc and allow for Active Directory replication to complete. The second thing to try is to run certutil -setreg ca\setupstatus +512 on the CA.
Never had to migrate a CA, so it's crazy all the info that goes into it. Thanks for chiming in. Definitely made me look deeper. So it appears that since we are running R2 we should be OK to go direct to 2019. So it appears I just need to follow the steps in the article I posted, then? Any other gotchas I should be on the lookout for?
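The two post-migration checks from Paul Adare's reply quoted above, as an added PowerShell example (not code from the thread): read the flags attribute on the CA's object under CN=Enrollment Services and set it to 10 if it differs, then check whether bit 512 (0x200) is present in the CA's SetupStatus registry value and add it with certutil if not. The values 10 and +512 come from the reply; the ActiveDirectory module requirement, the use of the registry's Active value to find the CA name, and the -Fix switch are this example's own assumptions.

```powershell
# Added example (not from the original thread). Requires the ActiveDirectory
# module (RSAT) and an account allowed to read/write the CA's Enrollment Services
# object. Run on the migrated CA itself.
Import-Module ActiveDirectory

$CertSvcConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The Active value under the CertSvc Configuration key names the CA on this server.
function Get-LocalCaName {
    (Get-ItemProperty -Path $CertSvcConfig -Name Active).Active
}

# Check 1 from the reply: flags on the Enrollment Services object must be 10,
# otherwise the Certificate Templates GUI may not publish custom templates.
function Test-EnrollmentServicesFlags {
    param([Parameter(Mandatory)][string]$CaName, [switch]$Fix)

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$CaName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    $obj = Get-ADObject -Identity $dn -Properties flags

    if ($obj.flags -eq 10) {
        Write-Host "OK: flags = 10 on $dn"
        return $true
    }
    Write-Warning "flags is $($obj.flags) on $dn (expected 10)"
    if ($Fix) {
        # Same change the reply makes by hand in ADSIEdit; let AD replication
        # complete before retrying template publication in the GUI.
        Set-ADObject -Identity $dn -Replace @{ flags = 10 }
        Write-Host "flags set to 10; allow replication to complete"
    }
    return $false
}

# Check 2 from the reply: certutil -setreg ca\setupstatus +512 adds bit 0x200 to
# the CA's SetupStatus DWORD. Inspect the bit first so the fix is only applied once.
function Test-SetupStatusBit {
    param([Parameter(Mandatory)][string]$CaName, [switch]$Fix)

    $key    = Join-Path $CertSvcConfig $CaName
    $status = (Get-ItemProperty -Path $key -Name SetupStatus).SetupStatus

    if ($status -band 512) {
        Write-Host ("OK: SetupStatus 0x{0:X} already includes 0x200" -f $status)
        return $true
    }
    Write-Warning ("SetupStatus is 0x{0:X}; bit 0x200 not set" -f $status)
    if ($Fix) {
        certutil -setreg ca\setupstatus +512
        if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed ($LASTEXITCODE)" }
        # CA registry settings are read at service start.
        Restart-Service CertSvc
    }
    return $false
}

# Usage: report first, then re-run with -Fix once the output looks right.
$caName = Get-LocalCaName
Test-EnrollmentServicesFlags -CaName $caName
Test-SetupStatusBit          -CaName $caName
# Test-EnrollmentServicesFlags -CaName $caName -Fix
# Test-SetupStatusBit          -CaName $caName -Fix
```

Run the report-only form on both the migrated issuing CA and, while it is powered on, the root; the flags check is only meaningful for a CA that enrolls from AD, so on a standalone offline root expect Get-ADObject to fail because the Enrollment Services object does not exist, and treat that as expected rather than as a migration fault.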
ASKER CERTIFIED SOLUTION: Leadtheway (United States). The solution text is not available on this page.