Home / server / Questions / 1092600
In Process
jrd1989
Asked: 2022-02-04 12:21:44 +0800 CST

How to Properly Migrate Active Directory Certificate Services

  • 772

I have Active Directory Certificate Services installed on a Windows 2016 domain controller. We plan on spinning up Windows 2019 instances to replace our 2016 domain controllers. We have one DC with ADCS services installed, specifically it has the certificate authority role and is set as an Enterprise CA (not stand-alone).

What is the best process for migrating the AD CS services to this new 2019 server and decommissioning the 2016 server hosting AD CS? According to this article it seems like a simple backup, add ADCS role/features and restore somr data but maybe I'm oversimplifying things - https://4sysops.com/archives/migrate-ad-certificate-services-to-a-new-server/.

My concern is what happens to the certificates we've already signed with the existing CA server and that are actively in use? Will they continue to function and/or stay valid if the CA is down, albeit temporarily? The name assigned to the CA is separate from the host name of the server currently hosting AD CS so the 2019 server having a different host name assigned shouldn't be an issue, correct?

If anybody has gone through this before or has some useful suggestions/tips I would greatly appreciate it!

migration domain-controller certificate certificate-authority windows-server-2016

1 Answers

  1. > the 2019 server having a different host name assigned shouldn't be an issue, correct?

    Unfortunately it's not correct at all.
    Moving a Certification Authority to a new server with the same name is a quite straightforward process, but it gets a lot more difficult if the new server has a different name.

    Also, hosting a Certification Authority on a Domain Controller is definitely not recommended, last but not least because you can't promote, demote or rename a server which is hosting a CA; you really should take this opportunity to separate the two roles on two different servers.

    How to do this the proper way:

    • Install a new server with a new name and join it to the domain.
    • Promote the new server to Domain Controller; make sure to install DNS and to make it a Global Catalog.
    • Perform a CA backup of your Certification Authority, including the root certificate.
    • Remove AD CS from the old server.
    • Move all FSMO roles to the new server.
    • Configure both servers and all domain member computers to use the new server as their primary DNS (or swap the two servers' IP addresses).
    • Demote the old server.
    • Remove the old server form the domain (or, if you need to keep it around for a while, rename it in order to free up its name).
    • Install an additional new server with the same name as the old one; join it to the domain.
    • Install AD CS on the new server using the existing root certificate and the same CA settings.
    • Restore the CA backup on the new server.

    Of course, there are several additional details; but this is the full outline of the process.

    Oh, and don't forget to add another Domain Controller. You really should not have only one of them.

    Re-reading your question, it's not really clear how many Domain Controllers you have; if you already have more than one of them, this will make things a bit easier. But you'll still have to recycle the server name, and you can't demote or rename a server as long as it's hosting a CA; thus:

    • Perform CA backup
    • Remove AD CS
    • Demote server
    • Remove (or rename) server
    • Add new server with same name
    • Install AD CS
    • Restore CA backup
    • 1