ITOps Talk Blog

Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2003 to 2012 R2

AnthonyBartolo
Dec 27, 2018

Support for both Windows Server 2003 and 2003 R2 ended on July 14th, 2015, and yet several organizations still operate their businesses on it, and a vast number of IT professionals are still in the midst of planning a migration. This guide, originally shared by Microsoft MVP Dishan Francis, provides the steps for migrating AD CS from Windows Server 2003 to Windows Server 2012 R2.

This demonstration uses the following setup.

Server Name                    | Operating System                      | Server Roles
canitpro-casrv.canitpro.local  | Windows Server 2003 R2 Enterprise x86 | AD CS (Enterprise Certificate Authority)
CANITPRO-DC2K12.canitpro.local | Windows Server 2012 R2 x64            | -

Step 1: Back up the Windows Server 2003 certificate authority database and its configuration

  1. Log in to the Windows Server 2003 server as a member of the local Administrators group.
  2. Go to Start > Administrative Tools > Certificate Authority.
  3. Right-click the server node > All Tasks > Backup CA.
  4. This opens the Certification Authority Backup Wizard. Click Next to continue.
  5. In the next window, select the check boxes for the options highlighted in the screenshot and click Browse to provide the folder where the backup files will be saved. Then click Next to continue.
  6. You will then be asked for a password to protect the private key and CA certificate file. Enter the password and click Next to continue.
  7. The next window shows a confirmation; click Finish to complete the process.

 

Step 2: Back up the CA registry settings

  1. Click Start > Run, type regedit and click OK.
  2. Expand the key at the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc
  3. Right-click the Configuration key and click Export.
  4. In the next window, select the path where the backup file should be saved and give it a name. Then click Save to complete the backup.
  5. We now have the backup of the CA; move these files to the new Windows Server 2012 R2 server.
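The same two backups can be scripted instead of clicked through. The script below is an added example and not part of the original post; it assumes the backup folder C:\CABackup on the Windows Server 2003 CA host, where certutil.exe and reg.exe are present (PowerShell is not installed on 2003 by default, so the two commands marked with their cmd.exe form can be typed there unchanged).

```powershell
# Added example, not from the original post: scripted equivalent of Steps 1 and 2.
# Assumption: the backup is written to C:\CABackup on the Windows Server 2003 CA host.
$BackupDir = 'C:\CABackup'

# certutil -backup refuses a non-empty target, so create it fresh or insist it is empty.
if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
} elseif (Get-ChildItem $BackupDir) {
    throw "$BackupDir must be empty before running certutil -backup"
}

# The password protects the exported private key and CA certificate; the same password
# is required again when the key is imported on the 2012 R2 server (Step 5).
# certutil only accepts it as a plain argument, so type it here rather than embedding it.
$Password = Read-Host -Prompt 'Password to protect the CA private key'

# Step 1 equivalent (cmd.exe: certutil -p <password> -backup C:\CABackup KeepLog):
# writes <CAName>.p12 (certificate and private key) and DataBase\ (the .edb plus logs).
certutil -p $Password -backup $BackupDir KeepLog
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed (exit code $LASTEXITCODE)" }

# Step 2 equivalent (cmd.exe: reg export <key> C:\CABackup\CertSvc-Configuration.reg):
# exports the Configuration key under CertSvc that the post exports through regedit.
$RegFile = Join-Path $BackupDir 'CertSvc-Configuration.reg'
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $RegFile
if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit code $LASTEXITCODE)" }

# Check that all three artifacts exist before the CA role is removed in Step 3;
# once the role is uninstalled there is no second chance to take this backup.
$Missing = @()
if (-not (Get-ChildItem "$BackupDir\*.p12"))          { $Missing += 'CA certificate and key (.p12)' }
if (-not (Get-ChildItem "$BackupDir\DataBase\*.edb")) { $Missing += 'certificate database (.edb)' }
if (-not (Test-Path $RegFile))                        { $Missing += 'registry export (.reg)' }
if ($Missing) { throw "Backup incomplete, missing: $($Missing -join ', ')" }

Write-Host "Backup complete in $BackupDir; copy this folder to the 2012 R2 server."
```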

     

Step 3: Uninstall the CA service from Windows Server 2003

Now that the backup files are ready, and before configuring certificate services on the new Windows Server 2012 R2 server, we can uninstall the CA service from the Windows Server 2003 server. To do that, follow these steps.

  1. Click Start > Control Panel > Add or Remove Programs.
  2. Next, click Add/Remove Windows Components.
  3. In the next window, clear the Certificate Services check box and click Next to continue.
  4. Click Finish once the process is completed.

With Certificate Authority Services now removed from Windows Server 2003, the next step is to configure the Windows Server 2012 R2 CA services.
 

Step 4: Install Windows Server 2012 R2 Certificate Services

  1. Log in to the Windows Server 2012 R2 server as Domain Administrator or as a member of the local Administrators group.
  2. Go to Server Manager > Add roles and features.
  3. This opens the Add Roles and Features Wizard. Click Next to continue.
  4. In the next window, select Role-based or feature-based installation and click Next to continue.
  5. In the server selection window, keep the default selection and click Next to continue.
  6. In the next window, tick the check box to select the Active Directory Certificate Services role. A notification will pop up listing the required features that need to be added; click Add Features to add them.
  7. Next, in the features section, leave the defaults. Click Next to continue.
  8. The next window provides a brief description of AD CS. Review it and click Next to continue.
  9. Next you are given the option to select role services. I have selected Certification Authority and Certification Authority Web Enrollment. Click Next to continue.
  10. Since Certification Authority Web Enrollment is selected, IIS is required, so the next window gives a brief description of IIS. Review it and click Next.
  11. The next window gives an option to add IIS role services. Leave it at the default and click Next to continue.
  12. The final window shows a confirmation of the services to be installed. Review it and click Install to start the installation.
  13. Close the wizard once the installation is complete.
     

Step 5: Configure AD CS

In this step, we will work through the configuration and restore the backup we created previously.

  1. Log in to the server as Enterprise Administrator.
  2. Go to Server Manager > AD CS.
  3. The panel on the right shows the message highlighted in yellow. Click More.
  4. A window opens, and you will need to click Configure Active Directory Certificate Service ……
  5. This opens the role configuration wizard, which gives an option to change the credentials. As we are already logged in as Enterprise Administrator, we can leave the default and click Next to continue.
  6. The next window asks which services you would like to configure. Select both Certification Authority and Certification Authority Web Enrollment and click Next to continue.
  7. Next is the Enterprise CA requirement. In this window, select Enterprise CA as the setup type and click Next to continue.
  8. In the next window, select Root CA as the CA type and click Next to continue.
  9. The next option is especially important. If this were a new installation, we would only need to create a new private key. But since this is a migration, we already have a backup of the private key, so select the options highlighted in the screenshot. Then click Next to continue.
  10. In the next window, click Import.
  11. Next you are given the option to select the key we backed up from the Windows Server 2003 server. Browse to and select the key from the backup we made, provide the password we used to protect it, and then click OK.
  12. With the key successfully imported, in the next window select the imported certificate and click Next to continue.
  13. In the next window, we can define the certificate database path. Here I will leave it at the default and click Next to continue.
  14. The next window provides the configuration confirmation. Review it and click Configure to proceed.
  15. Once completed, click Close to exit the configuration wizard.
     

Step 6: Restore the CA backup

Now comes the most important part of the process, which is restoring the CA backup made on Windows Server 2003.

  1. Go to Server Manager > Tools > Certification Authority.
  2. Next, right-click the server node > All Tasks > Restore CA.
  3. It will then ask whether it is okay to stop the certificate service to proceed. Click OK.
  4. This opens the Certification Authority Restore Wizard. Click Next to continue.
  5. In the next window, browse to the folder where we stored the backup and select it. Then select the options highlighted in the screenshot below. Click Next to continue.
  6. The next window asks for the password we used to protect the private key during the backup process. Once it is entered, click Next to continue.
  7. In the next window, click Finish to complete the import process.
  8. Once the import process is completed, the system asks whether it is okay to start the certificate service again. At this point, start the service to bring it back online.
     

Step 7: Restore the registry information

During the CA backup process we also backed up the registry key, and it is now time to restore it.

  1. Open the folder that contains the backed-up .reg file and double-click it.
  2. Click Yes to proceed with restoring the registry key.
  3. Once completed, details of the successful restore are displayed.
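Steps 4 to 7 on the 2012 R2 side can also be driven from PowerShell with the ADCSDeployment and ADCSAdministration modules that ship with the role. This script is an added example, not from the original post; it assumes the backup folder was copied to C:\CABackup, that the exported key file is the .p12 in that folder, and that it runs as Enterprise Administrator on the new server.

```powershell
# Added example, not from the original post: Steps 4 to 7 without the wizards.
# Assumptions: backup copied to C:\CABackup; run as Enterprise Administrator on 2012 R2.
$BackupDir = 'C:\CABackup'
$RegFile   = Join-Path $BackupDir 'CertSvc-Configuration.reg'
$KeyFile   = Get-ChildItem "$BackupDir\*.p12" | Select-Object -First 1
if (-not $KeyFile) { throw "No .p12 key backup found in $BackupDir" }

# Step 4: install the same role services the post selects in the wizard.
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools | Out-Null
Import-Module ADCSDeployment, ADCSAdministration

# Step 5: Enterprise Root CA that reuses the backed-up key and certificate instead of
# generating a new key, so the CA keeps its identity and already-issued certificates
# still chain to it. The password is the one chosen during the Step 1 backup.
$Password = Read-Host -Prompt 'Password used to protect the backup' -AsSecureString
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CertFile $KeyFile.FullName -CertFilePassword $Password -Force | Out-Null
Install-AdcsWebEnrollment -Force | Out-Null

# Step 6: restore the database (issued certificates, requests, revocation state).
# The service is stopped for the restore; the key is already in place, so database only.
Stop-Service CertSvc
Restore-CARoleService -Path $BackupDir -DatabaseOnly -Force

# Step 7: import the registry export. It carries the old CA's settings verbatim,
# including values that may still name the old host (for example CAServerName), so
# they are printed for review before the service comes back.
reg import $RegFile
if ($LASTEXITCODE -ne 0) { throw "reg import failed (exit code $LASTEXITCODE)" }
$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CAName    = (Get-ItemProperty $ConfigKey).Active
$CAConfig  = Get-ItemProperty (Join-Path $ConfigKey $CAName)
Write-Host "Restored CA '$CAName'; CAServerName = $($CAConfig.CAServerName) (this host: $env:COMPUTERNAME)"

Start-Service CertSvc

# Check: the CA must answer and report the restored name before templates are reissued.
certutil -ping | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certutil -ping failed: the CA service is not answering' }
certutil -cainfo name
```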

     

Step 8: Reissue Certificate Templates

With the migration process now complete, it is time to reissue the certificate templates. I had a template set up in the Windows Server 2003 environment called "PC Certificate" which issues certificates to the domain computers. Let's see how I can reissue it.

  1. Open the Certification Authority snap-in.
  2. Right-click the Certificate Templates folder > New > Certificate Template to Reissue.
  3. From the certificate templates list, click the appropriate certificate template and click OK.

Step 9: Test the CA

Here I already had a certificate template set up for PCs and set to auto-enroll. For testing purposes I have set up a Windows PC called demo1 and added it to the canitpro.local domain. Once it has loaded for the first time, open the Certification Authority snap-in on the server, expand the Issued Certificates section, and you can clearly see the new certificate issued for the PC.

This confirms the migration is successful and completes the migration process.
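Steps 8 and 9 can be checked from the CA's command line as well. The script below is an added example, not part of the original post; it assumes the template's internal name is PC Certificate as the post names it (a template's display name and name can differ), that the test client is demo1 in canitpro.local, and that PowerShell remoting to demo1 is enabled.

```powershell
# Added example, not from the original post: Steps 8 and 9 from the CA's PowerShell session.
# Assumptions: template name 'PC Certificate', test client demo1 in canitpro.local,
# PowerShell remoting enabled to demo1, script run on the CA as Enterprise Administrator.
Import-Module ADCSAdministration

$TemplateName  = 'PC Certificate'
$ClientAccount = 'CANITPRO\demo1$'   # computer account that autoenrolls

# Step 8: publish the template on the CA (the snap-in's New > Certificate Template to Reissue).
# Get-CATemplate lists what this CA already issues, so the step is safe to rerun.
if (-not (Get-CATemplate | Where-Object { $_.Name -eq $TemplateName })) {
    Add-CATemplate -Name $TemplateName -Force
    Write-Host "Published template '$TemplateName' on the CA"
}

# Step 9: trigger autoenrollment on the client now instead of waiting for the next
# scheduled pulse (on the client itself this is simply: certutil -pulse).
Invoke-Command -ComputerName demo1 -ScriptBlock { certutil -pulse } | Out-Null

# Then read the CA database the way the Issued Certificates view does.
# Disposition 20 is "issued"; RequesterName is the account the request came from.
$Issued = certutil -view -restrict "RequesterName=$ClientAccount,Disposition=20" `
                   -out 'RequestID,CommonName,CertificateTemplate,NotAfter'
$Rows = @($Issued | Select-String '^Row \d+:').Count
if ($Rows -eq 0) { throw "No issued certificate found for $ClientAccount; autoenrollment did not succeed" }
Write-Host "$Rows certificate(s) issued to $ClientAccount:"
$Issued
```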

 

Below is also an informative video detailing other considerations when migrating from Windows Server 2003.

 

Updated Jul 09, 2021

19 Comments

  • Chase Roth (Copper Contributor)

    AnthonyBartolo, EddPr I agree, 2008 R2 to 2019 with Offline root CA and Online Issuing CA (subordinate), and I have a separate web IIS for CRL usage. Is this available yet? Almost a month since you mentioned you were working on it. Hoping it is done and you can post a link.

  • EddPr (Copper Contributor)

    Hi AnthonyBartolo

    I am looking to migrate from 2008 R2 to 2019 in the next few weeks - do you have an ETA on the steps needed?

    Also, do you have any information on additional steps (if any) you have to do should you have an offline root CA along with the enterprise subordinate one(s)?

    Finally, I am trying to get it clear in my head how I ensure the old issued certificates remain valid when the CRL expires, or is the answer that you need to reissue them all prior to the CRL expiring?

    Thanks for your help

    Edd

  • Hi Andrej_Vizvary. Our team is working on steps to migrate from 2008 R2 to 2019. No ETA on its completion yet, but I will share its publish date when it becomes available.

  • Jon Bonner (Copper Contributor)

    Does it matter if the new server has a different name than the old one?

  • wroot (Silver Contributor)

    I'm not surprised. At my previous job we only got rid of the last 2003 VM a year ago. It wasn't very critical though. But when I was leaving there were ~15 2008/R2 VM servers with some critical services running (although inside a LAN). I think many of them will stay on 2008 for at least a few years because of lack of IT staff, knowledge, compatibility issues and lack of budget for new licenses and hosting. And I can't imagine how they are going to move a '6-server heavily modified SharePoint 2010 farm' anywhere. It's not that these problems are new in the IT field. We have dealt with migrations from older systems in the past, but as IT becomes more complicated every day sometimes it just feels unbearable. Well, there should be a clear strategy and good planning to overcome such things. But that's another topic :)

  • wroot agreed, however you'd be surprised at the number of organizations (financial, government, transportation, education, etc.) that are still based on Windows Server 2003 and looking to modernize. This post is a repost from our former site, CANITPRO.NET, and is still of great interest to those organizations that can only modernize at a snail's pace due to regulations or other factors.

    Happy to write about any challenges you are currently facing in the future. Just let the team know what topics you'd like to see covered.

  • wroot (Silver Contributor)

    There is probably more use for a guide on migrating from 2008 (or R2) to newer versions like 2016/2019, as 2008 should be widely in use since it is still in support for a year.