RasmusJohnsen I am the Feature PM at Microsoft for ADCS and I need to point out some issues in your replies:
- When migrating from 2008R2 to 2016 or 2019 the interim step of going to 2012R2 first is not required. That interim step is only required if you're starting with 2008 or earlier.
- Your comment about removing all but the 4 entries from the registry backup is also not required.
- Your reply regarding using certutil to add custom templates after a migration is a workaround and not a real solution. Occasionally, during a migration, a couple of things may happen that prevent you from being able to publish custom templates with the GUI. One solution is to use ADSIEdit and navigate to CN=Configuration | CN=Services | CN=Public Key Services | CN=Enrollment Services. Right-click the CA in the right pane that you want to enroll from and click Properties. Find the flags attribute and verify that it is set to 10. If it isn’t set to 10, then set it to 10 using ADSIedit.msc and allow for Active Directory replication to complete. The second thing to try is to run certutil -setreg ca\setupstatus +512 on the CA.
Hope these clarifications help you folks.
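
A read-only way to check both conditions described in the post above before changing anything, as an added example that is not part of the original post. It assumes it is run in PowerShell on the CA itself by an account that can read the Configuration partition, and that the CA configuration lives under the standard CertSvc registry key; the variable names are illustrative.

```powershell
# Read-only check: reports state, changes nothing.
$ExpectedFlags  = 10    # value the post says the flags attribute must have
$SetupStatusBit = 512   # bit the post sets with: certutil -setreg ca\setupstatus +512

# 1) flags attribute on every CA object under CN=Enrollment Services.
#    [ADSI] is used so the ActiveDirectory module is not required.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNC  = [string]$rootDse.Properties['configurationNamingContext'][0]
$container = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter      = '(objectClass=pKIEnrollmentService)'
$searcher.SearchScope = 'OneLevel'
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'flags'))

foreach ($entry in $searcher.FindAll()) {
    # A missing flags attribute is reported as <not set> rather than as 0.
    $flags = if ($entry.Properties['flags'].Count -gt 0) { [int]$entry.Properties['flags'][0] } else { $null }
    [pscustomobject]@{
        Check    = 'AD flags'
        CA       = [string]$entry.Properties['cn'][0]
        Value    = if ($null -eq $flags) { '<not set>' } else { $flags }
        Expected = $ExpectedFlags
        OK       = ($flags -eq $ExpectedFlags)
    }
}

# 2) SetupStatus registry value of the CA installed on this machine.
$cfgPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$active  = (Get-ItemProperty -Path $cfgPath -Name Active -ErrorAction SilentlyContinue).Active
if ($active) {
    $status = [int](Get-ItemProperty -Path (Join-Path $cfgPath $active) -Name SetupStatus).SetupStatus
    [pscustomobject]@{
        Check    = 'SetupStatus'
        CA       = $active
        Value    = '0x{0:X}' -f $status
        Expected = "bit $SetupStatusBit set"
        OK       = [bool]($status -band $SetupStatusBit)
    }
} else {
    Write-Warning "No active CA configuration found under $cfgPath; run this on the CA."
}
```

A row with OK = False identifies which of the two fixes from the post applies; the flags value read from one domain controller may lag until replication completes.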