@Paul_Adare
Thank you for stepping in here... Like many others I have a 2008R2 CA and am looking to go to a 2019 Server.
Current CA is working, though I installed it back in 2006 to support SCEP for Cisco VPN, which is no longer used.
Since I installed the CA, though, the domain PCs, servers, DCs and some users have been issued certificates from the 2008R2 CA. I'm not specifically using them for anything. The CA was installed on an old DC and we have not demoted the DC because of the CA. I'm fine with a completely new 2019 server with a new CA. The old CA and old CA host name are the same and I would love to change them both.
I was thinking of:
- Set up a new 2019 server and set it as the default new Enterprise CA
- Add the old CA's public cert to the new Enterprise CA's trusted list of CAs
- Configure the new Enterprise CA with CRL
- Reconfigure GPO to submit requests to the new Enterprise CA
- Renew certs against the new Enterprise CA
- Wait for old certs to expire / force machines and users to renew
- Remove old 2008R2 CA Server