Microsoft
MicrosoftGlad you are talking to this point but frankly there are many more details to the migration that is missing. These are all covered in the older, but still applicable and more detailed ADCS Migration Whitepaper. A couple of items of note in your process:
1) A very important step is missing from this and almost every migration doc that MICROSOFT has on this subject. You backup the CA while it is in production which means it could issue certificates after the backup and before you remove the role. I always recommend you note the templates that are installed on the CA, and then remove them from the CA. This prevents any further issuance. Now your backup will be accurate and no issued certificate details will be lost. After moving to the new platform, add back the appropriate templates.
2) In your backup of files you aren’t including the capolicy.inf file that may be in place and defining very important properties for your CA
3) When the CA is restored onto a new computer it had a new AD SID. As. Result the CA will not be able to publish its CRL to AD (if so configured) because the old CA computer object was the only one ACL’d to do that. So this object needs to be updated to allow the new computer object to publish the CRL.
