Forum Discussion
Migrate root CA from 2019 to 2022
HI,
I have a question regarding migrating a root CA.
Currently the CA root server is installed on a windows 2019 DC with the following roles installed:
Certification Authority
Certificate Enrollment Policy Server
Certificate Enrollment Web Service
Certification Authority Web Enrollment
I should migrate these services to a new DC with Windows 2022.
For the migration of the Certification Authority service there are no problems as there are many guides on the internet.
However, I would like to understand how to migrate the other 3 services.
Can anyone help me?
Thank you
Greetings
If at all possible, I recommend separating roles. I really don't like having a Certificate Authority or any other role on a Domain Controller. Furthermore, to keep your PKI (CA's etc.) you should have a two tier PKI an offline root CA. For guides I presume you went to Migrating roles and features in Windows Server | Microsoft Learn which lead you to Active Directory Certificate Services Migration Guide for Windows Server 2012 R2 | Microsoft Learn. Which doesn't cover the other services. The important data is kept inside the CA database. So that is the only service that requires a true migration, the other services can just be setup again and point to the migrated CA. There are settings to migrate but no real data.
These links are the latest I found (I know some of them reference 2012 instead of 2022):
Certification Authority Web Enrollment Role Service in Windows Server | Microsoft Learn
Certificate Enrollment Web Services in Active Directory Certificate Services | Microsoft Learn
Certificate Enrollment Policy Web Service Guidance | Microsoft Learn
2 Replies
If at all possible, I recommend separating roles. I really don't like having a Certificate Authority or any other role on a Domain Controller. Furthermore, to keep your PKI (CA's etc.) you should have a two tier PKI an offline root CA. For guides I presume you went to Migrating roles and features in Windows Server | Microsoft Learn which lead you to Active Directory Certificate Services Migration Guide for Windows Server 2012 R2 | Microsoft Learn. Which doesn't cover the other services. The important data is kept inside the CA database. So that is the only service that requires a true migration, the other services can just be setup again and point to the migrated CA. There are settings to migrate but no real data.
These links are the latest I found (I know some of them reference 2012 instead of 2022):
Certification Authority Web Enrollment Role Service in Windows Server | Microsoft Learn
Certificate Enrollment Web Services in Active Directory Certificate Services | Microsoft Learn
Certificate Enrollment Policy Web Service Guidance | Microsoft Learn
