Forum Discussion
Migrate root CA from 2019 to 2022
HI,
I have a question regarding migrating a root CA.
Currently the CA root server is installed on a windows 2019 DC with the following roles installed:
Certification Authority
Certificate Enrollment Policy Server
Certificate Enrollment Web Service
Certification Authority Web Enrollment
I should migrate these services to a new DC with Windows 2022.
For the migration of the Certification Authority service there are no problems as there are many guides on the internet.
However, I would like to understand how to migrate the other 3 services.
Can anyone help me?
Thank you
Greetings
If at all possible, I recommend separating roles. I really don't like having a Certificate Authority or any other role on a Domain Controller. Furthermore, to keep your PKI (CA's etc.) you should have a two tier PKI an offline root CA. For guides I presume you went to https://learn.microsoft.com/en-us/windows-server/get-started/upgrade-migrate-roles-features which lead you to https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486797(v=ws.11) Which doesn't cover the other services. The important data is kept inside the CA database. So that is the only service that requires a true migration, the other services can just be setup again and point to the migrated CA. There are settings to migrate but no real data.
These links are the latest I found (I know some of them reference 2012 instead of 2022):
https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-authority-web-enrollment
https://learn.microsoft.com/en-us/archive/technet-wiki/7734.certificate-enrollment-web-services-in-active-directory-certificate-services
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831625(v=ws.11)
2 Replies
If at all possible, I recommend separating roles. I really don't like having a Certificate Authority or any other role on a Domain Controller. Furthermore, to keep your PKI (CA's etc.) you should have a two tier PKI an offline root CA. For guides I presume you went to https://learn.microsoft.com/en-us/windows-server/get-started/upgrade-migrate-roles-features which lead you to https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486797(v=ws.11) Which doesn't cover the other services. The important data is kept inside the CA database. So that is the only service that requires a true migration, the other services can just be setup again and point to the migrated CA. There are settings to migrate but no real data.
These links are the latest I found (I know some of them reference 2012 instead of 2022):
https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-authority-web-enrollment
https://learn.microsoft.com/en-us/archive/technet-wiki/7734.certificate-enrollment-web-services-in-active-directory-certificate-services
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831625(v=ws.11)
