pazzoide76
Iron Contributor
Mar 15, 2024
Solved

Migrate root CA from 2019 to 2022

Hi,
I have a question regarding migrating a root CA.
Currently the root CA server is installed on a Windows 2019 DC with the following roles installed:

Certification Authority
Certificate Enrollment Policy Server
Certificate Enrollment Web Service
Certification Authority Web Enrollment

I should migrate these services to a new DC with Windows 2022.
For the migration of the Certification Authority service there are no problems, as there are many guides on the internet.
However, I would like to understand how to migrate the other 3 services.
Can anyone help me?

Thank you

Greetings


2 Replies

  • DavidLundell
    Brass Contributor

    pazzoide76 

    If at all possible, I recommend separating roles. I really don't like having a Certificate Authority or any other role on a Domain Controller. Furthermore, to keep your PKI (CAs etc.), you should have a two-tier PKI with an offline root CA. For guides I presume you went to https://learn.microsoft.com/en-us/windows-server/get-started/upgrade-migrate-roles-features which led you to https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486797(v=ws.11), which doesn't cover the other services. The important data is kept inside the CA database, so that is the only service that requires a true migration; the other services can just be set up again and pointed to the migrated CA. There are settings to migrate but no real data.

    These links are the latest I found (I know some of them reference 2012 instead of 2022):

    https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-authority-web-enrollment

    https://learn.microsoft.com/en-us/archive/technet-wiki/7734.certificate-enrollment-web-services-in-active-directory-certificate-services

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831625(v=ws.11)
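An added end-to-end example, not part of the thread or of Microsoft's documentation, of the split the answer describes: only the CA database, certificate/key and registry settings are backed up and restored on the new host, while the three web services are installed fresh and pointed at the restored CA. The CA name, host name, backup path and TLS certificate thumbprint are placeholders to replace with your own values; the cmdlets and feature names are the standard ADCSDeployment/ADCSAdministration ones.

```powershell
# Added example (not from the thread): migrate the CA, rebuild the web services.
# Assumed placeholder values -- replace with your own:
$CaName    = 'CONTOSO-ROOT-CA'         # must match the existing CA name exactly
$NewHost   = 'ca02.contoso.local'      # new Windows Server 2022 member server
$BackupDir = 'C:\CABackup'
$SslThumb  = '0123456789ABCDEF0123456789ABCDEF01234567'  # TLS cert for CEP/CES/Web Enrollment
$BackupPwd = Read-Host -AsSecureString 'Password to protect the exported CA key'

# ---- Step 1: on the OLD server (2019 DC) -----------------------------------
# Back up the CA database plus the CA certificate and private key
# (the key is written as <CaName>.p12 inside $BackupDir).
Backup-CARoleService -Path $BackupDir -Password $BackupPwd -Force
# Registry settings (CRL/AIA URLs, validity periods, audit filter) are the
# "settings to migrate" -- export them alongside the database.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CertSvc.reg" /y
certutil -catemplates > "$BackupDir\templates.txt"   # templates published on this CA
Copy-Item "$env:SystemRoot\CAPolicy.inf" $BackupDir -ErrorAction SilentlyContinue
# Stop the old CA once the backup is done so two CAs never issue under one name.
Stop-Service CertSvc

# ---- Step 2: on the NEW server (2022) --------------------------------------
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment,
    ADCS-Enroll-Web-Pol, ADCS-Enroll-Web-Svc -IncludeManagementTools

# Re-create the CA from the exported certificate/key (same CA name, same key),
# then restore the database so issued certificates and revocations carry over.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CertFile "$BackupDir\$CaName.p12" -CertFilePassword $BackupPwd -Force
Stop-Service CertSvc
Restore-CARoleService -Path $BackupDir -Password $BackupPwd -Force
# If the host name changed, review the exported .reg before importing it:
# it contains values that reference the old server name.
reg import "$BackupDir\CertSvc.reg"
Start-Service CertSvc

# The three web services hold no data: install fresh and point them at the CA.
$CaConfig = "$NewHost\$CaName"
Install-AdcsWebEnrollment -CAConfig $CaConfig -Force
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos `
    -SSLCertThumbprint $SslThumb -Force
Install-AdcsEnrollmentWebService -CAConfig $CaConfig -AuthenticationType Kerberos `
    -SSLCertThumbprint $SslThumb -Force

# ---- Step 3: verify ----------------------------------------------------------
certutil -ping -config $CaConfig          # CA answers RPC/DCOM requests
certutil -getreg ca\CRLPublicationURLs    # URLs still point where clients look
certutil -crl                             # publish a fresh CRL from the new host
```

Run Step 1 on the old server and Steps 2 and 3 on the new one in an elevated PowerShell session. The CA name in `$CaName` has to be identical to the old CA's name, because every issued certificate and the CA database reference it; the host name is free to change, which is why the CEP/CES/Web Enrollment installs take `$NewHost` rather than the old server name.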
