Forum Discussion

pazzoide76's avatar
pazzoide76
Iron Contributor
Mar 15, 2024
Solved

Migrate root CA from 2019 to 2022

HI, I have a question regarding migrating a root CA. Currently the CA root server is installed on a windows 2019 DC with the following roles installed: Certification Authority Certificate Enrol...
Windows Server
  • DavidLundell's avatar
    DavidLundell
    Mar 15, 2024

    pazzoide76 

    If at all possible, I recommend separating roles. I really don't like having a Certificate Authority or any other role on a Domain Controller. Furthermore, to keep your PKI (CA's etc.) you should have a two tier PKI an offline root CA. For guides I presume you went to https://learn.microsoft.com/en-us/windows-server/get-started/upgrade-migrate-roles-features which lead you to https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486797(v=ws.11) Which doesn't cover the other services. The important data is kept inside the CA database. So that is the only service that requires a true migration, the other services can just be setup again and point to the migrated CA. There are settings to migrate but no real data.

     

    These links are the latest I found (I know some of them reference 2012 instead of 2022):

     

    https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-authority-web-enrollment

    https://learn.microsoft.com/en-us/archive/technet-wiki/7734.certificate-enrollment-web-services-in-active-directory-certificate-services

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831625(v=ws.11) 

     

DavidLundell's avatar
DavidLundell
Brass Contributor
Mar 15, 2024

pazzoide76 

If at all possible, I recommend separating roles. I really don't like having a Certificate Authority or any other role on a Domain Controller. Furthermore, to keep your PKI (CA's etc.) you should have a two tier PKI an offline root CA. For guides I presume you went to https://learn.microsoft.com/en-us/windows-server/get-started/upgrade-migrate-roles-features which lead you to https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486797(v=ws.11) Which doesn't cover the other services. The important data is kept inside the CA database. So that is the only service that requires a true migration, the other services can just be setup again and point to the migrated CA. There are settings to migrate but no real data.

 

These links are the latest I found (I know some of them reference 2012 instead of 2022):

 

https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-authority-web-enrollment

https://learn.microsoft.com/en-us/archive/technet-wiki/7734.certificate-enrollment-web-services-in-active-directory-certificate-services

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831625(v=ws.11) 

 

Resources