Re: Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to

Hi Anthony,

Great!

Thanks for the information and article.

Best Regards

Re: Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to

Does it matter if new server and old server have different names?

Re: Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to

@bradfore44 - Yes in this scenario the old server and new server would need to have the same name. I am currently working on writing another post that will address the need to have servers with different names. Stay tuned.

Re: Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to

@Anthony Bartolo please update the comments here when the post dealing with different server names is ready. Also, if we have an offline root, is the process basically the same, we'd just choose the appropriate CA type for the root and the intermediate server? Thanks!

Re: Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to

You say that the servers have the same name but in the screenshots, don’t the servers have different names?

**Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019**

End of support for Windows Server 2008 R2 has been slated by Microsoft for January 14th 2020. Said announcement increased interest in a [previous post](https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/Step-By-Step-Migrating-The-Active-Directory-Certificate-Service/ba-p/306931?WT.mc_id=ITOPSTALK-blog-abartolo) detailing steps on Active Directory Certificate Service migration from server versions older than 2008 R2. Many subscribers of ITOpsTalk.com have reached out asking for an update of the steps to reflect Active Directory Certificate Service migration from 2008 R2 to 2016 / 2019 and of course our team is happy to oblige.

**Step 1: Backup Windows Server 2008 R2 certificate authority database and its configuration**

1. Log in to Windows 2008 R2 Server as a member of the local administrator group
2. Go to Start > Administrative Tools > Certificate Authority
3. Right click on Server Node > All Tasks > Backup CA
   [Screenshot: Certification Authority Backup CA]
4. Click Next on the Certification Authority Backup Wizard screen
5. Click both check boxes to select both items to back up and provide the backup path for the file to be stored
   [Screenshot: Certification Authority Backup Wizard Item Selection]
6. Click Next
7. Provide a password to protect the private key and CA certificate file and click Next to continue
8. Click Finish to complete the process

**Step 2: Backup CA Registry Settings**

1. Click Start > Run > type regedit and click OK
2. Expand the key in the following path: **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc**
3. Right click on the Configuration key and click Export
4. Provide a name for the backup file and then click Save to complete the backup
   [Screenshot: Backup CA Registry Settings]

Backup of the Certificates is now complete and the files can now be moved to the new Windows 2016 / 2019 server.

[Screenshot: CA Backup complete]

**Step 3: Uninstall CA Service from Windows Server 2008 R2**

1. Navigate to Server Manager
2. Click Remove Roles under Roles Summary to start the Remove Roles Wizard, and then click Next
   [Screenshot: Uninstalling a CA]
3. Click to clear the Active Directory Certificate Services check box and click Next
   [Screenshot: Removing Active Directory Certificate Services]
4. Click Remove on the Confirm Removal Options page
5. If Internet Information Services (IIS) is running and you are prompted to stop the service before you continue with the uninstall process, click OK
6. Click Close
7. Restart the server to complete the uninstall

**Step 4: Install Windows Server 2016 / 2019 Certificate Services**

**\*NOTE:** The new 2016 / 2019 server needs to have the same "Name" as the old server at this point. The screenshots below show the server name as WS2019 to highlight which server we are working on. This step-by-step highlights screenshots from Windows Server 2019. The Windows Server 2016 process is the same, with similar screenshots.

1. Log in to Windows Server 2019 as Domain Administrator or a member of the local administrator group
2. Navigate to Server Manager > Add roles and features
3. Click Next to continue in the Add Roles and Features Wizard
4. Select Role-based or Feature-based installation and click Next
5. Keep the default selection from the server selections window and click Next
   [Screenshot: Windows Server 2019 Server Selections]
6. Select Active Directory Certificate Services, click Next in the pop up window to acknowledge the required features that need to be added, and click Next to continue
   [Screenshot: Adding Active Directory Certificate Services]
7. Click Next in the Features section to continue
8. Review the brief description about AD CS and click Next to continue
9. Select Certificate Authority and Certification Authority Web Enrollment, click Next in the pop up window to acknowledge the required features that need to be added, and click Next to continue
   [Screenshot: Windows Server 2019 Add Role Services]
10. Review the brief description about IIS and click Next to continue
11. Leave the default and click Next to continue
12. Click Install to begin the installation process
13. Close the wizard once it is complete

**Step 5: Configure AD CS**

In this step we will look into configuring AD CS and restoring the backup created previously.

1. Navigate to Server Manager > AD CS
2. The right hand panel will show a message as in the following screenshot; click on More
   [Screenshot: AD CS]
3. Click on Configure Active Directory Certificate Service …… in the pop up window
   [Screenshot: Configure Active Directory Certificate Service]
4. In the Role Configuration wizard, ensure the proper credential for Enterprise Administrator is shown and click Next to continue
5. Select Certification Authority and Certification Authority Web Enrollment and click Next to continue
6. Ensure Enterprise CA is selected as the setup type and click Next to continue
7. Select Root CA as the CA type and click Next to continue
8. With this being a migration, select Use existing private key and Select a certificate and use its associated private key and click Next to continue
   [Screenshot: AD CS Configuration]
9. Click Import in the AD CS Configuration window
10. Select the key backed up during the backup process from the Windows 2008 R2 server. Browse and select the key from the backup we made, provide the password we used for protection and click OK.
    [Screenshot: Import Existing Certificate]
11. With the key successfully imported, select the imported certificate and click Next to continue
12. Leave the default certificate database path and click Next to continue
13. Click Configure to proceed with the configuration process
14. Close the configuration wizard once complete

**Step 6: Restore CA Backup**

1. Navigate to Server Manager > Tools > Certification Authority
2. Right click on server node > All Tasks > Restore CA
3. A window will appear confirming the stop of Active Directory Certificate Services. Click OK to continue.
   [Screenshot: Confirm stop of Active Directory Certificate Services]
4. Click Next to start the Certification Authority Restore Wizard
5. Click both check boxes to select both items to restore and provide the backup path for the file to be restored from
   [Screenshot: Certification Authority Restore Wizard]
6. Enter the password used to protect the private key during the backup process and click Next
7. Click Finish to complete the restore process
8. Click Yes to restart Active Directory Certificate Services

**Step 7: Restore Registry info**

1. Navigate to the folder with the backed up registry key and double click > Run to initialize the restore
2. Click Yes to proceed with the registry key restore
3. Click OK once confirmation about the restore is shown

**Step 8: Reissue Certificate Templates**

With the migration process now complete, it is time to reissue the certificate.

1. Under Server Manager, navigate to Tools > Certification Authority
2. Right click on Certificate Templates Folder > New > Certificate Template to Reissue
3. From the certificate templates list click on the appropriate certificate template and click OK

This concludes the Active Directory Certificate Service migration steps.

Labels: Anthony Bartolo, Windows Server

Re: Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to

@Crchad Thank you for the heads up. I updated the note found in the beginning of Step 4 to address this.

Re: Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to

@Anthony Bartolo Will be nice on blog post with the different server name also to describe upgrade CA from SHA1 to SHA2 of the root certificate. Thanks!

Re: Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to

Great article, thank you. I take it the process is the same for any subordinate CA's? And should the subordinates be done after the root CA?

Re: Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to

Yes, is it the same for Offline root CA @Anthony Bartolo ?

I have a customer that I will migrate next week and they have an Offline root CA and a publishing CA.

Re: Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to

What are thoughts about doing an in place upgrade from 2012 R2 to 2016?

Re: Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to

@Anthony Bartolo Any update regarding our questions for Offline Root CA?

Re: Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to

@bradfore44 Yes it is possible. Supporting docs can be found here: https://docs.microsoft.com/en-us/windows-server/get-started/supported-upgrade-paths?WT.mc_id=ITOPSTALK-docs-abartolo
referrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fget-started%2Fsupported-upgrade-paths%3FWT.mc_id%3DITOPSTALK-docs-abartolo%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-719910%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-719910%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F341925%22%20target%3D%22_blank%22%3E%40christianjonsson%3C%2FA%3E%26nbsp%3BStill%20working%20on%20the%20research.%26nbsp%3B%20Stay%20tuned.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-722377%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-722377%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F16527%22%20target%3D%22_blank%22%3E%40Anthony%20Bartolo%3C%2FA%3E%20I%20put%20in%20a%20ticket%20with%20premier%20support%20referencing%20this%20ticket%20because%20I%20had%20a%20few%20follow%20up%20questions%2C%20but%20they%20came%20and%20told%20me%20that%20a%20upgrade%20directly%20from%202008%20R2%20to%202016%2F2019%20was%20not%20supported.%20I%20asked%20them%20if%20they%20had%20tested%20this%20in%20their%20lab%20according%20to%20your%20article%20and%20they%20confirmed%20that%20they%20did.%20here%20is%20t
heir%20response%3A%20%22Unfortunately%20we%20cannot%20migrate%20the%20CA%20database%20directly%20form%20Server%202008%20R2%20to%20Server%202016%20because%20the%20JET%20database%20engine%20changed%20so%20much%20between%20the%20two%20versions%20that%20if%20we%20restore%20the%20backup%20we%20get%20a%20JET%20version%20error%20at%20startup%20and%20the%20CA%20won't%20start.%20But%20if%20we%20add%20one%20more%20step%20we%20can%20successfully%20fulfill%20the%20above%20tasks.%20This%20additional%20step%20is%20to%20first%20restore%20the%20DB%20backup%20to%20a%20Server%202012%20R2%20CA%20and%20then%20backup%20the%20DB%20again%20form%20there.%20This%20new%20backup%20now%20can%20be%20restored%20to%20the%20Server%202016%20CA.%20%22%20Is%20this%20something%20that%20you%20ran%20into%20when%20upgrading%20directly%20from%202008%20R2%20to%202016%2F2019%3F%20I%20would%20like%20to%20do%20the%20upgrade%20directly%20from%202008%20R2%20if%20possible%20and%20not%20step%20up%20to%202012%20R2%20first.%20Thanks%20in%20advance!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-722604%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-722604%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F367167%22%20target%3D%22_blank%22%3E%40rdp21915%3C%2FA%3EI%20have%20seen%20this%20same%20topic%20regarding%20the%20JET%20DB%20only%20one%20other%20time%20when%20researching%20this%20topic.%20%26nbsp%3B%20located%20here%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2F37373.migrating-ad-certificate-services-from-windows-server-2008-to-windows-server-2016.aspx%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20
noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2F37373.migrating-ad-certificate-services-from-windows-server-2008-to-windows-server-2016.aspx%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20not%20performed%20this%20upgrade%20yet%20but%20would%20like%20to%20here%20Anthony's%20response.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-722612%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-722612%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F367167%22%20target%3D%22_blank%22%3E%40rdp21915%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F366267%22%20target%3D%22_blank%22%3E%40dwright187%3C%2FA%3E%26nbsp%3BI%20am%20currently%20researching%20further%20requests%20in%20regards%20to%20this%20post.%26nbsp%3B%20This%20post%20was%20meant%20as%20an%20update%20to%20a%26nbsp%3B%3CA%20title%3D%22Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202003%20to%202012%20R2%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FITOps-Talk-Blog%2FStep-By-Step-Migrating-The-Active-Directory-Certificate-Service%2Fba-p%2F306931%3FWT.mc_id%3DITOPSTAL
K-blog-abartolo%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3Eprevious%20post%3C%2FA%3E%26nbsp%3Bof%20which%20the%20steps%20above%20were%20tested.%26nbsp%3B%20The%20above%20does%20not%20work%20for%20all%20scenarios%20hence%20the%20reason%20more%20research%20is%20being%20conducted.%20Thank%20you%20in%20advance%20for%20your%20patience.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-722630%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-722630%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F16527%22%20target%3D%22_blank%22%3E%40Anthony%20Bartolo%3C%2FA%3E%20Thanks%20Anthony!%20I%20appreciate%20the%20quick%20response.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-725223%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-725223%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%2C%20Anthony.%3C%2FP%3E%3CP%3EI%20have%20also%20read%20an%20article%20about%20upgrading%20the%20CA%20from%202008%20to%202012%2C%20then%202016%2F2019%20before%20reading%20your%20article%2C%20which%20I%20thought%20was%20a%20welcome%20relief.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20patiently%20await%20the%20result%20of%20your%20research%20on%20this%20topic.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOkei%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-734920%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-734920%22%20slang%3D%22en-US%22%3E%3CP%3EAny
%20updates%20on%20the%20questions%20regarding%3B%3C%2FP%3E%3CP%3E1)%20what%20about%20if%20the%20root%20is%20offline%3F%3C%2FP%3E%3CP%3E2)%20is%20it%20the%20same%20process%20to%20migrate%20the%20intermediate%20CA%20server%3F%3C%2FP%3E%3CP%3E3)%20can%20I%20use%20a%20different%20server%20name%20for%20either%20of%20the%20above%3F%20(my%20friendly%20names%20on%20both%20are%20not%20linked%20to%20the%20server%20name%20in%20any%20way)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20environment%20is%20a%202008R2%20offline%20root%2C%20and%202008R2%20intermediate%20and%20ocsp%20responder%20servers.%20All%20of%20which%20I%20would%20like%20to%20get%20onto%20Server%202019.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-741493%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-741493%22%20slang%3D%22en-US%22%3E%3CP%3EGlad%20you%20are%20talking%20to%20this%20point%20but%20frankly%20there%20are%20many%20more%20details%20to%20the%20migration%20that%20is%20missing.%20These%20are%20all%20covered%20in%20the%20older%2C%20but%20still%20applicable%20and%20more%20detailed%20ADCS%20Migration%20Whitepaper.%20A%20couple%20of%20items%20of%20note%20in%20your%20process%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20A%3CSPAN%3E%26nbsp%3Bvery%20important%20step%20is%20missing%20from%20this%20and%20almost%20every%20migration%20doc%20that%20MICROSOFT%20has%20on%20this%20subject.%20You%20backup%20the%20CA%20while%20it%20is%20in%20production%20which%20means%20it%20could%20issue%20certificates%20after%20the%20backup%20and%20before%20you%20remove%20the%20role.%20I%20always%20recommend%20you%20note%20the%20templates%20that%20are%20installed%20on%20the%20CA%2C%20and%20then%20remove%20them%20from%20the%20CA.%20This%20prevents%20any%20further%20issuance.%20Now%20your%20backup%20will%20be%20accurate%20and%20no%20issued%20certificate%20d
etails%20will%20be%20lost.%20After%20moving%20to%20the%20new%20platform%2C%20add%20back%20the%20appropriate%20templates.%3CSPAN%20class%3D%22Apple-converted-space%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22Apple-converted-space%22%3E2)%20In%20your%20backup%20of%20files%20you%20aren%E2%80%99t%20including%20the%20capolicy.inf%20file%20that%20may%20be%20in%20place%20and%20defining%20very%20important%20properties%20for%20your%20CA%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22Apple-converted-space%22%3E3)%20When%20the%20CA%20is%20restored%20onto%20a%20new%20computer%20it%20had%20a%20new%20AD%20SID.%20As.%20Result%20the%20CA%20will%20not%20be%20able%20to%20publish%20its%20CRL%20to%20AD%20(if%20so%20configured)%20because%20the%20old%20CA%20computer%20object%20was%20the%20only%20one%20ACL%E2%80%99d%20to%20do%20that.%20So%20this%20object%20needs%20to%20be%20updated%20to%20allow%20the%20new%20computer%20object%20to%20publish%20the%20CRL.%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-741987%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-741987%22%20slang%3D%22en-US%22%3EThanks%20to%20all%20who%20have%20provided%20information%20so%20far%2C%20a%20comprehensive%20guide%20that%20includes%20answers%20for%20the%20queries%20raised%20by%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F372315%22%20target%3D%22_blank%22%3E%40Thepkiguy%3C%2FA%3E%20above%20would%20be%20very%20handy.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-743036%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Wind
ows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-743036%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20for%20the%20additional%20information.%20I%20have%20found%20other%20tech%20blogs%20where%20the%20discuss%20getting%20the%20capolicy.inf.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20CRL%20site%20is%20on%20a%20third%20server%2C%20that%20only%20does%20that.%20I%20do%20need%20to%20migrate%20that%20to%20a%20newer%20OS%20server%20as%20well.%20Will%20I%20need%20to%20worry%20about%20the%20SID%20on%20that%20server%20as%20well%2C%20or%20will%20that%20not%20be%20a%20thing%20since%20it's%20not%20a%20ADCS%20server%20per%20se%2C%20just%20an%20IIS%20server%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20does%20anyone%20have%20any%20thoughts%20on%20my%20questions%20above%3F%20Or%20some%20actual%20official%20MS%20documentation%20on%20this%20topic%2C%20even%20if%20it%20is%20missing%20several%20steps%3F%20I%20have%20not%20found%20anything%20official%20on%20migrating%20ADCS%20from%20older%20OS%20to%20new%20OS.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-743356%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-743356%22%20slang%3D%22en-US%22%3E%3CP%3ENo%20need%20to%20specifically%20upgrade%20your%20CRL%20Webserver%2C%20unless%20it%20too%20is%20going%20end%20of%20life.%20However%2C%20there%20is%20nothing%20it%20does%20in%20regards%20to%20the%20CRL%20or%20PKI%20that%20will%20be%20affected%20in%20AD%20by%20upgrading%20the%20OS.%20The%20ACL%20issue%20is%20just%20on%20the%20CA%20itself.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20is%20the%20Microsoft%20official%20migration%20doc.%20It's%20old%2C%20but%20still%20applicable.%20Usual%20caveots%20as%20I%20pointed%20out.%20There%20are%20some%20gotchas%20to%20the%20method%20they%20have%20you%20follow%20(
remember%20you%20should%20remove%20templates%20before%20backups%2C%20etc.)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2008-R2-and-2008%2Fee126170(v%3Dws.10)%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2008-R2-and-2008%2Fee126170(v%3Dws.10)%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-743552%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-743552%22%20slang%3D%22en-US%22%3E%3CP%3EOh%20nice%2C%20thank%20you!!%26nbsp%3B%20I'm%20doing%20all%20these%20upgrades%20to%20the%20OS%20as%20they%20are%20Server%202008R2%2C%20and%20so%20I'm%20getting%20off%20of%20that%20prior%20to%20January%202020%20when%20it's%20EOS.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-755424%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-755424%22%20slang%3D%22en-US%22%3E%3CP%3EHas%20anyway%20found%20a%20good%20tool%20for%20certificate%20expiration%20notification.%20SCOM%20is%20worthless%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-755954%22%20slang%3D%22en-US%22%
3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-755954%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F362264%22%20target%3D%22_blank%22%3E%40bradfore44%3C%2FA%3E%2C%20PRTG%20Network%20Monitor%20is%20a%20useful%20tool%20as%20they%20have%20a%20SSL%20certificate%20monitor%20for%20websites%2C%20I%20have%20used%20this%20several%20times.%20Otherwise%20you%20could%20create%20a%20scheduled%20task%20that%20periodically%20runs%20a%20powershell%20script%20based%20on%20some%20of%20the%20information%20in%20%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fscotts-it-blog%2F2014%2F12%2F30%2Fworking-with-certificates-in-powershell%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.technet.microsoft.com%2Fscotts-it-blog%2F2014%2F12%2F30%2Fworking-with-certificates-in-powershell%2F%3C%2FA%3E.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-832783%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-832783%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F372315%22%20target%3D%22_blank%22%3E%40Thepkiguy%3C%2FA%3E%26nbsp%3BYour%20comment%20and%20observation%20is%20a%20giant%20spot%20on!%20All%20these%20oversimplified%20migration%20guides%20from%20MSFT%20employees%2C%20that%20are%2
0simple%20next-next-finish-YouAreDone%20are%20extremely%20misleading.%20An%20advanced%20PKI%20in%20production%20needs%20a%20very%20careful%20planning%2C%20otherwise%20you%20can%20search%20for%20new%20job%20the%20next%20week...%20These%20blog%20posts%20wont%20reveal%20such%20depths%2C%20and%20thats%20the%20dangerous%20part%20if%20you%20read%20this%20post.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20about%20multi-tier%20PKI%3F%20Oopsie%2C%20havent%20thought%20about%20that.%20How%20to%20handle%20offline%20rootca%3F%20Hmm%2C%20I%20forgot%20that.%20Sha1%20to%20Sha2%20key%20migrarion%3F%20Ooo...%20And%20the%20list%20goes%20on%20and%20on%20and%20on%20and%20on%20and%20on%20abd%20on...%20Hint%3A%20there%20is%20no%20recent%20MSPRESS%20book%20about%20Windows%20PKI%20since%20Brian%20Komars%202008%20book%20(yep%2C%2010yrs%20old%2C%20and%20doesnt%20handle%20many%20PKI%20and%20crypto%20fundamentals%20at%20all%2C%20that%20is%20required%20for%20the%20windows%20admin%20to%20even%20understand%20what%20they%20are%20doing%20with%20that%20sha1-%26gt%3Bsha2%20change%20etc.)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-841033%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-841033%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20just%201%20enterprise%20CA%20on%202008R2%20for%20years%20now.%3CBR%20%2F%3EIt's%20working%20fine.%3C%2FP%3E%3CP%3EI%20want%20to%20go%20to%20Windows%202019.%3C%2FP%3E%3CP%3EWhile%20backupping%20everything%20I%20found%20that%20I%20don't%20have%20a%26nbsp%3B%3CSPAN%3Ecapolicy.inf%20file.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F372315%22%20target%3D%22_blank%22%3E%40Thepkiguy%3C%2FA%3E%26nbsp%3BIs%20that%20a%20problem%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-84
1036%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-841036%22%20slang%3D%22en-US%22%3E%3CP%3ENot%20a%20problem%20Rob.%20Not%20every%20deployment%2FCA%20has%20a%20capolicy.inf.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-916500%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-916500%22%20slang%3D%22en-US%22%3E%3CP%3Ethis%20guide%20is%20not%20going%20through%20all%20the%20needed%20steps%20for%20this%20to%20work%20out.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20Yes%20you%20need%20to%20do%20a%20complete%20install%20on%20a%20server%202012%20r2%20before%20going%20to%20a%20server%202016%20or%202019.%3C%2FP%3E%3CP%3E%26nbsp%3Band%20the%20steps%20on%20a%20server%202012r2%20is%20the%20same%20going%20forward.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E!!Important%20make%20a%20copy%20of%20the%20reg%20file!!!%20we%20need%202%20of%20them%2C%20that%20is%20the%20best%20solution.%3C%2FP%3E%3CP%3E2.%20Before%20you%20install%20the%20CA%20roles%20on%20the%20new%20server%20(2012%2C16%2C19...)%20you%20need%20to%20import%20the%20reg%20entries%20into%20the%20regedit%20db%20-%20BUT%20you%20need%20to%20remove%20some%20of%20the%20entries%20first.%26nbsp%3B%3C%2FP%3E%3CP%3E-%20in%20the%20reg%20file%20under%20the%20first%20%3A%26nbsp%3B%5BHKEY_LOCAL_MACHINE%5CSYSTEM%5CCurrentControlSet%5CServices%5CCertSvc%5CConfiguration%5D%3C%2FP%3E%3CP%3Ethere%20is%2014%20items%2C%20you%20need%20to%20cut%20them%20down%20to%20only%204%2C%20these%20in%20specific%3A%3C%2FP%3E%3CP%3E%22LDAPFlags%22%3CBR%20%2F%3E%22DBFlags%22%3CBR%20%2F%3E%22WebClientCAName%22%3CBR%20%2F%3E%22WebClientCAType%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EStill%20with%20their%20values
%20in%20the%20end%20of%20them.%26nbsp%3Bthe%20sub%20folder%20in%20the%20regedit%20file%20are%20still%20there!!%3C%2FP%3E%3CP%3ESave%20the%20reg%20file%20and%20execute%2Fmerge%20it%20into%20your%20regedit%20on%20the%20server.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E3.%20now%20go%20on%20an%20install%20the%20CA%20roles.%3C%2FP%3E%3CP%3Eservice%20will%20not%20start%26nbsp%3B%20%3D%20ok%20(see%20event%20viewer%2C%20error%2Fwarning%20%3D%20ok%20for%20now)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E4.%20restore%20the%20CA%20DB.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E5.%26nbsp%3B%20now%20execute%2Fmerge%20the%20backup%20reg%20file%20with%20all%20the%20items%20in%2C%20not%20the%20edited%20file%20from%20before.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E6.%20start%20the%20CA%20service%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewolla%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Equick%20tip%3A%3C%2FP%3E%3CP%3EIf%20you%20are%20going%20to%20have%20the%20server%20name%20changed%2C%20you%20have%20to%20change%20all%20the%20entries%20in%20the%20full%2C%20and%20edited%20reg%20file%20by%20search%20and%20replace%2C%20before%20you%20have%20them%20merged%2Fimported%20into%20the%20regedit%20db.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-916503%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-916503%22%20slang%3D%22en-US%22%3E%3CP%3Eupdate%20if%20you%20are%20missing%20CA%20templates%20after%20the%20deployment%20then%20either%20go%20into%20the%20ADSI%20for%20the%20confuguration%20of%20your%20AD%20DC%20server%20under%20%3A%26nbsp%3B%3C%2FP%3E%3CP%3Eadsi%20-%26gt%3B%20configuration%20-%26gt%3B%20services%20-%26gt%3B%20public%20key%20services%20-%26gt%3B
%20certificate%20templates%26nbsp%3B%20-%26gt%3Bin%20there%20is%20all%20your%20templates%20self%20made%20and%20auto%20generated%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20self%20made%20ones%20you%20need%20to%20import%20by%20powershell(admin%20mode)%20on%20your%20CA%20server%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ecertutil%20-SetCAtemplates%20%2Byour-template-name%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eif%20your%20have%20a%20template%20name%20with%20()%20you%20need%20to%20do%20this%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ecertutil%20-SetCAtemplates%20%2B'your-template-name'%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-918665%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918665%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F427114%22%20target%3D%22_blank%22%3E%40RasmusJohnsen%3C%2FA%3E%26nbsp%3Byes%2C%20that%20worked!%20Now%20SCCM%20clients%20are%20working%20again%3B)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-942602%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-942602%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20there%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20also%20have%20to%20migrate%20my%20Root-CA%20from%20Win-Server%202008R2%20to%202019.%3C%2FP%3E%3CP%3EIs%20it%20really%20necessary%20to%20first%20(inplace)%20migrate%20to%202012R2%20and%20then%20I%20would%20be%20able%20to%20migrate%20to%202019%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDid%20anyone%20of%20you%20experience%20the%20JET-database%20issues%20trying%20to%20migrate%20the%20ADC
S%20directly%20from%202008R2%20to%202019%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20about%20you%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102838%22%20target%3D%22_blank%22%3E%40Anthony%20Bartolo%3C%2FA%3E%26nbsp%3B%3F%20Are%20there%20any%20updates%20to%20the%20known%20issues%3F%3C%2FP%3E%3CP%3EWould%20be%20great%20if%20you%20can%20update%20your%20Blog%20%3A)%3C%2Fimg%3E%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%20and%20regards%2C%3C%2FP%3E%3CP%3EFlorian%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-942701%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-942701%22%20slang%3D%22en-US%22%3E%3CP%3E%23flo_nuernberg%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%20the%20reason%20for%20that%20is%20beacsuse%20the%20JET%20DB%20changes%20from%202008R2%20to%202012R2%20and%20so%20on.%20So%20you%20cant%20take%20that%20big%20of%20a%20jump%20beyond%202012R2%20and%20upwards.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20need%20to%20first%20go%20to%202012R2%20and%20then%20do%20then%20jump%20from%20there%20to%20either%202016%20or%20skip%202016%20and%20go%20to%202019.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%20have%20original%20started%20with%20the%20jump%20from%202008R2%20to%202016%2C%20that%20did%20no%20work%20out%20in%20any%20way.%20So%20goining%20for%202019%20will%20have%20the%20same%20issues.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20heard%20that%20some%202%20customers%20have%20successfull%20made%20an%20inplace%20upgrade%20from%202008R2%20to%202016%2C%20but%20have%20never%20self%20been%20able%20to%20have%20a%20succesfull%20go%20on%20that%20secnario.%20And%20from%20what%20I%20learn%20was%20a%20LOT%20of%20coding%20and%20hardning%20took%20place%20and%20pure%20luck%20was%20the%20reason%20for%20their%20success.%3C
Microsoft

End of support for Windows Server 2008 R2 has been slated by Microsoft for January 14th 2020.  Said announcement increased interest in a previous post detailing steps on Active Directory Certificate Service migration from server versions older than 2008 R2.  Many subscribers of ITOpsTalk.com have reached out asking for an update of the steps to reflect Active Directory Certificate Service migration from 2008 R2 to 2016 / 2019 and of course our team is happy to oblige. 

 

Step 1: Backup Windows Server 2008 R2 certificate authority database and its configuration
 

  1. Log in to the Windows Server 2008 R2 machine as a member of the local Administrators group
  2. Go to Start > Administrative Tools > Certification Authority
  3. Right-click the server node > All Tasks > Backup CA
     
    [Screenshot: Certification Authority Backup CA]
     
  4. Click Next on the Certification Authority Backup Wizard screen
  5. Click both check boxes to select both items to backup and provide the backup path for the file to be stored
     
    [Screenshot: Certification Authority Backup Wizard Item Selection]
     
  6. Click Next
  7. Provide a password to protect the private key and CA certificate file and click Next to continue
  8. Click Finish to complete the process

Step 2: Backup CA Registry Settings

 

  1. Click Start > Run > type regedit and click OK
  2. Expand the key in following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc
  3. Right click on the Configuration key and click Export
  4. Provide a name, save the backup file and then click on save to complete the backup
     
    [Screenshot: Backup CA Registry Settings]

Backup of the Certificates is now complete and the files can now be moved to the new Windows 2016 / 2019 server.

 

[Screenshot: CA Backup complete]

 

Step 3: Uninstall CA Service from Windows Server 2008 R2

 

  1. Navigate to Server Manager
  2. Click Remove Roles under Roles Summary to start the Remove Roles Wizard, and then click Next
     
    [Screenshot: Uninstalling a CA]

  3. Click to clear the Active Directory Certificate Services check box and click Next
     
    [Screenshot: Removing Active Directory Certificate Services]
     
  4. Click Remove on the Confirm Removal Options page
  5. If Internet Information Services (IIS) is running and you are prompted to stop the service before you continue with the uninstall process, click OK
  6. Click Close
  7. Restart the server to complete the uninstall

Step 4: Install Windows Server 2016 / 2019 Certificate Services
 

*NOTE: The new 2016 / 2019 server needs to have the same "Name" as the old server at this point. The screenshots below show the server name as WS2019 to highlight which server we are working on. This step-by-step uses screenshots from Windows Server 2019. The Windows Server 2016 process is the same, with similar screenshots.
 

  1. Log in to Windows Server 2019 as Domain Administrator or member of local administrator group
  2. Navigate to Server Manager > Add roles and features
  3. Click on next to continue in the Add Roles and features Wizard
  4. Select Role-based or Feature-based installation and click next
  5. Keep the default selection from the server selections window and click next
     
    [Screenshot: Windows Server 2019 Server Selections]
     
  6. Select Active Directory Certificate Services, click next in the pop up window to acknowledge the required features that need to be added, and click next to continue
     
    [Screenshot: Adding Active Directory Certificate Services]
     
  7. Click Next in the Features section to continue
  8. Review the brief description about AD CS and click next to continue
  9. Select Certification Authority and Certification Authority Web Enrollment, click next in the pop up window to acknowledge the required features that need to be added, and click next to continue
     
    [Screenshot: Windows Server 2019 Add Role Services]
     
  10. Review the brief description about IIS and click next to continue
  11. Leave the default and click next to continue
  12. Click Install to begin the installation process
  13. Close the wizard once it is complete

 

Step 5: Configure AD CS

 

In this step we will configure AD CS and restore the backup created previously.

 

  1. Navigate to Server Manager > AD CS
  2. The right-hand panel shows a message as in the following screenshot; click More
     
    [Screenshot: AD CS]
     
  3. Click on Configure Active Directory Certificate Service …… in the pop up window
     
    [Screenshot: Configure Active Directory Certificate Service]
     
  4. In the Role Configuration wizard, ensure the proper credential for Enterprise Administrator is shown and click next to continue
  5. Select Certification Authority and Certification Authority Web Enrollment and click next to continue
  6. Ensure Enterprise CA is selected as the setup type and click next to continue
  7. Select Root CA as the CA type and click next to continue
  8. With this being a migration, select Use existing private key and Select a certificate and use its associated private key and click next to continue
     
    [Screenshot: AD CS Configuration]
     
  9. Click Import in the AD CS Configuration window
  10. Browse to the key backed up from the Windows Server 2008 R2 server, select it, provide the password used to protect it and click OK.
     
    [Screenshot: Import Existing Certificate]
     
  11. With the key successfully imported, select the imported certificate and click next to continue
  12. Leave the default certificate database path and click next to continue
  13. Click on configure to proceed with the configuration process
  14. Close the configuration Wizard once complete

 

Step 6: Restore CA Backup

 

  1. Navigate to Server Manager > Tools > Certification Authority
  2. Right click on server node > All Tasks > Restore CA
  3. A window will appear confirming the stop of Active Directory Certificate Services. Click OK to continue.
     
    [Screenshot: Confirm stop of Active Directory Certificate Services]
  4. Click Next to start the Certification Authority Restore Wizard
  5. Click both check boxes to select both items to restore and provide the backup path for the file to be restored from
     
    [Screenshot: Certification Authority Restore Wizard]
  6. Enter the password used to protect private key during the backup process and click next
  7. Click Finish to complete the restore process
  8. Click Yes to restart Active Directory Certificate Services

 

Step 7: Restore Registry info

 

  1. Navigate to the folder with the backed up registry key and double click > Run to initialize the restore
  2. Click yes to proceed with registry key restore
  3. Click OK once confirmation about the restore is shared

 

Step 8: Reissue Certificate Templates

 

With the migration process now complete, it is time to reissue the certificate templates.

 

  1. Under Server Manager, navigate to Tools > Certification Authority
  2. Right click on Certificate Templates Folder > New > Certificate Template to Reissue
  3. From the certificate templates list click on the appropriate certificate template and click OK

 

This concludes the Active Directory Certificate Service migration steps.

37 Comments
Regular Visitor

Hi Anthony,

 

Great!

Thanks for the information and article.

 

Best Regards

Frequent Visitor

Does it matter if new server and old server have different names?

Microsoft

@bradfore44 - Yes in this scenario the old server and new server would need to have the same name.  I am currently working on writing another post that will address the need to have servers with different names.  Stay tuned.

New Contributor

@Anthony Bartolo please update the comments here when the post dealing with different server names is ready. Also, if we have an offline root, is the process basically the same, we'd just choose the appropriate CA type for the root and the intermediate server? Thanks!

Occasional Visitor
You say that the servers have the same name but in the screenshots, don’t the servers have different names?
Microsoft

@Crchad Thank you for the heads up.  I updated the note found in the beginning of Step 4 to address this.

Regular Visitor

@Anthony Bartolo It will be nice for the blog post with the different server name to also describe the upgrade of the CA root certificate from SHA1 to SHA2. Thanks!

Occasional Visitor

Great article, thank you. I take it the process is the same for any subordinate CAs? And should the subordinates be done after the root CA?

Regular Visitor

Yes, is it the same for Offline root CA @Anthony Bartolo ?

I have a customer that I will migrate next week and they have an offline root CA and a publishing CA.

Frequent Visitor

What are thoughts about doing an in-place upgrade from 2012 R2 to 2016?

Regular Visitor

@Anthony Bartolo  Any update regarding our questions for Offline Root CA?

Microsoft

@christianjonsson Still working on the research.  Stay tuned.

Occasional Visitor
@Anthony Bartolo I put in a ticket with premier support referencing this ticket because I had a few follow up questions, but they came and told me that an upgrade directly from 2008 R2 to 2016/2019 was not supported. I asked them if they had tested this in their lab according to your article and they confirmed that they did. Here is their response: "Unfortunately we cannot migrate the CA database directly from Server 2008 R2 to Server 2016 because the JET database engine changed so much between the two versions that if we restore the backup we get a JET version error at startup and the CA won't start. But if we add one more step we can successfully fulfill the above tasks. This additional step is to first restore the DB backup to a Server 2012 R2 CA and then backup the DB again from there. This new backup now can be restored to the Server 2016 CA." Is this something that you ran into when upgrading directly from 2008 R2 to 2016/2019? I would like to do the upgrade directly from 2008 R2 if possible and not step up to 2012 R2 first. Thanks in advance!
Senior Member

@rdp21915 I have seen this same topic regarding the JET DB only one other time when researching this topic, located here:

https://social.technet.microsoft.com/wiki/contents/articles/37373.migrating-ad-certificate-services-...

 

I have not performed this upgrade yet but would like to hear Anthony's response.

 

Microsoft

@rdp21915 and @dwright187 I am currently researching further requests in regards to this post.  This post was meant as an update to a previous post of which the steps above were tested.  The above does not work for all scenarios hence the reason more research is being conducted. Thank you in advance for your patience. 

Occasional Visitor
@Anthony Bartolo Thanks Anthony! I appreciate the quick response.
Occasional Visitor

Thank you, Anthony.

I have also read an article about upgrading the CA from 2008 to 2012, then 2016/2019 before reading your article, which I thought was a welcome relief.

 

I patiently await the result of your research on this topic.

 

Regards,

 

Okei

Regular Visitor

Any updates on the questions regarding;

1) what about if the root is offline?

2) is it the same process to migrate the intermediate CA server?

3) can I use a different server name for either of the above? (my friendly names on both are not linked to the server name in any way)

 

My environment is a 2008R2 offline root, and 2008R2 intermediate and ocsp responder servers. All of which I would like to get onto Server 2019.

Occasional Visitor

Glad you are talking to this point but frankly there are many more details to the migration that are missing. These are all covered in the older, but still applicable and more detailed ADCS Migration Whitepaper. A couple of items of note in your process:

 

1) A very important step is missing from this and almost every migration doc that MICROSOFT has on this subject. You back up the CA while it is in production, which means it could issue certificates after the backup and before you remove the role. I always recommend you note the templates that are installed on the CA, and then remove them from the CA. This prevents any further issuance. Now your backup will be accurate and no issued certificate details will be lost. After moving to the new platform, add back the appropriate templates.

 

2) In your backup of files you aren't including the capolicy.inf file that may be in place and defining very important properties for your CA.

 

3) When the CA is restored onto a new computer it has a new AD SID. As a result, the CA will not be able to publish its CRL to AD (if so configured) because the old CA computer object was the only one ACL'd to do that. So this object needs to be updated to allow the new computer object to publish the CRL.
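
Points 1 and 2 above combined with the article's Steps 1 and 2, as an added PowerShell example (not code from the article or from the commenter). The folder `C:\CABackup` and the output file names are assumptions; `certutil -backupKey` prompts for the .p12 password, so run this in a console session.

```powershell
# Added example: quiesce the source CA, then take the backups from Steps 1 and 2.
# Run in an elevated PowerShell console on the 2008 R2 CA (PowerShell 2.0 compatible).
$BackupDir = 'C:\CABackup'              # assumed path; must not exist yet
$CaDir     = Join-Path $BackupDir 'CA'  # separate empty folder for the certutil backup

function Assert-Ok([string]$What) {
    # Native tools report failure through $LASTEXITCODE, not exceptions.
    if ($LASTEXITCODE -ne 0) { throw "$What failed with exit code $LASTEXITCODE" }
}

if (Test-Path $BackupDir) { throw "$BackupDir already exists; choose a new folder." }
New-Item -ItemType Directory -Path $CaDir | Out-Null

# 1. Record which templates the CA issues. certutil prints one
#    "Name: Display Name -- ..." line per template plus a "CertUtil:" status line.
$raw = certutil -catemplates
Assert-Ok 'certutil -catemplates'
$templates = @($raw | ForEach-Object {
    if ($_ -match '^([^:]+):' -and $Matches[1] -ne 'CertUtil') { $Matches[1].Trim() }
})
$raw       | Set-Content (Join-Path $BackupDir 'catemplates-raw.txt')
$templates | Set-Content (Join-Path $BackupDir 'catemplates-names.txt')

# 2. Remove every template from the CA so nothing can be issued after the backup.
foreach ($t in $templates) {
    certutil -SetCAtemplates "-$t" | Out-Null
    Assert-Ok "Removing template $t"
}

# 3. Step 1 of the article: database and logs, then CA certificate and private key.
certutil -backupDB $CaDir
Assert-Ok 'certutil -backupDB'
# No -p argument: certutil prompts for the .p12 password, which keeps it out of
# the command line and the console history.
certutil -backupKey $CaDir
Assert-Ok 'certutil -backupKey'

# 4. Step 2 of the article: the CertSvc configuration key.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $BackupDir 'CertSvc-Configuration.reg') /y
Assert-Ok 'reg export'

# 5. CAPolicy.inf lives in %SystemRoot% when the CA has one; not every CA does.
$inf = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $inf) {
    Copy-Item $inf $BackupDir
} else {
    Write-Warning 'No CAPolicy.inf found; nothing to copy.'
}

# The folder now holds the CA private key: keep it off open shares, move it over
# a trusted channel, and delete it once the new CA is verified.
Get-ChildItem $BackupDir -Recurse | Select-Object FullName, Length

# On the new CA, after the restore, add the recorded templates back, for example:
#   Get-Content .\catemplates-names.txt | ForEach-Object { certutil -SetCAtemplates "+$_" }
```

Point 3 (the CRL publishing ACL in AD) is not covered by this script and still has to be checked on the new computer object.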

 

Occasional Visitor
Thanks to all who have provided information so far, a comprehensive guide that includes answers for the queries raised by @Thepkiguy above would be very handy.
Regular Visitor

Thank you for the additional information. I have found other tech blogs where they discuss getting the capolicy.inf.

 

My CRL site is on a third server, that only does that. I do need to migrate that to a newer OS server as well. Will I need to worry about the SID on that server as well, or will that not be a thing since it's not an ADCS server per se, just an IIS server?

 

Also, does anyone have any thoughts on my questions above? Or some actual official MS documentation on this topic, even if it is missing several steps? I have not found anything official on migrating ADCS from older OS to new OS. 

Occasional Visitor

No need to specifically upgrade your CRL Webserver, unless it too is going end of life. However, there is nothing it does in regards to the CRL or PKI that will be affected in AD by upgrading the OS. The ACL issue is just on the CA itself.

 

Here is the Microsoft official migration doc. It's old, but still applicable. Usual caveats as I pointed out. There are some gotchas to the method they have you follow (remember you should remove templates before backups, etc.)

 

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee...

Regular Visitor

Oh nice, thank you!!  I'm doing all these upgrades to the OS as they are Server 2008R2, and so I'm getting off of that prior to January 2020 when it's EOS. 

 

 

Frequent Visitor

Has anyone found a good tool for certificate expiration notification? SCOM is worthless.

Occasional Visitor
@bradfore44, PRTG Network Monitor is a useful tool as they have a SSL certificate monitor for websites, I have used this several times. Otherwise you could create a scheduled task that periodically runs a powershell script based on some of the information in https://blogs.technet.microsoft.com/scotts-it-blog/2014/12/30/working-with-certificates-in-powershel....
Senior Member

@Thepkiguy Your comment and observation is a giant spot on! All these oversimplified migration guides from MSFT employees, that are simple next-next-finish-YouAreDone, are extremely misleading. An advanced PKI in production needs very careful planning, otherwise you can search for a new job the next week... These blog posts won't reveal such depths, and that's the dangerous part if you read this post.

 

How about multi-tier PKI? Oopsie, haven't thought about that. How to handle offline rootca? Hmm, I forgot that. Sha1 to Sha2 key migration? Ooo... And the list goes on and on and on and on and on and on... Hint: there is no recent MSPRESS book about Windows PKI since Brian Komar's 2008 book (yep, 10yrs old, and doesn't handle many PKI and crypto fundamentals at all, that is required for the windows admin to even understand what they are doing with that sha1->sha2 change etc.)

Visitor

We have just 1 enterprise CA on 2008R2 for years now.
It's working fine.

I want to go to Windows 2019.

While backing up everything I found that I don't have a capolicy.inf file.

@Thepkiguy Is that a problem?

Occasional Visitor

Not a problem Rob. Not every deployment/CA has a capolicy.inf. 

Regular Visitor

This guide is not going through all the needed steps for this to work out.

 

1. Yes, you need to do a complete install on a server 2012 r2 before going to a server 2016 or 2019.

 And the steps on a server 2012r2 are the same going forward.

 

!!Important make a copy of the reg file!!! we need 2 of them, that is the best solution.

2. Before you install the CA roles on the new server (2012,16,19...) you need to import the reg entries into the regedit db - BUT you need to remove some of the entries first. 

- in the reg file under the first : [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration]

there are 14 items, you need to cut them down to only 4, these in specific:

"LDAPFlags"
"DBFlags"
"WebClientCAName"
"WebClientCAType"

 

Still with their values at the end of them. The subfolders in the reg file are still there!!

Save the reg file and execute/merge it into your regedit on the server.

 

3. Now go on and install the CA roles.

service will not start  = ok (see event viewer, error/warning = ok for now)

 

4. restore the CA DB.

 

5.  now execute/merge the backup reg file with all the items in, not the edited file from before.

 

6. start the CA service 

 

Voilà :)

 

 

quick tip:

If you are going to have the server name changed, you have to change all the entries in the full, and edited reg file by search and replace, before you have them merged/imported into the regedit db.
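
The registry-file edit from step 2 above as a script, an added example that is not the commenter's or Microsoft's code. It keeps only the four named values under the top-level Configuration key and passes every subkey through unchanged; the sample export is constructed and shortened, and the file names in the trailing comment are hypothetical.

```powershell
# Added example: reduce a CertSvc\Configuration export to the four values
# named in the comment above, leaving all subkeys as they are.
function Get-TrimmedCertSvcReg {
    param(
        [string[]]$Lines,
        [string[]]$Keep = @('LDAPFlags', 'DBFlags', 'WebClientCAName', 'WebClientCAType')
    )
    $root     = '[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration]'
    $inRoot   = $false   # inside the top-level Configuration section?
    $dropping = $false   # currently skipping a value and its continuation lines?
    foreach ($line in $Lines) {
        if ($line -match '^\[.+\]\s*$') {
            # New section header: only the exact root key is filtered.
            $inRoot   = ($line.Trim() -eq $root)
            $dropping = $false
        } elseif ($inRoot) {
            if ($line -match '^"((?:[^"\\]|\\.)*)"=') {
                # Start of a named value; value names are case-insensitive.
                $dropping = ($Keep -notcontains $Matches[1])
            } elseif ($line -match '^@=') {
                $dropping = $true            # unnamed default value
            } elseif ($line.Trim() -eq '') {
                $dropping = $false           # blank line ends the value list
            }
            # Any other line continues a multi-line hex value and inherits $dropping.
        }
        if (-not $dropping) { $line }
    }
}

# Constructed sample export (shortened; values are made up, not from a real CA).
$sample = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration]
"DBDirectory"="C:\\Windows\\system32\\CertLog"
"DBSessionCount"=dword:00000064
"LDAPFlags"=dword:00000000
"DBFlags"=dword:000000b0
"Active"="Example-CA"
"WebClientCAMachine"="ca01.example.test"
"WebClientCAName"="Example-CA"
"WebClientCAType"=dword:00000000
"DBLastFullBackup"=hex:00,11,22,33,44,55,66,77,88,99,aa,bb,cc,dd,ee,ff,\
  00,11,22,33

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Example-CA]
"CommonName"="Example-CA"
"CAServerName"="ca01.example.test"
'@ -split "\r?\n"

# Print the trimmed file for review before merging anything.
Get-TrimmedCertSvcReg -Lines $sample

# Against real files (hypothetical names). regedit exports are UTF-16, so keep
# that encoding, and always trim a copy: step 5 needs the untouched export.
#   $in = Get-Content .\CertSvc-full.reg -Encoding Unicode
#   Get-TrimmedCertSvcReg -Lines $in | Set-Content .\CertSvc-trimmed.reg -Encoding Unicode
```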

 

 

 

 

Regular Visitor

Update: if you are missing CA templates after the deployment, then either go into the ADSI for the configuration of your AD DC server under:

adsi -> configuration -> services -> public key services -> certificate templates  ->in there is all your templates self made and auto generated

 

The self made ones you need to import by PowerShell (admin mode) on your CA server:

 

certutil -SetCAtemplates +your-template-name

 

If you have a template name with () you need to do this:

 

certutil -SetCAtemplates +'your-template-name'

 

 

Visitor

@RasmusJohnsen yes, that worked! Now SCCM clients are working again;)

Occasional Visitor

Hi there,

 

I also have to migrate my Root-CA from Win-Server 2008R2 to 2019.

Is it really necessary to first (inplace) migrate to 2012R2 and then I would be able to migrate to 2019? 

 

Did anyone of you experience the JET-database issues trying to migrate the ADCS directly from 2008R2 to 2019?

 

What about you @Anthony Bartolo ? Are there any updates to the known issues?

Would be great if you can update your Blog :)

Thanks and regards,

Florian 

Regular Visitor

#flo_nuernberg

 

Yes, the reason for that is because the JET DB changes from 2008R2 to 2012R2 and so on. So you can't take that big of a jump beyond 2012R2 and upwards.

 

You need to first go to 2012R2 and then do the jump from there to either 2016 or skip 2016 and go to 2019.

 

Yes, I originally started with the jump from 2008R2 to 2016; that did not work out in any way. So going for 2019 will have the same issues.

 

I have heard that some 2 customers have successfully made an in-place upgrade from 2008R2 to 2016, but I have never myself been able to have a successful go at that scenario. And from what I learned, a LOT of coding and hardening took place and pure luck was the reason for their success.

Some of the CU Windows updates sometimes fix/break stuff, we all know that, and in some lucky way these customers have been able to jump in between and have a successful in-place upgrade.

Regular Visitor

So then to clarify...I should/can do an in place upgrade from my 2008R2 to 2012R2...then follow up by building a new 2019 server and migrating my data over to that? Or does the migration to 2012R2 have to be done on a new server as well? 

 

In addition, can you jump straight from 2008R2 to 2012R2, or do you have to do an intermediate to 2012? 

 

Thanks

Regular Visitor

Hi GGearon,

 

In-place upgrade: No, not from 2008R2 to 2012R2, you have to do a fresh install, best solution in any case. The 2 cases I talked about were impossibly lucky cases I have heard of, out of ~60 cases.

 

The best scenario is to build 2 new servers.

1. 2012 R2

2. 2016 or 2019

 

In between the 2008R2 and 2012R2 is the 2012; you don't need to do the jump to that, because the JET DB was not upgraded that much, but it was highly changed in the 2016 platform, hence the "jump" step from 2012R2 to 2016 or 2019, depending on what OS version you are aiming at.

 

Again:

 

Coming from below 2012 R2, you have to do a clean install on a 2012R2 and then from there either in-place or fresh install to the next version you like; so far it is possible to go directly to 2019 from 2012R2 but not from below this version.

 

 

 

 

 

 

 

Regular Visitor

Awesome Rasmus thank you. 

 

My environment is an offline root CA, a server running as the issuing CA, and then a third server hosting the CRL. I assume I will need a new 2012R2 server for each of those, following the documented migration steps of moving the data and configurations over.