Step-By-Step: Migrating Active Directory Certificate Service From Windows Server 2008 R2 to 2019
Published May 13 2021 03:01 AM 70.5K Views
Microsoft

Extended support for Windows Server 2008 and Windows Server 2008 R2 ended on January 14, 2020. Extended Security Updates (ESUs) were supported through January 9, 2024 for Azure-hosted environments (and through January 10, 2023 for non-Azure), but the ESU program provides critical and important security updates and bulletins, not support. We are closing comments on this blog post at this time and will archive it on February 28, 2024.


Windows Server 2008 R2 achieved end of support via Microsoft on January 14th 2020. In a previous post, steps were detailed on Active Directory Certificate Service migration from 2008 R2 to 2019 but required the new Windows Server 2019 server to have the same name as the previous 2008 R2 server.  Many of you have reached out asking for an update of the steps to reflect Active Directory Certificate Service migration from 2008 R2 to 2016 / 2019 containing a different name.  A solution has been found and tested with repeatable steps shared below.

 

NOTE: The following was tested in a lab environment. While the solution was successful it may not reflect your organization's current setup. Please test the steps below in a lab environment prior to implementing on production.

 

Step 1: Backup Windows Server 2008 R2 certificate authority database and its configuration
 

  1. Log in to Windows 2008 R2 Server as member of local administrator group
  2. Go to Start > Administrative Tools > Certificate Authority
  3. Right Click on Server Node > All Tasks > Backup CA
     
    Certification Authority Backup CACertification Authority Backup CA
     
  4. Click Next on the Certification Authority Backup Wizard screen
  5. Click both check boxes to select both items to backup and provide the backup path for the file to be stored
     
    Certification Authority Backup Wizard Item SelectionCertification Authority Backup Wizard Item Selection
     
  6. Click Next
  7. Provide a password to protect private key and CA certificate file and click on next to continue
  8. Click Finish to complete the process

Step 2: Backup CA Registry Settings

 

  1. Click Start > Run > type regedit and click OK
  2. Expand the key in following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc
  3. Right click on the Configuration key and click Export
  4. Provide a name, save the backup file and then click on save to complete the backup
     
    Backup CA Registry SettingsBackup CA Registry Settings

Backup of the Certificates is now complete and the files can now be moved to the new Windows 2016 / 2019 server.

 

CA Backup completeCA Backup complete

 

Step 3: Uninstall CA Service from Windows Server 2008 R2

 

  1. Navigate to Server Manager
  2. Click Remove Roles under Roles Summary to start the Remove Roles Wizard, and then click Next
     
    Uninstalling a CAUninstalling a CA

  3. Click to clear the Active Directory Certificate Services check box and click Next
     
    Removing Active Directory Certificate ServicesRemoving Active Directory Certificate Services
     
  4. Click Remove on the Confirm Removal Options page
  5. If Internet Information Services (IIS) is running and you are prompted to stop the service before you continue with the uninstall process, click OK
  6. Click Close
  7. Restart the server to complete the uninstall

Step 4: Install Windows Server 2016 / 2019 Certificate Services

 

*NOTE: The screenshots below show the server name as WS2019 to highlight which server we are working on. This step-by-step highlights screenshots from Windows Server 2019. Windows Server 2016 process is the same with similar screenshots
 

  1. Log in to Windows Server 2019 as Domain Administrator or member of local administrator group
  2. Navigate to Server Manager > Add roles and features
  3. Click on next to continue in the Add Roles and features Wizard
  4. Select Role-based or Feature-based installation and click next
  5. Keep the default selection from the server selections window and click next
     
    Windows Server 2019 Server SelectionsWindows Server 2019 Server Selections
     
  6. Select Active Directory Certificate Services, click next in the pop up window to acknowledge the required features that need to be added, and click next to continue
     
    Adding Active Directory Certificate ServicesAdding Active Directory Certificate Services
     
  7. Click Next in the Features section to continue
  8. Review the brief description about AD CS and click next to continue
  9. Select Certificate Authority and Certification Authority Web Enrollment, click next in the pop up window to acknowledge the required features that need to be added, and click next to continue
     
    Windows Server 2019 Add Role ServicesWindows Server 2019 Add Role Services
     
  10. Review the brief description about IIS and click next to continue
  11. Leave the default and click next to continue
  12. Click Install to begin the installation process
  13. Close the wizard once it is complete

 

Step 5: Configure AD CS

 

In this step will look in to configuration and restoring the backup created previously

 

  1. Navigate to Server Manager > AD CS
  2. In right hand panel it will show message as following screenshot and click on More
     
    AD CSAD CS
     
  3. Click on Configure Active Directory Certificate Service …… in the pop up window
     
    Configure Active Directory Certificate ServiceConfigure Active Directory Certificate Service
     
  4. In the Role Configuration wizard, ensure the proper credential for Enterprise Administrator is shown and click next to continue
  5. Select Certification Authority and Certification Authority Web Enrollment and click next to continue
  6. Ensure Enterprise CA is selected the setup type and click next to continue
  7. Select Root CA as the CA type and click next to continue
  8. With this being a migration, select Use existing private key and Select a certificate and use its associated private key and click next to continue
     
    AD CS ConfigurationAD CS Configuration
     
  9. Click Import in the AD CS Configuration window
  10. Select the key backed up during the backup process from windows 2008 R2 server. Browse and select the key from the backup we made and provide the password we used for protection and click OK.
     
    Import Existing CertificateImport Existing Certificate
     
  11. With the key successfully imported and select the imported certificate and click next to continue
  12. Leave the default certificate database path and click next to continue
  13. Click on configure to proceed with the configuration process
  14. Close the configuration Wizard once complete
  15. Open the Command Prompt in Administrator Mode
  16. Run the following to stop certificate services
     
    net stop certsvc
  17. Open the registry file exported from the Windows 2008 server in Notepad
     
    NOTE: Please ensure you have tested this in lab first prior to completing these steps. While the solution was successful in lab it may not reflect your organization's current setup and may disrupt your service. Microsoft is not liable for any possible disruption that may occur.

  18. Locate CAServerName and change the value to the name of the NEW 2016 / 2019 Windows Server
     
    Modify registry fileModify registry file
     
  19. Save the changes in Notepad

 

Step 6: Restore CA Backup

 

  1. Navigate to Server Manager > Tools > Certification Authority
  2. Right click on server node > All Tasks > Restore CA
  3. A window will appear confirming the stop of Active Directory Certificate Services. Click OK to continue.
     
    Confirm stop of Active Directory Certificate ServicesConfirm stop of Active Directory Certificate Services
  4. Click Next to start the Certification Authority Restore Wizard
  5. Click both check boxes to select both items to restore and provide the backup path for the file to be restored from
     
    Certification Authority Restore WizardCertification Authority Restore Wizard
  6. Enter the password used to protect private key during the backup process and click next
  7. Click Finish to complete the restore process
  8. Click Yes to restart Active Directory Certificate Services

 

Step 7: Restore Registry info

 

  1. Navigate to the folder containing the backed-up registry key with the newly edited CAServerName value and double click > Run to initialize the restore
  2. Click yes to proceed with registry key restore
  3. Click OK once confirmation about the restore is shared

 

Step 8: Reissue Certificate Templates

 

It is now time to reissue the certificate with the migration process now complete.

 

  1. Under Server Manager, navigate to Tools > Certification Authority
  2. Right click on Certificate Templates Folder > New > Certificate Template to Reissue
  3. From the certificate templates list click on the appropriate certificate template and click OK

 

This completes the Active Directory Certificate Service migration steps from 2008 R2 to 2016 / 2019 containing a different server name. 

 

The following video also shares steps surrounding this process as well as migrating DNS.

 

17 Comments
Co-Authors
Version history
Last update:
‎Feb 01 2024 09:28 AM
Updated by: