Support for both Windows Server 2003 and 2003 R2 ended on July 14th, 2015, and yet there are still several organizations operating their businesses on it. There are still a vast number of IT professionals in midst of planning migration. This guide, originally shared by Microsoft MVP Dishan Francis, will provide steps on migrating AD CS from Windows Server 2003 to Windows Server 2012 R2.
This demonstration will use the following setup.
Windows Server 2003 R2 Enterprise x86
AD CS (Enterprise Certificate Authority)
Windows Server 2012 R2 x64
Step 1: Backup Windows Server 2003 certificate authority database and its configuration
Log in to Windows 2003 Server as member of local administrator group
Go to Start > Administrative Tools > Certificate Authority
Right Click on Server Node > All Tasks > Backup CA
This will open the Certification Authority Backup Wizard. Click Next to continue.
In next window click on check boxes to select options as highlighted and click on Browse to provide the backup file path location where it will save the backup file. Then click on Next to continue.
Then it will ask to provide a password to protect private key and CA certificate file. Once provided the password click on next to continue
In next window it will provide the confirmation and click on Finish to complete the process
Step 2: Backup CA Registry Settings
Click Start > Run and then type regedit and click Ok
Expand the key in following path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc
Right click on Configuration key and click on Export
In next window select the path you need to save the backup file and provide a name for it. Then click on save to complete the backup.
Now we have the backup of the CA and move these files to the new windows 2012 R2 server.
Step 3: Uninstall CA Service from Windows Server 2003
Now we have the backup files ready and before configure certificate services in new Windows Server 2012 r2, we can uninstall the CA services from windows 2003 server. To do that need to follow following steps.
Click on Start > Control Panel > Add or Remove Programs
Next click on Add/Remove Windows Components
In next window remove the tick in Certificate Services and click on Next to continue.
Click on Finish once the process is completed.
With Certificate Authority Services now removed from Windows Server 2003, the next step is to configure Windows Server 2012 CA services.
Step 4: Install Windows Server 2012 R2 Certificate Services
Log in to Windows Server 2012 as Domain Administrator or member of local administrator group
Go to Server Manager > Add roles and features
This will open the Add roles and features wizard. Click next to continue.
Then next window, select Role-based or Feature-based installation and click next to continue.
From the server selections keep the default selection and click on next to continue.
In next window click on tick box to select the Active Directory Certificate Services role and a notification will pop up acknowledging the required features need to be added. Click on add features to add them.
Next, in features section, we will let it run with default. Click next to continue.
In next window, a brief description about AD CS is provided. Review and click next to continue.
Next you are given the option to select roles services. I have selected Certificate Authority and Certification Authority Web Enrollment. Click Next to continue.
Since Certification Authority Web Enrollment is selected, it will require IIS. So next window it will give brief description about IIS. Review and click next.
The next window gives an option to add IIS role services. Leave it as default and click next to continue.
The final window will give confirmation about the services to be installed. Review and click on Install to start the installation.
Close the wizard once installation is complete.
Step 5: Configure AD CS
In this step, we will investigate the configuration and restoring backup we created previously.
Log in to server as Enterprise Administrator
Go to Server Manager > AD CS
The panel on the right will show message as highlighted in yellow. Click on More.
A window will open, and you will need to click on Configure Active Directory Certificate Service ……
This will open role the configuration wizard which gives an option to change the credential. As we are already logged in as Enterprise administrator, we can leave the default and click next to continue.
The next window will ask which service you like to configure. Select both Certification Authority and Certification Authority Web Enrollment and click next to continue.
Next will be Enterprise CA requirement. In next window select Enterprise CA as the setup type and click next to continue.
In the next window, select Root CA as the CA type and click next to continue.
The next option is especially important. If this were a new installation, we would only need to create new private key. But since it’s a migration process, we already have a backup of the private key. So, select the options as highlighted in screenshot. Then click on Next to continue
In next window click on Import.
Next you are given the option to select the key we backed up during the backup process from the Windows 2003 server. Browse and select the key from the backup we made, provide the password we used for protection and then click OK.
With the key successfully imported, in next window select the imported certificate and click Next to continue.
In the next window, we can define certificate database path. In here I will leave it default and click next to continue.
The next window it will provide the configuration confirmation. Review and click on Configure to proceed with the process.
Once completed, click on Close to exit from the configuration wizard.
Step 6: Restore CA Backup
Now it’s comes to the most important part of the process which is to restore the CA backup made from Windows Server 2003.
Go To Server Manager > Tools > Certification Authority
Next right click on server node > All Tasks > Restore CA
Then it will ask if it’s okay to stop the certificate service to proceed. Click OK.
This will open the Certification Authority Restore Wizard. Click next to continue.
In the next window, browse the folder where we stored the backup and select it. Then select the options as highlighted in the screenshot below. Click Next to continue.
The next window gives an option to enter the password we used to protect private key during the backup process. Once it is entered, click Next to continue.
In next window click Finish to complete the import process.
Once the import process is completed, the system will ask if it’s okay to start the certificate service again. At this point start the service to bring it back online.
Step 7: Restore Registry info
During the CA backup process, we also backed up the registry key and it is now time to restore it.
Open the folder which contains the backup reg key and double click on the key.
Click Yes to proceed with restoring the registry key.
Once completed, details regarding the successful restore will be displayed.
Step 8: Reissue Certificate Templates
With the migration process now completed, it’s now time to reissue the certificates. I had template setup in Windows 2003 environment called “PC Certificate” which will issue the certificates to the domain computers. Let’s see how I can reissue them.
Open the Certification Authority Snap-in.
Right click on Certificate Templates Folder > New > Certificate Template to Reissue
From the certificate templates list click on the appropriate certificate template and click OK.
Step 9: Test the CA
In here I already had certificate template setup for the PC and set it to auto enroll. For the testing purposes I have setup a Windows PC called demo1 and added it to the canitpro.local domain. Once it’s loaded for the first time on the server, open the Certification Authority Snap-in, expand the Issued Certificate section and you can clearly see the new certificate it issued for the PC.
This confirms the migration is successful and completes the migration process.
Below is also an informative video detailing other considerations when migrating from Windows Server 2003.