Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2003 to 2012 R2
Published Dec 27 2018 12:01 AM 21.7K Views
Microsoft

Support for both Windows Server 2003 and 2003 R2 ended on July 14th, 2015, and yet there are still several organizations operating their businesses on it. There are still a vast number of IT professionals in midst of planning migration. This guide, originally shared by Microsoft MVP Dishan Francis, will provide steps on migrating AD CS from Windows Server 2003 to Windows Server 2012 R2.

 Windows_Server_2003_Certificate_Migration_001.png

 

 

This demonstration will use the following setup.

 

Server Name

Operating System

Server Roles

canitpro-casrv.canitpro.local

Windows Server 2003 R2 Enterprise x86

AD CS (Enterprise Certificate Authority)

CANITPRO-DC2K12.canitpro.local

Windows Server 2012 R2 x64

-

 

 

Step 1: Backup Windows Server 2003 certificate authority database and its configuration
 

  1. Log in to Windows 2003 Server as member of local administrator group
     
  2. Go to Start > Administrative Tools > Certificate Authority
     
  3. Right Click on Server Node > All Tasks > Backup CA
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_002.png
     
  4. This will open the Certification Authority Backup Wizard. Click Next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_003.jpg
     
  5. In next window click on check boxes to select options as highlighted and click on Browse to provide the backup file path location where it will save the backup file. Then click on Next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_004.jpg
     
  6. Then it will ask to provide a password to protect private key and CA certificate file. Once provided the password click on next to continue
     
  7. In next window it will provide the confirmation and click on Finish to complete the process

 

Step 2: Backup CA Registry Settings
 

  1. Click Start > Run and then type regedit and click Ok
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_006.jpg
     
  2. Expand the key in following path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc
     
  3. Right click on Configuration key and click on Export
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_007.jpg
     
  4. In next window select the path you need to save the backup file and provide a name for it. Then click on save to complete the backup.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_008.jpg
     
  5. Now we have the backup of the CA and move these files to the new windows 2012 R2 server. 
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_009.jpg
     

Step 3: Uninstall CA Service from Windows Server 2003
 

Now we have the backup files ready and before configure certificate services in new Windows Server 2012 r2, we can uninstall the CA services from windows 2003 server. To do that need to follow following steps.
 

  1. Click on Start > Control Panel > Add or Remove Programs
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_010.jpg
     
  2. Next click on Add/Remove Windows Components
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_011.jpg
     
  3. In next window remove the tick in Certificate Services and click on Next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_012.jpg
     
  4. Click on Finish once the process is completed.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_013.jpg
     

With Certificate Authority Services now removed from Windows Server 2003, the next step is to configure Windows Server 2012 CA services.
 

Step 4: Install Windows Server 2012 R2 Certificate Services
 

  1. Log in to Windows Server 2012 as Domain Administrator or member of local administrator group
     
  2. Go to Server Manager > Add roles and features
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_014.jpg
     
  3. This will open the Add roles and features wizard. Click next to continue.
     
  4. Then next window, select Role-based or Feature-based installation and click next to continue.
     
  5. From the server selections keep the default selection and click on next to continue.
     
  6. In next window click on tick box to select the Active Directory Certificate Services role and a notification will pop up acknowledging the required features need to be added. Click on add features to add them.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_015.jpg
     
  7. Next, in features section, we will let it run with default. Click next to continue.
     
  8. In next window, a brief description about AD CS is provided. Review and click next to continue.
     
  9. Next you are given the option to select roles services. I have selected Certificate Authority and Certification Authority Web Enrollment. Click Next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_016.jpg
     
  10. Since Certification Authority Web Enrollment is selected, it will require IIS. So next window it will give brief description about IIS. Review and click next.
     
  11. The next window gives an option to add IIS role services. Leave it as default and click next to continue.
     
  12. The final window will give confirmation about the services to be installed. Review and click on Install to start the installation.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_017.jpg
     
  13. Close the wizard once installation is complete.
     

Step 5: Configure AD CS
 

In this step, we will investigate the configuration and restoring backup we created previously.
 

  1. Log in to server as Enterprise Administrator
     
  2. Go to Server Manager > AD CS
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_018.jpg
     
  3. The panel on the right will show message as highlighted in yellow. Click on More.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_019.jpg
     
  4. A window will open, and you will need to click on Configure Active Directory Certificate Service ……
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_020.jpg
     
  5. This will open role the configuration wizard which gives an option to change the credential. As we are already logged in as Enterprise administrator, we can leave the default and click next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_021.jpg
     
  6. The next window will ask which service you like to configure. Select both Certification Authority and Certification Authority Web Enrollment and click next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_022.jpg
     
  7. Next will be Enterprise CA requirement. In next window select Enterprise CA as the setup type and click next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_023.jpg
     

  8. In the next window, select Root CA as the CA type and click next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_024.jpg
     
  9. The next option is especially important. If this were a new installation, we would only need to create new private key. But since it’s a migration process, we already have a backup of the private key. So, select the options as highlighted in screenshot. Then click on Next to continue
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_025.jpg
     
  10. In next window click on Import.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_026.jpg
     
  11. Next you are given the option to select the key we backed up during the backup process from the Windows 2003 server. Browse and select the key from the backup we made, provide the password we used for protection and then click OK.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_027.jpg
     
  12. With the key successfully imported, in next window select the imported certificate and click Next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_028.jpg
     
  13. In the next window, we can define certificate database path. In here I will leave it default and click next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_029.jpg
     
  14. The next window it will provide the configuration confirmation. Review and click on Configure to proceed with the process.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_030.jpg
     
  15. Once completed, click on Close to exit from the configuration wizard.
     

Step 6: Restore CA Backup
 

Now it’s comes to the most important part of the process which is to restore the CA backup made from Windows Server 2003.
 

  1. Go To Server Manager > Tools > Certification Authority
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_031.jpg
     
  2. Next right click on server node > All Tasks > Restore CA
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_032.jpg
     
  3. Then it will ask if it’s okay to stop the certificate service to proceed. Click OK.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_033.jpg
     
  4. This will open the Certification Authority Restore Wizard.  Click next to continue.
     
  5. In the next window, browse the folder where we stored the backup and select it. Then select the options as highlighted in the screenshot below. Click Next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_034.jpg
     
  6. The next window gives an option to enter the password we used to protect private key during the backup process. Once it is entered, click Next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_035.jpg
     
  7. In next window click Finish to complete the import process.
     
  8. Once the import process is completed, the system will ask if it’s okay to start the certificate service again. At this point start the service to bring it back online.
     

Step 7: Restore Registry info
 

During the CA backup process, we also backed up the registry key and it is now time to restore it.
 

  1. Open the folder which contains the backup reg key and double click on the key.
     
  2. Click Yes to proceed with restoring the registry key.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_036.jpg
     
  3. Once completed, details regarding the successful restore will be displayed. 
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_037.jpg
     

Step 8: Reissue Certificate Templates
 

With the migration process now completed, it’s now time to reissue the certificates. I had template setup in Windows 2003 environment called “PC Certificate” which will issue the certificates to the domain computers. Let’s see how I can reissue them.
 

  1. Open the Certification Authority Snap-in.
     
  2. Right click on Certificate Templates Folder > New > Certificate Template to Reissue
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_038.jpg
     
  3. From the certificate templates list click on the appropriate certificate template and click OK.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_039.jpg

Step 9: Test the CA

In here I already had certificate template setup for the PC and set it to auto enroll. For the testing purposes I have setup a Windows PC called demo1 and added it to the canitpro.local domain. Once it’s loaded for the first time on the server, open the Certification Authority Snap-in, expand the Issued Certificate section and you can clearly see the new certificate it issued for the PC.
 
Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_040.jpg
 
This confirms the migration is successful and completes the migration process.

 

Below is also an informative video detailing other considerations when migrating from Windows Server 2003.

 

19 Comments
Co-Authors
Version history
Last update:
‎Jul 09 2021 08:14 AM
Updated by: