Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019

Published Jun 18 2019 12:01 AM 211K Views
Microsoft

End of support for Windows Server 2008 R2 has been slated by Microsoft for January 14th 2020.  Said announcement increased interest in a previous post detailing steps on Active Directory Certificate Service migration from server versions older than 2008 R2.  Many subscribers of ITOpsTalk.com have reached out asking for an update of the steps to reflect Active Directory Certificate Service migration from 2008 R2 to 2016 / 2019 and of course our team is happy to oblige. This post contains steps on migrating the Active Directory Certificate Service to Windows Server 2019 that contains the same name. Check out this new post detailing steps on migrating the service to a newly named server should that be required.

 

Step 1: Backup Windows Server 2008 R2 certificate authority database and its configuration
 

  1. Log in to Windows 2008 R2 Server as member of local administrator group
  2. Go to Start > Administrative Tools > Certificate Authority
  3. Right Click on Server Node > All Tasks > Backup CA
     
    Certification Authority Backup CACertification Authority Backup CA
     
  4. Click Next on the Certification Authority Backup Wizard screen
  5. Click both check boxes to select both items to backup and provide the backup path for the file to be stored
     
    Certification Authority Backup Wizard Item SelectionCertification Authority Backup Wizard Item Selection
     
  6. Click Next
  7. Provide a password to protect private key and CA certificate file and click on next to continue
  8. Click Finish to complete the process

Step 2: Backup CA Registry Settings

 

  1. Click Start > Run > type regedit and click OK
  2. Expand the key in following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc
  3. Right click on the Configuration key and click Export
  4. Provide a name, save the backup file and then click on save to complete the backup
     
    Backup CA Registry SettingsBackup CA Registry Settings

Backup of the Certificates is now complete and the files can now be moved to the new Windows 2016 / 2019 server.

 

CA Backup completeCA Backup complete

 

Step 3: Uninstall CA Service from Windows Server 2008 R2

 

  1. Navigate to Server Manager
  2. Click Remove Roles under Roles Summary to start the Remove Roles Wizard, and then click Next
     
    Uninstalling a CAUninstalling a CA

  3. Click to clear the Active Directory Certificate Services check box and click Next
     
    Removing Active Directory Certificate ServicesRemoving Active Directory Certificate Services
     
  4. Click Remove on the Confirm Removal Options page
  5. If Internet Information Services (IIS) is running and you are prompted to stop the service before you continue with the uninstall process, click OK
  6. Click Close
  7. Restart the server to complete the uninstall

Step 4: Install Windows Server 2016 / 2019 Certificate Services

 

*NOTE: The new 2016 / 2019 server needs to have the same "Name" as this point.  The screenshots below show the server name as WS2019 to highlight which server we are working on. This step-by-step highlights screenshots from Windows Server 2019. Windows Server 2016 process is the same with similar screenshots
 

  1. Log in to Windows Server 2019 as Domain Administrator or member of local administrator group
  2. Navigate to Server Manager > Add roles and features
  3. Click on next to continue in the Add Roles and features Wizard
  4. Select Role-based or Feature-based installation and click next
  5. Keep the default selection from the server selections window and click next
     
    Windows Server 2019 Server SelectionsWindows Server 2019 Server Selections
     
  6. Select Active Directory Certificate Services, click next in the pop up window to acknowledge the required features that need to be added, and click next to continue
     
    Adding Active Directory Certificate ServicesAdding Active Directory Certificate Services
     
  7. Click Next in the Features section to continue
  8. Review the brief description about AD CS and click next to continue
  9. Select Certificate Authority and Certification Authority Web Enrollment, click next in the pop up window to acknowledge the required features that need to be added, and click next to continue
     
    Windows Server 2019 Add Role ServicesWindows Server 2019 Add Role Services
     
  10. Review the brief description about IIS and click next to continue
  11. Leave the default and click next to continue
  12. Click Install to begin the installation process
  13. Close the wizard once it is complete

 

Step 5: Configure AD CS

 

In this step will look in to configuration and restoring the backup created previously

 

  1. Navigate to Server Manager > AD CS
  2. In right hand panel it will show message as following screenshot and click on More
     
    AD CSAD CS
     
  3. Click on Configure Active Directory Certificate Service …… in the pop up window
     
    Configure Active Directory Certificate ServiceConfigure Active Directory Certificate Service
     
  4. In the Role Configuration wizard, ensure the proper credential for Enterprise Administrator is shown and click next to continue
  5. Select Certification Authority and Certification Authority Web Enrollment and click next to continue
  6. Ensure Enterprise CA is selected the setup type and click next to continue
  7. Select Root CA as the CA type and click next to continue
  8. With this being a migration, select Use existing private key and Select a certificate and use its associated private key and click next to continue
     
    AD CS ConfigurationAD CS Configuration
     
  9. Click Import in the AD CS Configuration window
  10. Select the key backed up during the backup process from windows 2008 R2 server. Browse and select the key from the backup we made and provide the password we used for protection and click OK.
     
    Import Existing CertificateImport Existing Certificate
     
  11. With the key successfully imported and select the imported certificate and click next to continue
  12. Leave the default certificate database path and click next to continue
  13. Click on configure to proceed with the configuration process
  14. Close the configuration Wizard once complete

 

Step 6: Restore CA Backup

 

  1. Navigate to Server Manager > Tools > Certification Authority
  2. Right click on server node > All Tasks > Restore CA
  3. A window will appear confirming the stop of Active Directory Certificate Services. Click OK to continue.
     
    Confirm stop of Active Directory Certificate ServicesConfirm stop of Active Directory Certificate Services
  4. Click Next to start the Certification Authority Restore Wizard
  5. Click both check boxes to select both items to restore and provide the backup path for the file to be restored from
     
    Certification Authority Restore WizardCertification Authority Restore Wizard
  6. Enter the password used to protect private key during the backup process and click next
  7. Click Finish to complete the restore process
  8. Click Yes to restart Active Directory Certificate Services

 

Step 7: Restore Registry info

 

  1. Navigate to the folder with the backed up registry key and double click > Run to initialize the restore
  2. Click yes to proceed with registry key restore
  3. Click OK once confirmation about the restore is shared

 

Step 8: Reissue Certificate Templates

 

It is now time to reissue the certificate with the migration process now complete.

 

  1. Under Server Manager, navigate to Tools > Certification Authority
  2. Right click on Certificate Templates Folder > New > Certificate Template to Reissue
  3. From the certificate templates list click on the appropriate certificate template and click OK

 

This concludes the Active Directory Certificate Service migration steps

 

The following video also shares steps surrounding this process as well as migrating DNS.

 

94 Comments
%3CLINGO-SUB%20id%3D%22lingo-sub-698955%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-698955%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Anthony%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGreat!%3C%2FP%3E%3CP%3EThanks%20for%20the%20information%20and%20article.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%20Regards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-699938%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-699938%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20it%20matter%20if%20new%20server%20and%20old%20server%20have%20different%20names%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-700730%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-700730%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F362264%22%20target%3D%22_blank%22%3E%40bradfore44%3C%2FA%3E%26nbsp%3B-%20Yes%20in%20this%20scenario%20the%20old%20server%20and%20new%20server%20would%20need%20to%20have%20the%20same%20name.%26nbsp%3B%20I%20am%20currently%20working%20on%20writing%20another%20post%20that%20will%20address%20the%20need%20to%20have%20servers%20with%20different%20names.%26nbsp%3B%20Stay%20tuned.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-700754%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-700754%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102838%22%20target%3D%22_blank%22%3E%40Anthony%20Bartolo%3C%2FA%3E%26nbsp%3Bplease%20update%20the%20comments%20here%20when%20the%20post%20dealing%20with%20different%20server%20names%20is%20ready.%20Also%2C%20if%20we%20have%20an%20offline%20root%2C%20is%20the%20process%20basically%20the%20same%2C%20we'd%20just%20choose%20the%20appropriate%20CA%20type%20for%20the%20root%20and%20the%20intermediate%20server%3F%20Thanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-701852%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-701852%22%20slang%3D%22en-US%22%3EYou%20say%20that%20the%20servers%20have%20the%20same%20name%20but%20in%20the%20screenshots%2C%20don%E2%80%99t%20the%20servers%20have%20different%20names%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-697674%22%20slang%3D%22en-US%22%3EStep-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%202019%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-697674%22%20slang%3D%22en-US%22%3E%3CP%3EEnd%20of%20support%20for%20Windows%20Server%202008%20R2%20has%20been%20slated%20by%20Microsoft%20for%20January%2014th%202020.%26nbsp%3B%20Said%20announcement%20increased%20interest%20in%20a%20%3CA%20title%3D%22Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202003%20to%202012%20R2%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FITOps-Talk-Blog%2FStep-By-Step-Migrating-The-Active-Directory-Certificate-Service%2Fba-p%2F306931%3FWT.mc_id%3DITOPSTALK-blog-abartolo%22%20target%3D%22_blank%22%3Eprevious%20post%3C%2FA%3E%20detailing%20steps%20on%20Active%20Directory%20Certificate%20Service%20migration%20from%20server%20versions%20older%20than%202008%20R2.%26nbsp%3B%20Many%20subscribers%20of%20ITOpsTalk.com%20have%20reached%20out%20asking%20for%20an%20update%20of%20the%20steps%20to%20reflect%26nbsp%3BActive%20Directory%20Certificate%20Service%20migration%20from%202008%20R2%20to%202016%20%2F%202019%20and%20of%20course%20our%20team%20is%20happy%20to%20oblige.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%3EStep%201%3A%20Backup%20Windows%20Server%202008%20R2%20certificate%20authority%20database%20and%20its%20configuration%3CBR%20%2F%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3E%3CSPAN%3ELog%20in%20to%20Windows%202008%20R2%20Server%20as%20member%20of%20local%20administrator%20group%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3EGo%20to%20Start%20%26gt%3B%20Administrative%20Tools%20%26gt%3B%20Certificate%20Authority%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ERight%20Click%20on%20Server%20Node%20%26gt%3B%20All%20Tasks%20%26gt%3B%20Backup%20CA%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F119122i622409C7A6B82F7C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_001.png%22%20title%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_001.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3ECertification%20Authority%20Backup%20CA%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EClick%20Next%20on%20the%26nbsp%3BCertification%20Authority%20Backup%20Wizard%20screen%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EClick%20both%20check%20boxes%26nbsp%3Bto%20select%20both%20items%20to%20backup%20and%20provide%20the%20backup%20path%20for%20the%20file%20to%20be%20stored%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F119126i0CEE134B3C05A271%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_002.png%22%20title%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_002.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3ECertification%20Authority%20Backup%20Wizard%20Item%20Selection%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EClick%20Next%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EProvide%20a%20password%20to%20protect%20private%20key%20and%20CA%20certificate%20file%20and%20click%20on%20next%20to%20continue%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EClick%20Finish%20to%20complete%20the%20process%3C%2FSPAN%3E%3CSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CSPAN%3E%3CSTRONG%3EStep%202%3A%20Backup%20CA%20Registry%20Settings%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EClick%20Start%20%26gt%3B%20Run%20%26gt%3B%20type%26nbsp%3Bregedit%26nbsp%3Band%20click%20OK%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EExpand%20the%20key%20in%20following%20path%3A%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EHKEY_LOCAL_MACHINE%5CSYSTEM%5CCurrentControlSet%5CServices%5CCertSvc%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3CLI%3ERight%3CSPAN%3E%26nbsp%3Bclick%20on%20the%20Configuration%20key%20and%20click%20Export%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3EP%3CSPAN%3Erovide%20a%20name%2C%20save%20the%20backup%20file%20and%20then%20click%20on%20save%20to%20complete%20the%20backup%3CBR%20%2F%3E%3C%2FSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F119137iF7BED13ED81660E5%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_003.png%22%20title%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_003.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EBackup%20CA%20Registry%20Settings%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EBackup%20of%20the%20Certificates%20is%20now%20complete%20and%20the%20files%20can%20now%20be%20moved%20to%20the%20new%20Windows%202016%20%2F%202019%20server.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F119138iD018328073C80C64%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_004.png%22%20title%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_004.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3ECA%20Backup%20complete%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%3EStep%203%3A%20Uninstall%20CA%20Service%20from%20Windows%20Server%202008%20R2%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3ENavigate%20to%20Server%20Manager%3C%2FLI%3E%0A%3CLI%3EClick%26nbsp%3BRemove%20Roles%26nbsp%3Bunder%26nbsp%3BRoles%20Summary%26nbsp%3Bto%20start%20the%20Remove%20Roles%20Wizard%2C%20and%20then%20click%26nbsp%3BNext%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F119141i54FA12CF3E98C362%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_005.png%22%20title%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_005.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EUninstalling%20a%20CA%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%3EClick%20to%20clear%20the%26nbsp%3BActive%20Directory%20Certificate%20Services%26nbsp%3Bcheck%20box%20and%20click%26nbsp%3BNext%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F119144iE97EFE12019D4B2D%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_006.png%22%20title%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_006.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3ERemoving%20Active%20Directory%20Certificate%20Services%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EClick%20Remove%20on%20the%26nbsp%3BConfirm%20Removal%20Options%26nbsp%3Bpage%3C%2FLI%3E%0A%3CLI%3EIf%20Internet%20Information%20Services%20(IIS)%20is%20running%20and%20you%20are%20prompted%20to%20stop%20the%20service%20before%20you%20continue%20with%20the%20uninstall%20process%2C%20click%26nbsp%3BOK%3C%2FLI%3E%0A%3CLI%3EClick%20Close%3C%2FLI%3E%0A%3CLI%20class%3D%22%22%3ERestart%20the%20server%20to%20complete%20the%20uninstall%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%3EStep%204%3A%20Install%20Windows%20Server%202016%20%2F%202019%20Certificate%20Services%3CBR%20%2F%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%3E*NOTE%3A%20%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%3EThe%20new%202016%20%2F%202019%20server%20needs%20to%20have%20the%20same%20%22Name%22%20as%20this%20point.%26nbsp%3B%20The%20screenshots%20below%20show%20the%20server%20name%20as%20WS2019%20to%20highlight%20which%20server%20we%20are%20working%20on.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3EThis%20step-by-step%20highlights%20screenshots%20from%20Windows%20Server%202019.%20Windows%20Server%202016%20process%20is%20the%20same%20with%20similar%20screenshots%3CBR%20%2F%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3E%3CSPAN%3ELog%20in%20to%20Windows%20Server%202019%20as%20Domain%20Administrator%20or%20member%20of%20local%20administrator%20group%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ENavigate%20to%20Server%20Manager%20%26gt%3B%20Add%20roles%20and%20features%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EClick%20on%20next%20to%20continue%20in%20the%26nbsp%3BAdd%20Roles%20and%20features%20Wizard%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ESelect%20Role-based%20or%20Feature-based%20installation%20and%20click%20next%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EKeep%20the%20default%20selection%20from%20the%20server%20selections%20window%20and%20click%20next%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F119150i96BA79BF0A61456F%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_007.png%22%20title%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_007.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EWindows%20Server%202019%20Server%20Selections%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ESelect%26nbsp%3BActive%20Directory%20Certificate%20Services%2C%20click%20next%20in%20the%20pop%20up%20window%20to%26nbsp%3Backnowledge%20the%20required%20features%20that%20need%20to%20be%20added%2C%26nbsp%3Band%20click%20next%20to%20continue%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F119151i29ABADD81900F042%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_008.png%22%20title%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_008.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EAdding%20Active%20Directory%20Certificate%20Services%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EClick%20Next%20in%20the%20Features%20section%20to%20continue%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EReview%20the%20brief%20description%20about%20AD%20CS%20and%20click%20next%20to%20continue%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ESelect%26nbsp%3BCertificate%20Authority%20and%20Certification%20Authority%20Web%20Enrollment%2C%26nbsp%3Bclick%20next%20in%20the%20pop%20up%20window%20to%26nbsp%3Backnowledge%20the%20required%20features%20that%20need%20to%20be%20added%2C%20and%20click%20next%20to%20continue%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F119155iCD8DFC40695F0CC5%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_009.png%22%20title%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_009.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EWindows%20Server%202019%20Add%20Role%20Services%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EReview%20the%20brief%20description%20about%20IIS%20and%20click%20next%20to%20continue%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ELeave%20the%20default%20and%20click%20next%20to%20continue%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EClick%20Install%20to%20begin%20the%20installation%20process%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EClose%20the%20wizard%20once%20it%20is%20complete%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSTRONG%3EStep%205%3A%20Configure%20AD%20CS%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20this%20step%20will%20look%20in%20to%20configuration%20and%20restoring%20the%20backup%20created%20previously%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3E%3CSPAN%3ENavigate%20to%20Server%20Manager%20%26gt%3B%20AD%20CS%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EIn%20right%20hand%20panel%20it%20will%20show%20message%20as%20following%20screenshot%20and%20click%20on%20More%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F119159i64FB7AFC9F4FCC89%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_010.png%22%20title%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_010.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EAD%20CS%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EClick%20on%20Configure%20Active%20Directory%20Certificate%20Service%20%E2%80%A6%E2%80%A6%20in%20the%20pop%20up%20window%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F119163i8477F069D095B2E7%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_011.png%22%20title%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_011.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EConfigure%20Active%20Directory%20Certificate%20Service%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EIn%20the%20Role%20Configuration%20wizard%2C%20ensure%20the%20proper%20credential%20for%20Enterprise%20Administrator%20is%20shown%20and%20click%20next%20to%20continue%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ESelect%20Certification%20Authority%20and%20Certification%20Authority%20Web%20Enrollment%20and%20click%20next%20to%20continue%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EEnsure%26nbsp%3BEnterprise%20CA%20is%20selected%20the%20setup%20type%20and%20click%20next%20to%20continue%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ESelect%20Root%20CA%20as%20the%20CA%20type%20and%20click%20next%20to%20continue%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EWith%20this%20being%20a%20migration%2C%20select%20Use%20existing%20private%20key%20and%20Select%20a%20certificate%20and%20use%20its%20associated%20private%20key%20and%20click%20next%20to%20continue%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F119177i2008F3E13C0059D8%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_012.png%22%20title%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_012.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EAD%20CS%20Configuration%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EClick%20Import%20in%20the%20AD%20CS%20Configuration%26nbsp%3B%3C%2FSPAN%3Ewindow%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ESelect%20the%20key%20backed%20up%20during%20the%20backup%20process%20from%20windows%202008%20R2%20server.%20Browse%20and%20select%20the%20key%20from%20the%20backup%20we%20made%20and%20provide%20the%20password%20we%20used%20for%20protection%20and%20click%20OK.%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20678px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F119179i0E712415D2EA20A1%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_013.png%22%20title%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_013.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EImport%20Existing%20Certificate%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EWith%20the%26nbsp%3Bkey%20successfully%20imported%20and%20select%20the%20imported%20certificate%20and%20click%20next%20to%20continue%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ELeave%20the%20default%20certificate%20database%20path%20and%20click%20next%20to%20continue%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EClick%20on%20configure%20to%20proceed%20with%20the%20configuration%20process%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EClose%20the%20configuration%20Wizard%20once%20complete%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSTRONG%3EStep%206%3A%20Restore%20CA%20Backup%3C%2FSTRONG%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3E%3CSPAN%3ENavigate%20to%20Server%20Manager%20%26gt%3B%20Tools%20%26gt%3B%20Certification%26nbsp%3B%3C%2FSPAN%3EAuthority%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ERight%20click%20on%20server%20node%20%26gt%3B%20All%20Tasks%20%26gt%3B%20Restore%20CA%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EA%20window%20will%20appear%20confirming%20the%20stop%20of%20Active%20Directory%20Certificate%20Services.%20Click%20OK%20to%20continue.%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20782px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F119181iEE730772F86C5E12%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_014.png%22%20title%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_014.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EConfirm%20stop%20of%20Active%20Directory%20Certificate%20Services%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EClick%20Next%20to%20start%20the%26nbsp%3BCertification%20Authority%20Restore%20Wizard%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EClick%20both%20check%20boxes%26nbsp%3Bto%20select%20both%20items%20to%20restore%20and%20provide%20the%20backup%20path%20for%20the%20file%20to%20be%20restored%20from%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20998px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F119182i94861E0DB38EEB1A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_015.png%22%20title%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_015.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3ECertification%20Authority%20Restore%20Wizard%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EEnter%20the%20password%20used%20to%20protect%20private%20key%20during%20the%20backup%20process%20and%20click%20next%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EClick%20Finish%20to%20complete%20the%20restore%20process%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EClick%20Yes%20to%20restart%20Active%20Directory%20Certificate%20Services%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSTRONG%3EStep%207%3A%20Restore%20Registry%20info%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3ENavigate%20to%20the%20folder%20with%20the%20backed%20up%20registry%20key%20and%20double%20click%20%26gt%3B%20Run%20to%20initialize%20the%20restore%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EClick%20yes%20to%20proceed%20with%20registry%20key%20restore%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EClick%20OK%20once%20confirmation%20about%20the%20restore%20is%20shared%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSTRONG%3EStep%208%3A%20Reissue%20Certificate%20Templates%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EIt%20is%20now%20time%20to%20reissue%20the%20certificate%20with%20the%20migration%20process%20now%26nbsp%3B%3C%2FSPAN%3Ecomplete.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3E%3CSPAN%3EUnder%20Server%20Manager%2C%20navigate%20to%20Tools%20%26gt%3B%20Certification%20Authority%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ERight%20click%20on%20Certificate%20Templates%20Folder%20%26gt%3B%20New%20%26gt%3B%20Certificate%20Template%20to%20Reissue%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EFrom%20the%20certificate%20templates%20list%20click%20on%20the%20appropriate%20certificate%20template%20and%20click%20OK%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20concludes%20the%26nbsp%3BActive%20Directory%20Certificate%20Service%20migration%20steps%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-697674%22%20slang%3D%22en-US%22%3E%3CP%3EEnd%20of%20support%20for%20Windows%20Server%202008%20R2%20has%20been%20slated%20by%20Microsoft%20for%20January%2014th%202020.%26nbsp%3B%20Said%20announcement%20increased%20interest%20in%20a%20%3CA%20title%3D%22Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202003%20to%202012%20R2%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FITOps-Talk-Blog%2FStep-By-Step-Migrating-The-Active-Directory-Certificate-Service%2Fba-p%2F306931%3FWT.mc_id%3DITOPSTALK-blog-abartolo%22%20target%3D%22_blank%22%3Eprevious%20post%3C%2FA%3E%20detailing%20steps%20on%20Active%20Directory%20Certificate%20Service%20migration%20from%20server%20versions%20older%20than%202008%20R2.%26nbsp%3B%20Many%20subscribers%20of%20ITOpsTalk.com%20have%20reached%20out%20asking%20for%20an%20update%20of%20the%20steps%20to%20reflect%26nbsp%3BActive%20Directory%20Certificate%20Service%20migration%20from%202008%20R2%20to%202016%20%2F%202019%20and%20of%20course%20our%20team%20is%20happy%20to%20oblige.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20480px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F119194i5D07B37A022C8EAE%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_000_Robot.png%22%20title%3D%22How_To_Migrate_The_Active_Directory_Certificate_Service_From_Windows_Server_%202008R2_to_2019_000_Robot.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-697674%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAnthony%20Bartolo%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-701883%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-701883%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F362579%22%20target%3D%22_blank%22%3E%40Crchad%3C%2FA%3E%26nbsp%3BThank%20you%20for%20the%20heads%20up.%26nbsp%3B%20I%20updated%20the%20note%20found%20in%20the%20beginning%20of%20Step%204%20to%20address%20this.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-702204%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-702204%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102838%22%20target%3D%22_blank%22%3E%40Anthony%20Bartolo%3C%2FA%3EWill%20be%20nice%20on%20blog%20post%20with%20the%20different%20server%20name%20also%20to%20describe%20upgrade%20CA%20from%20SHA1%20to%20SHA2%20of%20the%20root%20certificate.%20Thanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-707105%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-707105%22%20slang%3D%22en-US%22%3E%3CP%3Egreat%20article%2C%20thank%20you.%20I%20take%20it%20the%20process%20is%20the%20same%20for%20any%20subordinate%20CA's%3F%20And%20should%20the%20subordinates%20be%20done%20after%20the%20root%20CA%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-709555%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-709555%22%20slang%3D%22en-US%22%3E%3CP%3EYes%2C%20is%20it%20the%20same%20for%20Offline%20root%20CA%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102838%22%20target%3D%22_blank%22%3E%40Anthony%20Bartolo%3C%2FA%3E%26nbsp%3B%3F%3C%2FP%3E%3CP%3EI%20have%20a%20customer%20that%20i%20will%20migrate%20next%20week%20and%20they%20have%20a%20Offline%20root%20CA%20and%20a%20publishing%20CA.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-713757%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-713757%22%20slang%3D%22en-US%22%3E%3CP%3Ewhat%20are%20thoughts%20about%20doing%20an%20in%20place%20upgrade%20from%202012%20R2%20to%202016%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-719431%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-719431%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102838%22%20target%3D%22_blank%22%3E%40Anthony%20Bartolo%3C%2FA%3E%26nbsp%3B%20Any%20update%20regarding%20our%20questions%20for%20Offline%20Root%20CA%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-719909%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-719909%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F362264%22%20target%3D%22_blank%22%3E%40bradfore44%3C%2FA%3E%26nbsp%3BYes%20it%20is%20possible.%26nbsp%3B%20Supporting%20docs%20can%20be%20found%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fget-started%2Fsupported-upgrade-paths%3FWT.mc_id%3DITOPSTALK-docs-abartolo%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fget-started%2Fsupported-upgrade-paths%3FWT.mc_id%3DITOPSTALK-docs-abartolo%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-719910%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-719910%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F341925%22%20target%3D%22_blank%22%3E%40christianjonsson%3C%2FA%3E%26nbsp%3BStill%20working%20on%20the%20research.%26nbsp%3B%20Stay%20tuned.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-722377%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-722377%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F16527%22%20target%3D%22_blank%22%3E%40Anthony%20Bartolo%3C%2FA%3E%20I%20put%20in%20a%20ticket%20with%20premier%20support%20referencing%20this%20ticket%20because%20I%20had%20a%20few%20follow%20up%20questions%2C%20but%20they%20came%20and%20told%20me%20that%20a%20upgrade%20directly%20from%202008%20R2%20to%202016%2F2019%20was%20not%20supported.%20I%20asked%20them%20if%20they%20had%20tested%20this%20in%20their%20lab%20according%20to%20your%20article%20and%20they%20confirmed%20that%20they%20did.%20here%20is%20their%20response%3A%20%22Unfortunately%20we%20cannot%20migrate%20the%20CA%20database%20directly%20form%20Server%202008%20R2%20to%20Server%202016%20because%20the%20JET%20database%20engine%20changed%20so%20much%20between%20the%20two%20versions%20that%20if%20we%20restore%20the%20backup%20we%20get%20a%20JET%20version%20error%20at%20startup%20and%20the%20CA%20won't%20start.%20But%20if%20we%20add%20one%20more%20step%20we%20can%20successfully%20fulfill%20the%20above%20tasks.%20This%20additional%20step%20is%20to%20first%20restore%20the%20DB%20backup%20to%20a%20Server%202012%20R2%20CA%20and%20then%20backup%20the%20DB%20again%20form%20there.%20This%20new%20backup%20now%20can%20be%20restored%20to%20the%20Server%202016%20CA.%20%22%20Is%20this%20something%20that%20you%20ran%20into%20when%20upgrading%20directly%20from%202008%20R2%20to%202016%2F2019%3F%20I%20would%20like%20to%20do%20the%20upgrade%20directly%20from%202008%20R2%20if%20possible%20and%20not%20step%20up%20to%202012%20R2%20first.%20Thanks%20in%20advance!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-722604%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-722604%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F367167%22%20target%3D%22_blank%22%3E%40rdp21915%3C%2FA%3EI%20have%20seen%20this%20same%20topic%20regarding%20the%20JET%20DB%20only%20one%20other%20time%20when%20researching%20this%20topic.%20%26nbsp%3B%20located%20here%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2F37373.migrating-ad-certificate-services-from-windows-server-2008-to-windows-server-2016.aspx%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2F37373.migrating-ad-certificate-services-from-windows-server-2008-to-windows-server-2016.aspx%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20not%20performed%20this%20upgrade%20yet%20but%20would%20like%20to%20here%20Anthony's%20response.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-722612%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-722612%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F367167%22%20target%3D%22_blank%22%3E%40rdp21915%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F366267%22%20target%3D%22_blank%22%3E%40dwright187%3C%2FA%3E%26nbsp%3BI%20am%20currently%20researching%20further%20requests%20in%20regards%20to%20this%20post.%26nbsp%3B%20This%20post%20was%20meant%20as%20an%20update%20to%20a%26nbsp%3B%3CA%20title%3D%22Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202003%20to%202012%20R2%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FITOps-Talk-Blog%2FStep-By-Step-Migrating-The-Active-Directory-Certificate-Service%2Fba-p%2F306931%3FWT.mc_id%3DITOPSTALK-blog-abartolo%22%20target%3D%22_blank%22%3Eprevious%20post%3C%2FA%3E%26nbsp%3Bof%20which%20the%20steps%20above%20were%20tested.%26nbsp%3B%20The%20above%20does%20not%20work%20for%20all%20scenarios%20hence%20the%20reason%20more%20research%20is%20being%20conducted.%20Thank%20you%20in%20advance%20for%20your%20patience.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-722630%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-722630%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F16527%22%20target%3D%22_blank%22%3E%40Anthony%20Bartolo%3C%2FA%3E%20Thanks%20Anthony!%20I%20appreciate%20the%20quick%20response.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-725223%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-725223%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%2C%20Anthony.%3C%2FP%3E%3CP%3EI%20have%20also%20read%20an%20article%20about%20upgrading%20the%20CA%20from%202008%20to%202012%2C%20then%202016%2F2019%20before%20reading%20your%20article%2C%20which%20I%20thought%20was%20a%20welcome%20relief.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20patiently%20await%20the%20result%20of%20your%20research%20on%20this%20topic.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOkei%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-734920%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-734920%22%20slang%3D%22en-US%22%3E%3CP%3EAny%20updates%20on%20the%20questions%20regarding%3B%3C%2FP%3E%3CP%3E1)%20what%20about%20if%20the%20root%20is%20offline%3F%3C%2FP%3E%3CP%3E2)%20is%20it%20the%20same%20process%20to%20migrate%20the%20intermediate%20CA%20server%3F%3C%2FP%3E%3CP%3E3)%20can%20I%20use%20a%20different%20server%20name%20for%20either%20of%20the%20above%3F%20(my%20friendly%20names%20on%20both%20are%20not%20linked%20to%20the%20server%20name%20in%20any%20way)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20environment%20is%20a%202008R2%20offline%20root%2C%20and%202008R2%20intermediate%20and%20ocsp%20responder%20servers.%20All%20of%20which%20I%20would%20like%20to%20get%20onto%20Server%202019.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-741493%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-741493%22%20slang%3D%22en-US%22%3E%3CP%3EGlad%20you%20are%20talking%20to%20this%20point%20but%20frankly%20there%20are%20many%20more%20details%20to%20the%20migration%20that%20is%20missing.%20These%20are%20all%20covered%20in%20the%20older%2C%20but%20still%20applicable%20and%20more%20detailed%20ADCS%20Migration%20Whitepaper.%20A%20couple%20of%20items%20of%20note%20in%20your%20process%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20A%3CSPAN%3E%26nbsp%3Bvery%20important%20step%20is%20missing%20from%20this%20and%20almost%20every%20migration%20doc%20that%20MICROSOFT%20has%20on%20this%20subject.%20You%20backup%20the%20CA%20while%20it%20is%20in%20production%20which%20means%20it%20could%20issue%20certificates%20after%20the%20backup%20and%20before%20you%20remove%20the%20role.%20I%20always%20recommend%20you%20note%20the%20templates%20that%20are%20installed%20on%20the%20CA%2C%20and%20then%20remove%20them%20from%20the%20CA.%20This%20prevents%20any%20further%20issuance.%20Now%20your%20backup%20will%20be%20accurate%20and%20no%20issued%20certificate%20details%20will%20be%20lost.%20After%20moving%20to%20the%20new%20platform%2C%20add%20back%20the%20appropriate%20templates.%3CSPAN%20class%3D%22Apple-converted-space%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22Apple-converted-space%22%3E2)%20In%20your%20backup%20of%20files%20you%20aren%E2%80%99t%20including%20the%20capolicy.inf%20file%20that%20may%20be%20in%20place%20and%20defining%20very%20important%20properties%20for%20your%20CA%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22Apple-converted-space%22%3E3)%20When%20the%20CA%20is%20restored%20onto%20a%20new%20computer%20it%20had%20a%20new%20AD%20SID.%20As.%20Result%20the%20CA%20will%20not%20be%20able%20to%20publish%20its%20CRL%20to%20AD%20(if%20so%20configured)%20because%20the%20old%20CA%20computer%20object%20was%20the%20only%20one%20ACL%E2%80%99d%20to%20do%20that.%20So%20this%20object%20needs%20to%20be%20updated%20to%20allow%20the%20new%20computer%20object%20to%20publish%20the%20CRL.%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-741987%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-741987%22%20slang%3D%22en-US%22%3EThanks%20to%20all%20who%20have%20provided%20information%20so%20far%2C%20a%20comprehensive%20guide%20that%20includes%20answers%20for%20the%20queries%20raised%20by%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F372315%22%20target%3D%22_blank%22%3E%40Thepkiguy%3C%2FA%3E%20above%20would%20be%20very%20handy.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-743036%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-743036%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20for%20the%20additional%20information.%20I%20have%20found%20other%20tech%20blogs%20where%20the%20discuss%20getting%20the%20capolicy.inf.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20CRL%20site%20is%20on%20a%20third%20server%2C%20that%20only%20does%20that.%20I%20do%20need%20to%20migrate%20that%20to%20a%20newer%20OS%20server%20as%20well.%20Will%20I%20need%20to%20worry%20about%20the%20SID%20on%20that%20server%20as%20well%2C%20or%20will%20that%20not%20be%20a%20thing%20since%20it's%20not%20a%20ADCS%20server%20per%20se%2C%20just%20an%20IIS%20server%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20does%20anyone%20have%20any%20thoughts%20on%20my%20questions%20above%3F%20Or%20some%20actual%20official%20MS%20documentation%20on%20this%20topic%2C%20even%20if%20it%20is%20missing%20several%20steps%3F%20I%20have%20not%20found%20anything%20official%20on%20migrating%20ADCS%20from%20older%20OS%20to%20new%20OS.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-743356%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-743356%22%20slang%3D%22en-US%22%3E%3CP%3ENo%20need%20to%20specifically%20upgrade%20your%20CRL%20Webserver%2C%20unless%20it%20too%20is%20going%20end%20of%20life.%20However%2C%20there%20is%20nothing%20it%20does%20in%20regards%20to%20the%20CRL%20or%20PKI%20that%20will%20be%20affected%20in%20AD%20by%20upgrading%20the%20OS.%20The%20ACL%20issue%20is%20just%20on%20the%20CA%20itself.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20is%20the%20Microsoft%20official%20migration%20doc.%20It's%20old%2C%20but%20still%20applicable.%20Usual%20caveots%20as%20I%20pointed%20out.%20There%20are%20some%20gotchas%20to%20the%20method%20they%20have%20you%20follow%20(remember%20you%20should%20remove%20templates%20before%20backups%2C%20etc.)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2008-R2-and-2008%2Fee126170(v%3Dws.10)%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2008-R2-and-2008%2Fee126170(v%3Dws.10)%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-743552%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-743552%22%20slang%3D%22en-US%22%3E%3CP%3EOh%20nice%2C%20thank%20you!!%26nbsp%3B%20I'm%20doing%20all%20these%20upgrades%20to%20the%20OS%20as%20they%20are%20Server%202008R2%2C%20and%20so%20I'm%20getting%20off%20of%20that%20prior%20to%20January%202020%20when%20it's%20EOS.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-755424%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-755424%22%20slang%3D%22en-US%22%3E%3CP%3EHas%20anyway%20found%20a%20good%20tool%20for%20certificate%20expiration%20notification.%20SCOM%20is%20worthless%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-755954%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-755954%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F362264%22%20target%3D%22_blank%22%3E%40bradfore44%3C%2FA%3E%2C%20PRTG%20Network%20Monitor%20is%20a%20useful%20tool%20as%20they%20have%20a%20SSL%20certificate%20monitor%20for%20websites%2C%20I%20have%20used%20this%20several%20times.%20Otherwise%20you%20could%20create%20a%20scheduled%20task%20that%20periodically%20runs%20a%20powershell%20script%20based%20on%20some%20of%20the%20information%20in%20%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fscotts-it-blog%2F2014%2F12%2F30%2Fworking-with-certificates-in-powershell%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.technet.microsoft.com%2Fscotts-it-blog%2F2014%2F12%2F30%2Fworking-with-certificates-in-powershell%2F%3C%2FA%3E.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-832783%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-832783%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F372315%22%20target%3D%22_blank%22%3E%40Thepkiguy%3C%2FA%3E%26nbsp%3BYour%20comment%20and%20observation%20is%20a%20giant%20spot%20on!%20All%20these%20oversimplified%20migration%20guides%20from%20MSFT%20employees%2C%20that%20are%20simple%20next-next-finish-YouAreDone%20are%20extremely%20misleading.%20An%20advanced%20PKI%20in%20production%20needs%20a%20very%20careful%20planning%2C%20otherwise%20you%20can%20search%20for%20new%20job%20the%20next%20week...%20These%20blog%20posts%20wont%20reveal%20such%20depths%2C%20and%20thats%20the%20dangerous%20part%20if%20you%20read%20this%20post.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20about%20multi-tier%20PKI%3F%20Oopsie%2C%20havent%20thought%20about%20that.%20How%20to%20handle%20offline%20rootca%3F%20Hmm%2C%20I%20forgot%20that.%20Sha1%20to%20Sha2%20key%20migrarion%3F%20Ooo...%20And%20the%20list%20goes%20on%20and%20on%20and%20on%20and%20on%20and%20on%20abd%20on...%20Hint%3A%20there%20is%20no%20recent%20MSPRESS%20book%20about%20Windows%20PKI%20since%20Brian%20Komars%202008%20book%20(yep%2C%2010yrs%20old%2C%20and%20doesnt%20handle%20many%20PKI%20and%20crypto%20fundamentals%20at%20all%2C%20that%20is%20required%20for%20the%20windows%20admin%20to%20even%20understand%20what%20they%20are%20doing%20with%20that%20sha1-%26gt%3Bsha2%20change%20etc.)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-841033%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-841033%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20just%201%20enterprise%20CA%20on%202008R2%20for%20years%20now.%3CBR%20%2F%3EIt's%20working%20fine.%3C%2FP%3E%3CP%3EI%20want%20to%20go%20to%20Windows%202019.%3C%2FP%3E%3CP%3EWhile%20backupping%20everything%20I%20found%20that%20I%20don't%20have%20a%26nbsp%3B%3CSPAN%3Ecapolicy.inf%20file.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F372315%22%20target%3D%22_blank%22%3E%40Thepkiguy%3C%2FA%3E%26nbsp%3BIs%20that%20a%20problem%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-841036%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-841036%22%20slang%3D%22en-US%22%3E%3CP%3ENot%20a%20problem%20Rob.%20Not%20every%20deployment%2FCA%20has%20a%20capolicy.inf.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-916500%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-916500%22%20slang%3D%22en-US%22%3E%3CP%3Ethis%20guide%20is%20not%20going%20through%20all%20the%20needed%20steps%20for%20this%20to%20work%20out.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20Yes%20you%20need%20to%20do%20a%20complete%20install%20on%20a%20server%202012%20r2%20before%20going%20to%20a%20server%202016%20or%202019.%3C%2FP%3E%3CP%3E%26nbsp%3Band%20the%20steps%20on%20a%20server%202012r2%20is%20the%20same%20going%20forward.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E!!Important%20make%20a%20copy%20of%20the%20reg%20file!!!%20we%20need%202%20of%20them%2C%20that%20is%20the%20best%20solution.%3C%2FP%3E%3CP%3E2.%20Before%20you%20install%20the%20CA%20roles%20on%20the%20new%20server%20(2012%2C16%2C19...)%20you%20need%20to%20import%20the%20reg%20entries%20into%20the%20regedit%20db%20-%20BUT%20you%20need%20to%20remove%20some%20of%20the%20entries%20first.%26nbsp%3B%3C%2FP%3E%3CP%3E-%20in%20the%20reg%20file%20under%20the%20first%20%3A%26nbsp%3B%5BHKEY_LOCAL_MACHINE%5CSYSTEM%5CCurrentControlSet%5CServices%5CCertSvc%5CConfiguration%5D%3C%2FP%3E%3CP%3Ethere%20is%2014%20items%2C%20you%20need%20to%20cut%20them%20down%20to%20only%204%2C%20these%20in%20specific%3A%3C%2FP%3E%3CP%3E%22LDAPFlags%22%3CBR%20%2F%3E%22DBFlags%22%3CBR%20%2F%3E%22WebClientCAName%22%3CBR%20%2F%3E%22WebClientCAType%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EStill%20with%20their%20values%20in%20the%20end%20of%20them.%26nbsp%3Bthe%20sub%20folder%20in%20the%20regedit%20file%20are%20still%20there!!%3C%2FP%3E%3CP%3ESave%20the%20reg%20file%20and%20execute%2Fmerge%20it%20into%20your%20regedit%20on%20the%20server.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E3.%20now%20go%20on%20an%20install%20the%20CA%20roles.%3C%2FP%3E%3CP%3Eservice%20will%20not%20start%26nbsp%3B%20%3D%20ok%20(see%20event%20viewer%2C%20error%2Fwarning%20%3D%20ok%20for%20now)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E4.%20restore%20the%20CA%20DB.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E5.%26nbsp%3B%20now%20execute%2Fmerge%20the%20backup%20reg%20file%20with%20all%20the%20items%20in%2C%20not%20the%20edited%20file%20from%20before.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E6.%20start%20the%20CA%20service%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewolla%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Equick%20tip%3A%3C%2FP%3E%3CP%3EIf%20you%20are%20going%20to%20have%20the%20server%20name%20changed%2C%20you%20have%20to%20change%20all%20the%20entries%20in%20the%20full%2C%20and%20edited%20reg%20file%20by%20search%20and%20replace%2C%20before%20you%20have%20them%20merged%2Fimported%20into%20the%20regedit%20db.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-916503%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-916503%22%20slang%3D%22en-US%22%3E%3CP%3Eupdate%20if%20you%20are%20missing%20CA%20templates%20after%20the%20deployment%20then%20either%20go%20into%20the%20ADSI%20for%20the%20confuguration%20of%20your%20AD%20DC%20server%20under%20%3A%26nbsp%3B%3C%2FP%3E%3CP%3Eadsi%20-%26gt%3B%20configuration%20-%26gt%3B%20services%20-%26gt%3B%20public%20key%20services%20-%26gt%3B%20certificate%20templates%26nbsp%3B%20-%26gt%3Bin%20there%20is%20all%20your%20templates%20self%20made%20and%20auto%20generated%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20self%20made%20ones%20you%20need%20to%20import%20by%20powershell(admin%20mode)%20on%20your%20CA%20server%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ecertutil%20-SetCAtemplates%20%2Byour-template-name%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eif%20your%20have%20a%20template%20name%20with%20()%20you%20need%20to%20do%20this%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ecertutil%20-SetCAtemplates%20%2B'your-template-name'%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-918665%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918665%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F427114%22%20target%3D%22_blank%22%3E%40RasmusJohnsen%3C%2FA%3E%26nbsp%3Byes%2C%20that%20worked!%20Now%20SCCM%20clients%20are%20working%20again%3B)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-942602%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-942602%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20there%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20also%20have%20to%20migrate%20my%20Root-CA%20from%20Win-Server%202008R2%20to%202019.%3C%2FP%3E%3CP%3EIs%20it%20really%20necessary%20to%20first%20(inplace)%20migrate%20to%202012R2%20and%20then%20I%20would%20be%20able%20to%20migrate%20to%202019%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDid%20anyone%20of%20you%20experience%20the%20JET-database%20issues%20trying%20to%20migrate%20the%20ADCS%20directly%20from%202008R2%20to%202019%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20about%20you%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102838%22%20target%3D%22_blank%22%3E%40Anthony%20Bartolo%3C%2FA%3E%26nbsp%3B%3F%20Are%20there%20any%20updates%20to%20the%20known%20issues%3F%3C%2FP%3E%3CP%3EWould%20be%20great%20if%20you%20can%20update%20your%20Blog%20%3A)%3C%2Fimg%3E%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%20and%20regards%2C%3C%2FP%3E%3CP%3EFlorian%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-942701%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-942701%22%20slang%3D%22en-US%22%3E%3CP%3E%23flo_nuernberg%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%20the%20reason%20for%20that%20is%20beacsuse%20the%20JET%20DB%20changes%20from%202008R2%20to%202012R2%20and%20so%20on.%20So%20you%20cant%20take%20that%20big%20of%20a%20jump%20beyond%202012R2%20and%20upwards.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20need%20to%20first%20go%20to%202012R2%20and%20then%20do%20then%20jump%20from%20there%20to%20either%202016%20or%20skip%202016%20and%20go%20to%202019.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%20have%20original%20started%20with%20the%20jump%20from%202008R2%20to%202016%2C%20that%20did%20no%20work%20out%20in%20any%20way.%20So%20goining%20for%202019%20will%20have%20the%20same%20issues.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20heard%20that%20some%202%20customers%20have%20successfull%20made%20an%20inplace%20upgrade%20from%202008R2%20to%202016%2C%20but%20have%20never%20self%20been%20able%20to%20have%20a%20succesfull%20go%20on%20that%20secnario.%20And%20from%20what%20I%20learn%20was%20a%20LOT%20of%20coding%20and%20hardning%20took%20place%20and%20pure%20luck%20was%20the%20reason%20for%20their%20success.%3C%2FP%3E%3CP%3ESome%20of%20the%20CU%20windows%20updates%20sometimes%20fixes%2Fbreaks%20stuff%20we%20all%20know%20that.%20and%20in%20some%20lucky%20way%20these%20customers%20have%20been%20able%20to%20jump%20inbetween%20and%20have%20a%20success%20inplace%20upgrade.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-945457%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-945457%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20then%20to%20clarify...I%20should%2Fcan%20do%20an%20in%20place%20upgrade%20from%20my%202008R2%20to%202012R2...then%20follow%20up%20by%20building%20a%20new%202019%20server%20and%20migrating%20my%20data%20over%20to%20that%3F%20Or%20does%20the%20migration%20to%202012R2%20have%20to%20be%20done%20on%20a%20new%20server%20as%20well%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20addition%2C%20can%20you%20jump%20straight%20from%202008R2%20to%202012R2%2C%20or%20do%20you%20have%20to%20do%20an%20intermediate%20to%202012%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-951692%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-951692%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20GGearon%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInplace%20upgrade%3A%20No%2C%20not%20from%202008R2%20to%202012R2%2C%20you%20have%20to%26nbsp%3B%20do%20a%20fresh%20install%2C%20best%20solution%20in%20any%20case.%20The%202%20cases%20I%20talked%20about%20was%20impossibly%20lucky%20cases%20i%20have%20heard%20off%2C%20out%20of%20~60%20cases.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20best%20scenario%20is%20to%20build%202%20new%20servers.%3C%2FP%3E%3CP%3E1.%202012%20R2%3C%2FP%3E%3CP%3E1.%202016%20or%202019%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInbetween%20of%20the%202008R2%20and%202012R2%2C%20is%20the%202012%2C%20you%20dont%20need%20to%20do%20the%20jump%20to%20that%2C%20because%20the%20JET%20DB%20was%20not%20upgrades%20that%20much%2C%20but%20it%20was%20highly%20changes%20in%20the%202016%20platform%2C%20hence%20the%20%22jump%22%20step%20from%202012R2%20to%202016%20or%202019%2C%20depending%20on%20what%20OS%20version%20you%20are%20aiming%20at.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAgain%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EComming%20form%20below%202012%20R2%2C%20then%20you%20have%20to%20do%20a%20clean%20install%20on%20a%202012R2%20and%20then%20from%20there%20either%20inplace%20or%20fresh%20install%20to%20the%20next%20version%20you%20like%2C%20so%20far%20it%20is%20possible%20to%20go%20directly%20to%202019%20from%202012R2%20but%20not%20from%20below%20this%20version.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-952867%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-952867%22%20slang%3D%22en-US%22%3E%3CP%3EAwesome%20Rasmus%20thank%20you.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20environment%20is%20an%20offline%20root%20CA%2C%20a%20server%20running%20as%20the%20issueing%20CA%2C%20and%20then%20a%20third%20server%20hosting%20the%20CRL.%20I%20assume%20I%20will%20need%20a%20new%202012R2%20server%20each%20of%20those%2C%20following%20the%20documented%20migration%20steps%20of%20moving%20the%20data%20and%20configurations%20over.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1026037%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1026037%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20topic%2Fclear%20instructions%2C%20thanks%20Anthony!%3C%2FP%3E%3CP%3EDid%20you%20have%20a%20chance%20to%20write%20related%20article%20about%20scenario%20where%20the%20%5Bdestination%5D%20server%20name%20is%20different%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1027371%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1027371%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Visitor%20lia-component-message-view-widget-author-username%22%3EAlexander-A%20%3C%2FSPAN%3E%3C%2FDIV%3E%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EIf%20you%20are%20going%20to%20have%20the%20server%20name%20changed%2C%20you%20have%20to%20change%20all%20the%20entries%20in%20the%20full%2C%20and%20edited%20reg%20file%20by%20search%20and%20replace%2C%20before%20you%20have%20them%20merged%2Fimported%20into%20the%20regedit%20db.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20can%20read%20the%20full%20explaniations%20in%209%20comments%20up%20from%20here.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1046862%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1046862%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20this%20process%20work%20for%20migrating%20from%20a%20Windows%20Server%202008%2032bit%20RootCA%20to%20a%20Server%202019%20RootCA%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1046898%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1046898%22%20slang%3D%22en-US%22%3E%3CP%3EYes%20it%20does.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1062981%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1062981%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F427114%22%20target%3D%22_blank%22%3E%40RasmusJohnsen%3C%2FA%3E%26nbsp%3BI%20am%20the%20Feature%20PM%20at%20Microsoft%20for%20ADCS%20and%20I%20need%20to%20point%20out%20some%20issues%20in%20your%20replies%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EWhen%20migrating%20from%202008R2%20to%202016%20or%202019%20the%20interim%20step%20of%20going%20to%202012R2%20first%20is%26nbsp%3B%3CSTRONG%3Enot%20required%3C%2FSTRONG%3E.%20That%20interim%20step%20is%20only%20required%20if%20you're%20starting%20with%202008%20or%20earlier.%3C%2FLI%3E%0A%3CLI%3EYour%20comment%20about%20removing%20all%20but%20the%204%20entries%20from%20the%20registry%20backup%20is%20also%20not%20required.%3C%2FLI%3E%0A%3CLI%3EYour%20reply%20regarding%20using%20certutil%20to%20add%20custom%20templates%20after%20a%20migration%20is%20a%20workaround%20and%20not%20a%20real%20solution.%20Occasionally%2C%20during%20a%20migration%20a%20couple%20of%20things%20may%20happen%20that%20prevent%20you%20from%20being%20able%20to%20publish%20custom%20templates%20with%20the%20GUI.%20One%20solution%20is%20to%20use%20ADSIEdit%20and%20navigate%20to%26nbsp%3BCN%3DConfiguration%20%7C%20CN%3DServices%20%7C%20CN%3DPublic%20Key%20Services%20%7C%20CN%3DEnrollment%20Services.%20Right%20click%20the%20CA%20in%20the%20right%20pane%20that%20you%20want%20to%20enroll%20from%20and%20click%20properties.%20Find%20the%20flags%20attribute%3B%20and%20verify%20that%20it%20is%20set%20to%2010.%20If%20it%20isn%E2%80%99t%20set%20to%2010%2C%20then%20set%20it%20to%2010%20using%20ADSIedit.msc%20and%20allow%20for%20Active%20Directory%20replication%20to%20complete.%20The%20second%20thing%20to%20try%20is%20to%20run%26nbsp%3Bcertutil%20-setreg%20ca%5Csetupstatus%20%2B512%20on%20the%20CA.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EHope%20these%20clarifications%20help%20you%20folks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1072791%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1072791%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F486816%22%20target%3D%22_blank%22%3E%40Paul_Adare%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20getting%20ready%20to%20migrate%20a%202008%2032bit%20CA%20to%20Server%202019.%26nbsp%3B%20Do%20I%20need%20to%20go%20to%202012%20R2%20first%20complete%20they%20migration%20and%20then%20upgrade%20to%20Server%202019.%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENate%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1073493%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1073493%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F240602%22%20target%3D%22_blank%22%3E%40Nathan%20Lamonski%3C%2FA%3E%26nbsp%3BYes%2C%20you%20can%20only%20skip%20the%202012%20R2%20step%20if%20you're%20starting%20with%202008%26nbsp%3B%3CSTRONG%3ER2%3C%2FSTRONG%3E.%20Anything%20prior%20to%20that%20requires%20the%202012%20R2%20interim%20step.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1073519%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1073519%22%20slang%3D%22en-US%22%3E%3CP%3EPaul_Adare%3C%2FP%3E%3CP%3ENo%20you%20can't%2C%20if%20you%20have%202008R2%20CA%20server%20you%20%3CSTRONG%3Ecan%20not%3C%2FSTRONG%3E%20skip%20the%202012(R2)%20step.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Emaybe%20on%20paper%20but%20not%20in%20real%20secanario.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1073520%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1073520%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F427114%22%20target%3D%22_blank%22%3E%40RasmusJohnsen%3C%2FA%3E%26nbsp%3BI'm%20not%20going%20to%20argue%20about%20this%20with.%20As%20I%20said%2C%20I%20own%20Active%20Directory%20Certificate%20Services%20at%20Microsoft%20and%20this%20has%20been%20tested%2C%20and%20yes%2C%20when%20migrating%20from%202008%20R2%20to%202016%20or%202019%2C%20you%20do%26nbsp%3B%3CSTRONG%3Enot%3C%2FSTRONG%3E%20need%20the%20interim%20step%20of%202012%20R2.%20The%20Jet%20database%20change%20that%20requires%20this%20step%20was%20implemented%20after%202008%20was%20released%20and%20before%202008%20R2%20was%20released.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1073758%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1073758%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F486816%22%20target%3D%22_blank%22%3E%40Paul_Adare%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20the%20clarification%20and%20probably%20saved%20me%20a%20major%20head%20ache%20had%20I%20skipped%202012%20R2.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENate%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1075316%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1075316%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F486816%22%20target%3D%22_blank%22%3E%40Paul_Adare%3C%2FA%3E%2C%20Hi%20Paul%2C%20since%20you%20own%20ADCA%20at%20MS%20and%20know%20better%20than%20anyone%20else%2C%20I%20have%20two%20questions.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20currently%20have%201%20root%20offline%20CA%20and%20two%20online%20CA%20in%20AD.%20They%20are%20Windows%202008%20R2.%20I%20understand%20there%20isn't%20any%20new%20certificate%20templates%20from%20Windows%202008%20R2%20to%20Windows%202012%20R2%20CA.%20After%20I%20introduce%20a%20new%20Windows%202016%20or%20Windows%202019%20online%20CA%20server%20in%20AD%2C%20are%20there%20going%20to%20have%20any%20new%20enterprise%20certificate%20templates%20that%20we%20should%20be%20aware%20of%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESecondly%2C%20which%20is%20the%20best%20practice%20recommended%20by%20MS%3F%201)%20do%20an%20in-place%20OS%20upgrade%20from%20Windows%202008%20R2%20to%20Windows%202012%20R2%20to%20Windows%202016%2F2019%3F%20or%202)%20build%20a%20new%20Windows%202016%2F2019%20CA%20then%20migrate%20the%20CA%20role%20from%20Windows%202008%20R2%20CA%3F%20or%20either%20one%20should%20be%20fine%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you!%3C%2FP%3E%3CP%3EDean%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1075900%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1075900%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102389%22%20target%3D%22_blank%22%3E%40Dean%20Chen%3C%2FA%3E%26nbsp%3BNo%2C%20there%20are%20no%20new%20templates%2C%20though%20that%20really%20doesn't%20matter%20since%20you%20can%20take%20any%20default%20template%20and%20modify%20it%20for%20pretty%20much%20any%20use%20you%20need.%20Some%20will%20require%20less%20editing%2Fchanging%20than%20others%20but%20that's%20about%20it.%3C%2FP%3E%0A%3CP%3EMy%20personal%20preference%20is%20to%20avoid%20in-place%20upgrades%2C%20especially%20those%20that%20start%20with%20more%20than%20an%20N-1%20version.%20Migrating%20a%20CA%20is%20a%20fairly%20painless%20procedure%2C%20and%20is%20very%20well%20tested%20and%20documented.%20In%20my%20team%2C%20we%20have%20a%20specific%20policy%20of%20not%20doing%20in-place%20upgrades%20on%20our%20CAs.%20Note%20that%20this%20should%20not%20be%20considered%20official%20Microsoft%20guidance%2C%20just%20my%20preference%2C%20established%20over%2020%20some%20odd%20years%20of%20experience.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1076591%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1076591%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F486816%22%20target%3D%22_blank%22%3E%40Paul_Adare%3C%2FA%3E%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20environment%20is%20exactly%20the%20same%20as%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102389%22%20target%3D%22_blank%22%3E%40Dean%20Chen%3C%2FA%3E%26nbsp%3B%20all%20running%20on%202008R2.%20I'm%20also%20against%20in%20place%20upgrades%20if%20they%20can%20be%20avoided.%20So%20this%20thread%20initially%20had%20me%20concerned%20I%20was%20going%20to%20have%20to%20in%20place%20upgrade%20to%202012R2.%26nbsp%3B%3C%2FP%3E%3CP%3EFrom%20your%20clarification%2C%20it%20sounds%20like%20I%20just%20build%203%20new%202019%20servers%2C%20install%20ADCS%2C%20export%20the%20configurations%20out%20of%20my%202008R2%20servers%20and%20then%20import%20it%20into%20my%202019%20servers.%20Done!%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3ESound%20right%3F%20You%20mentioned%20this%20is%20well%20documented%20and%20tested.%20Yet%20we%20are%20all%20on%20this%20thread%20in%20this%20MS%20blog%2C%20because%20there%20is%20a%20serious%20lack%20of%20official%20MS%20documentation%20on%20this.%20I%20miss%20the%20old%20days%20when%20MS%20provided%20great%20technical%20docs%20on%20everything.%20Now%20it%20seems%2C%20you%20have%20to%20rely%20on%20the%20community%20and%20their%20experiences.%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1076718%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1076718%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F370089%22%20target%3D%22_blank%22%3E%40GGearon%3C%2FA%3E%26nbsp%3BThe%20documentation%20I%20was%20referring%20to%20is%20in%20regards%20to%20performing%20a%20migration.%20The%20only%20documentation%20about%20needing%20to%20go%20to%202012%20R2%20as%20an%20interim%20step%20is%20documented%20in%20the%20Wiki%20and%20specifically%20refers%20to%202008%20and%20not%20to%202008%20R2%20-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2F37373.migrating-ad-certificate-services-from-windows-server-2008-to-windows-server-2016.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2F37373.migrating-ad-certificate-services-from-windows-server-2008-to-windows-server-2016.aspx%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThere%20are%20loads%20of%20articles%20regarding%20migration%20in%20general%2C%20nothing%20really%20specific%20to%202019%20but%20the%20process%20is%20exactly%20the%20same.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2012-r2-and-2012%2Fdn486805(v%253Dws.11)%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2012-r2-and-2012%2Fdn486805(v%253Dws.11)%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1077227%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1077227%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F486816%22%20target%3D%22_blank%22%3E%40Paul_Adare%3C%2FA%3EThanks%20so%20much%20for%20your%20comments%20in%20this%20post%20and%20confirming%20the%20current%20Microsoft%20Windows%202012%20R2%20CA%20migration%20document%20works%20for%20Windows%202016%2F2019%20CA%20migration%20as%20well.%20This%20clears%20a%20few%20doubts%20in%20my%20mind.%20%3A%3D)%26nbsp%3B%20It%20would%20be%20nice%20to%20have%20an%20official%20Microsoft%20document%20that%20could%20combine%20Windows%202012%20R2%20CA%20migration%20document%20and%20this%20post%20for%20Windows%202016%2F2019.%20It%20took%20me%20for%20a%20while%20to%20search%20answers%20until%20I%20found%20this%20post.%20Not%20sure%20how%20many%20others%20are%20still%20scratching%20their%20heads.%20%3A%3D)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F370089%22%20target%3D%22_blank%22%3E%40GGearon%3C%2FA%3EMy%20thought%20is%20that%20with%20this%20post%20as%20the%20guideline%20for%20Windows%202016%2F2019%20CA%2C%20we%20just%20need%20to%20follow%20the%20steps%20in%20Windows%202012%20R2%20CA%20migration%20document%20that%20Paul%20shared.%20that%20should%20be%20it.%20Good%20luck!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102838%22%20target%3D%22_blank%22%3E%40Anthony%20Bartolo%3C%2FA%3EThanks%20for%20posting%20this%20document%20here%20too!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3CP%3EDean%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1077618%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1077618%22%20slang%3D%22en-US%22%3E%3CP%3EJust%20wanted%20to%20say%20thank%20you%20for%20making%20this%20step%20by%20step%20guide%20available.%26nbsp%3B%20I%20migrated%20my%20Server%202008%2032%20bit%20Enterprise%20Root%20CA%20to%20Windows%20Server%202019%20with%20out%20any%20issues.%26nbsp%3B%20Just%20wanted%20to%20say%20thanks%20for%20making%20this%20documentation%20available.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1085866%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1085866%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102838%22%20target%3D%22_blank%22%3E%40Anthony%20Bartolo%3C%2FA%3E%26nbsp%3BDid%20you%20ever%20manage%20to%20create%20an%20article%20for%20migrating%20to%20a%20server%20with%20a%20different%20name%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1124705%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1124705%22%20slang%3D%22en-US%22%3E%3CP%3EHello.%20Is%20this%20the%20same%20for%20any%20subordinate%20CAs%3F%20And%20should%20the%20subordinates%20be%20done%20after%20the%20root%20CA%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20your%20Article.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1101923%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Migrating%20The%20Active%20Directory%20Certificate%20Service%20From%20Windows%20Server%202008%20R2%20to%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1101923%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F486816%22%20target%3D%22_blank%22%3E%40Paul_Adare%3C%2FA%3E%26nbsp%3BI'm%20glad%20I%20read%20through%20all%20the%20comments%20to%20see%20your%20contribution.%20Kinda%20makes%20a%20big%20difference%20to%20-%20we%20have%20too%20much%202008r2%20migration%20activity%20going%20on%20to%20be%20dealing%20with%20pointless%20doubling%20of%20ADCS%20migration%20efforts%2C%20so%20I%20thank%20you%20very%20much.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%2C%20you%20referenced%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2012-r2-and-2012%2Fdn486805(v%253Dws.11%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2012-r2-and-2012%2Fdn486805(v%253Dws.11%3C%2FA%3E)%20and%20from%20reading%20through%20(as%20best%20as%20a%20guy%20with%20ADHD%20is%20able)%2C%20I%20don't%20see%20reference%20to%20using%20a%20different%20destination%20server%20name.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20older%20article%20does%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2008-R2-and-2008%2Fee126170(v%3Dws.10)%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2008-R2-and-2008%2Fee126170(v%3Dws.10)%3C%2FA%3E.%20See%20the%20dirty%20yellow%20text%20box.%20However%2C%20it's%20an%20earlier%20articles%20by%20a%20few%20years.%20I'm%20thinking%20it%20IS%20still%20possible%20to%20have%20a%20different%20Server%20name%20(not%20changing%20the%20CA%20name)%20using%20the%20same%20procedures%2C%20but%20it%20would%20be%20nice%20to%20have%20that%20clarified%20on%20here%20and%20also%20factored%20into%20MS%20publications.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Co-Authors
Version history
Last update:
‎Jul 09 2021 12:30 PM
Updated by: