Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2003 to 2012 R2
Published Dec 27 2018 12:01 AM
Microsoft

Support for both Windows Server 2003 and 2003 R2 ended on July 14th, 2015, yet several organizations are still running their businesses on it, and a large number of IT professionals are still in the middle of planning their migration. This guide, originally shared by Microsoft MVP Dishan Francis, walks through migrating AD CS from Windows Server 2003 to Windows Server 2012 R2.

 Windows_Server_2003_Certificate_Migration_001.png
This demonstration uses the following setup. Note that the two servers deliberately have different host names: what is preserved across the migration is the CA name (it is carried in the CA certificate), not the name of the computer hosting it.

Server Name                      Operating System                        Server Roles
canitpro-casrv.canitpro.local    Windows Server 2003 R2 Enterprise x86   AD CS (Enterprise Root Certification Authority), the source
CANITPRO-DC2K12.canitpro.local   Windows Server 2012 R2 x64              - (the migration target)

Step 1: Backup Windows Server 2003 certificate authority database and its configuration

  1. Log in to the Windows Server 2003 server as a member of the local Administrators group.

  2. Go to Start > Administrative Tools > Certification Authority.

  3. Right-click the server node > All Tasks > Back up CA...
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_002.png

  4. This opens the Certification Authority Backup Wizard. Click Next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_003.jpg

  5. In the next window, tick both check boxes, Private key and CA certificate, and Certificate database and certificate database log, as highlighted. Click Browse and choose the backup location; the wizard requires an empty folder. Then click Next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_004.jpg

  6. The wizard then asks for a password to protect the private key and CA certificate file. This password is all that protects the CA's signing key while the backup is in transit, so use a strong one and keep it with the backup. Enter it and click Next to continue.

  7. The next window shows a confirmation. Click Finish to complete the process.

 

Step 2: Backup CA Registry Settings

  1. Click Start > Run, type regedit and click OK.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_006.jpg

  2. Expand the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc.

  3. Right-click the Configuration key and click Export.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_007.jpg

  4. In the next window, select the path where the backup file should be saved and give it a name. Click Save to complete the backup.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_008.jpg

  5. We now have a complete backup of the CA: the .p12 file holding the CA certificate and private key, the DataBase folder holding the certificate database and its log, and the exported .reg file. Copy these files to the new Windows Server 2012 R2 server. Because the .p12 contains the CA's private key, treat the whole folder as a secret: copy it over an authenticated channel and delete the copies once the migration has been verified. It is also worth writing down which certificate templates the old CA publishes, because that list is stored on the CA's enrollment services object in Active Directory rather than in the backup, and the new CA will start with the default list (see Step 8).
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_009.jpg
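As an added example, not part of the original guide, the backup of Steps 1 and 2 can be scripted, which is useful when several CAs are being migrated or when you want a record of exactly what was captured. The script assumes Windows PowerShell is installed on the Windows Server 2003 source (it was an optional download for 2003; the certutil and reg lines can equally be typed at cmd.exe with literal paths), and the backup folder and password are made-up values for this lab:

```powershell
# Added example, not from the original guide. Runs on the Windows Server 2003
# source CA in an elevated prompt. certutil.exe and reg.exe are built in;
# Windows PowerShell is assumed to be installed (it was an optional download
# for 2003). $BackupDir and $KeyPwd are lab assumptions, not values from the page.

$BackupDir = 'C:\CABackup'                      # certutil requires this folder to be absent or empty
$KeyPwd    = 'ChangeMe-LongBackupPassphrase'    # protects the exported CA private key (.p12)

if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

# Step 1 equivalent: CA certificate + private key (-> <CAName>.p12) and the
# certificate database + log (-> DataBase\). This is what the Backup Wizard
# does with both check boxes ticked.
certutil.exe -p $KeyPwd -backup $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# Step 2 equivalent: export the CertSvc\Configuration key (what regedit > Export produces)
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CertSvc-Configuration.reg"
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# Things that are NOT in the backup but are needed later:
#  - the templates this CA publishes (the list lives in AD and the new CA gets
#    the default list, so the custom ones must be re-added in Step 8)
#  - the CDP/AIA URLs and CRL period, to compare against after the registry import
certutil.exe -catemplates                       | Out-File "$BackupDir\catemplates.txt"
certutil.exe -getreg CA\CRLPublicationURLs      | Out-File "$BackupDir\cdp.txt"
certutil.exe -getreg CA\CACertPublicationURLs   | Out-File "$BackupDir\aia.txt"
certutil.exe -getreg CA\CRLPeriodUnits          | Out-File "$BackupDir\crlperiod.txt"
certutil.exe -getreg CA\CRLPeriod               | Out-File "$BackupDir\crlperiod.txt" -Append

# Row count of the certificate database, to compare with the count after the restore
$rows = @(certutil.exe -view -out RequestID csv | Select-String -Pattern '^"?\d+').Count
"Certificate database rows backed up: $rows" | Out-File "$BackupDir\rowcount.txt"

# Sanity check: the key file and the ESE database must both be present
$p12 = Get-ChildItem $BackupDir -Filter *.p12
$edb = Get-ChildItem "$BackupDir\DataBase" -Filter *.edb
if (-not $p12 -or -not $edb) { throw "Backup is incomplete: .p12 or .edb missing in $BackupDir" }
Get-ChildItem -Recurse $BackupDir | Select-Object FullName, Length
```

The catemplates.txt, cdp.txt, aia.txt and rowcount.txt files are not consumed by the wizard; they exist so that after Steps 6 to 8 you can prove the new CA offers the same templates, publishes to the same locations and holds the same number of records as the old one.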

Step 3: Uninstall CA Service from Windows Server 2003

With the backup files ready, and before configuring Certificate Services on the new Windows Server 2012 R2 server, uninstall the CA service from the Windows Server 2003 server. The new CA will carry the same CA name (it comes from the imported CA certificate), and that name is registered in Active Directory under Enrollment Services, so the old CA has to be removed before the new one is configured. Two things to check first: the backup from Steps 1 and 2 must already have been copied off the server and verified, because this step is not reversible without it; and the CRL the old CA last published must stay valid until the new CA is online and has published its own (check the Next update time in the CRL's properties and plan the cut-over well inside that window, or publish a fresh CRL right before removing the role).

  1. Click Start > Control Panel > Add or Remove Programs.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_010.jpg

  2. Click Add/Remove Windows Components.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_011.jpg

  3. In the next window, clear the Certificate Services check box and click Next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_012.jpg

  4. Click Finish once the process is completed.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_013.jpg

With Certificate Services now removed from Windows Server 2003, the next step is to install and configure the CA role on Windows Server 2012 R2.
 

Step 4: Install Windows Server 2012 R2 Certificate Services

  1. Log in to the Windows Server 2012 R2 server as a Domain Administrator or a member of the local Administrators group.

  2. Go to Server Manager > Add roles and features.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_014.jpg

  3. This opens the Add Roles and Features Wizard. Click Next to continue.

  4. In the next window, select Role-based or feature-based installation and click Next to continue.

  5. In the server selection, keep the default selection and click Next to continue.

  6. In the next window, tick the Active Directory Certificate Services role. A notification pops up listing the features that must also be added; click Add Features to add them.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_015.jpg

  7. In the Features section, leave the defaults and click Next to continue.

  8. The next window shows a brief description of AD CS. Review it and click Next to continue.

  9. Next you are asked to select role services. Here Certification Authority and Certification Authority Web Enrollment are selected. Only Certification Authority is required for the migration itself; Web Enrollment is optional and pulls in IIS. Click Next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_016.jpg

  10. Because Certification Authority Web Enrollment was selected, IIS is required, so the next window shows a brief description of IIS. Review it and click Next.

  11. The next window offers IIS role services. Leave the defaults and click Next to continue.

  12. The final window confirms the services to be installed. Review it and click Install to start the installation.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_017.jpg

  13. Close the wizard once the installation is complete. The post-deployment configuration is done in Step 5.

Step 5: Configure AD CS

In this step we configure the new CA so that it uses the CA certificate and private key backed up from the Windows Server 2003 server. The database itself is restored in Step 6.

  1. Log in to the server as an Enterprise Administrator. An Enterprise CA writes its configuration to the Configuration partition of Active Directory, which is why Enterprise Admins membership is needed here.

  2. Go to Server Manager > AD CS.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_018.jpg

  3. The panel on the right shows the post-deployment configuration message highlighted in yellow. Click More.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_019.jpg

  4. A window opens; click Configure Active Directory Certificate Services ……
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_020.jpg

  5. This opens the role configuration wizard, which offers to change the credentials. As we are already logged in as an Enterprise Administrator, leave the default and click Next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_021.jpg

  6. The next window asks which role services to configure. Select both Certification Authority and Certification Authority Web Enrollment and click Next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_022.jpg

  7. Next is the setup type. It must match the source CA, which in this lab is an Enterprise CA, so select Enterprise CA and click Next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_023.jpg

  8. In the next window, select Root CA as the CA type (again matching the source CA) and click Next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_024.jpg

  9. The next option is the important one. For a new installation we would create a new private key, but this is a migration and we already have the key in the backup. Select Use existing private key and then Select a certificate and use its associated private key, as highlighted in the screenshot, and click Next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_025.jpg

  10. In the next window click Import.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_026.jpg

  11. Browse to the backup copied from the Windows Server 2003 server and select the .p12 file the Backup Wizard created (it is named after the CA). Enter the password used to protect it in Step 1 and click OK.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_027.jpg

  12. With the key imported, select the imported certificate in the next window and click Next to continue. The CA name shown here comes from the certificate and therefore matches the old CA, which is what lets certificates the old CA issued keep chaining to the migrated CA.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_028.jpg

  13. In the next window we can set the certificate database path. Here it is left at the default (C:\Windows\system32\CertLog, which is also the Windows Server 2003 default). If you choose a different path, the DBDirectory, DBLogDirectory, DBSystemDirectory and DBTempDirectory values in the registry file exported in Step 2 will no longer match it and must be edited before Step 7. Click Next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_029.jpg

  14. The next window shows the configuration summary. Review it and click Configure to proceed.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_030.jpg

  15. Once completed, click Close to exit the configuration wizard.

Step 6: Restore CA Backup

Now comes the most important part of the process: restoring the CA backup made on Windows Server 2003. This replaces the empty database created in Step 5 with the old CA's issued, pending and revoked certificate records, which the new CA needs in order to revoke, renew and report on the certificates the old CA issued.

  1. Go to Server Manager > Tools > Certification Authority.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_031.jpg

  2. Right-click the server node > All Tasks > Restore CA...
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_032.jpg

  3. You are asked whether it is okay to stop the certificate service in order to proceed. Click OK.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_033.jpg

  4. This opens the Certification Authority Restore Wizard. Click Next to continue.

  5. In the next window, browse to the folder that holds the backup and select it. Then tick the options highlighted in the screenshot below, Private key and CA certificate, and Certificate database and certificate database log. Click Next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_034.jpg

  6. The next window asks for the password used to protect the private key during the backup. Enter it and click Next to continue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_035.jpg

  7. In the next window click Finish to complete the restore.

  8. Once the restore is complete, the wizard asks whether to start the certificate service again. Start it to bring the CA back online.

Step 7: Restore Registry info

During the CA backup process we also exported the CertSvc\Configuration registry key, and it is now time to import it. Before double-clicking the file, open it in Notepad and look for the values that are specific to the old server: CAServerName under the CA's subkey holds the old host name (canitpro-casrv in this lab) and must be changed to the new host name, and the DBDirectory, DBLogDirectory, DBSystemDirectory and DBTempDirectory values must point to the database location chosen in Step 5. Everything else in the file (CRL and CA certificate publication URLs, CRL periods, validity periods, audit and policy settings) is exactly what you want carried over unchanged, and importing it overwrites the defaults the configuration wizard wrote in Step 5.

  1. Open the folder that contains the exported .reg file and double-click it.

  2. Click Yes to proceed with importing the registry key.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_036.jpg

  3. Once completed, a message confirms that the keys and values were added to the registry. The certificate service reads these values at start-up, so restart Active Directory Certificate Services, then publish a new CRL (right-click Revoked Certificates > All Tasks > Publish) so that a CRL signed on the new server exists at the configured distribution points.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_037.jpg
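As an added example, not part of the original guide, Steps 6 and 7 can be done from an elevated PowerShell prompt on the Windows Server 2012 R2 server, which makes the registry-file check explicit and adds the verification a practitioner wants before declaring the CA back in service. The backup folder, password and the new host name are lab assumptions; the old host's name is the one in the setup table above:

```powershell
# Added example, not from the original guide. Runs on the Windows Server 2012 R2
# target in an elevated PowerShell session, after Step 5 configured the role with
# the imported CA certificate. $BackupDir, $KeyPwd and $OldHost are lab assumptions.

$BackupDir = 'C:\CABackup'                      # copied from the 2003 server (Step 2)
$KeyPwd    = 'ChangeMe-LongBackupPassphrase'    # password given to the Backup Wizard
$RegFile   = "$BackupDir\CertSvc-Configuration.reg"
$OldHost   = 'canitpro-casrv'                   # 2003 source host (short name)
$NewHost   = $env:COMPUTERNAME

# 1. Review the exported registry file BEFORE importing it. Server-specific values
#    are imported verbatim: CAServerName must name the new host and the DB*Directory
#    values must match the database path chosen in Step 5.
$reg = Get-Content $RegFile                     # regedit exports UTF-16; Get-Content honours the BOM
$reg | Select-String -Pattern 'CAServerName|DBDirectory|DBLogDirectory|DBSystemDirectory|DBTempDirectory'
if (($reg -match [regex]::Escape($OldHost)) -and ($OldHost -ne $NewHost)) {
    Write-Warning "Registry export references $OldHost; rewriting CAServerName to $NewHost"
    $fixed = "$BackupDir\CertSvc-Configuration.fixed.reg"
    $reg -replace '"CAServerName"="[^"]*"', ('"CAServerName"="' + $NewHost + '"') |
        Set-Content -Path $fixed -Encoding Unicode
    $RegFile = $fixed
}

# 2. Stop the CA, import the configuration, then restore key, certificate and database.
Stop-Service CertSvc
reg.exe import $RegFile
if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }

# -restore = -restorekey + -restoredb against the Backup Wizard folder layout
# (<CAName>.p12 plus DataBase\); -f overwrites the empty database created in Step 5.
certutil.exe -f -p $KeyPwd -restore $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed with exit code $LASTEXITCODE" }

Start-Service CertSvc

# 3. Checks before calling the CA back in service.
certutil.exe -ping                                   # the CA answers DCOM requests
certutil.exe -getreg CA\CRLPublicationURLs           # compare with cdp.txt saved on the old CA
certutil.exe -getreg CA\CACertPublicationURLs        # compare with aia.txt
certutil.exe -crl                                    # publish a CRL signed on the new server
if ($LASTEXITCODE -ne 0) { throw "CRL publication failed; check the CDP locations (exit code $LASTEXITCODE)" }

# 4. The restored database must hold the old CA's rows; compare with the count taken before removal.
$rows = @(certutil.exe -view -out RequestID csv | Select-String -Pattern '^"?\d+').Count
"Certificate database rows after restore: $rows"
```

The row-count comparison is the quickest way to catch a restore that silently kept the empty Step 5 database, and certutil -crl failing right after the restore almost always means a CDP location that the new host cannot write to (an LDAP container or a CertEnroll share that still belongs to the old server name).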

Step 8: Reissue Certificate Templates

With the CA restored, the templates it published must be made available again. The list of templates a CA offers lives on the CA's enrollment services object in Active Directory, not in the CA backup, and the newly configured CA starts with the default list, so any custom template the old CA published has to be added. In the Windows Server 2003 environment I had a template called "PC Certificate" that issues certificates to the domain computers. Let's see how to publish it again.

  1. Open the Certification Authority snap-in.

  2. Right-click the Certificate Templates folder > New > Certificate Template to Issue.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_038.jpg

  3. From the list of certificate templates, click the appropriate template (here PC Certificate) and click OK. The template definitions themselves were never on the old server; they are stored in Active Directory and survived the migration, which is why they appear in this list.
    Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_039.jpg

Step 9: Test the CA

I already had a certificate template set up for PCs with autoenrollment enabled. For testing I set up a Windows PC called demo1 and joined it to the canitpro.local domain. After the PC has applied Group Policy for the first time, open the Certification Authority snap-in on the CA, expand Issued Certificates, and the new certificate issued to the PC is listed.

Migrating_Active Directory_Certificate_Service_From_Windows_Server_2003_to_2012_R2_040.jpg

This confirms the new CA can issue certificates and completes the migration. Before the old host is decommissioned, it is also worth confirming that certificates the Windows Server 2003 CA issued still validate: check one with certutil -verify -urlfetch from a domain member, which fetches the AIA and CRL locations embedded in that certificate and fails if the CRL published by the new CA is not reachable at those locations.

Below is also an informative video detailing other considerations when migrating from Windows Server 2003.
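As an added example, not part of the original guide, the following does Steps 8 and 9 from the command line. Part A runs on the migrated CA and republishes whatever the old CA offered, using the catemplates.txt list recorded on the Windows Server 2003 server (the template's name, not its display name, is what certutil takes). Part B runs on the domain-joined test PC and assumes a Windows version with the PKI PowerShell module (Windows 8 / Server 2012 or later) and a CA name of canitpro-CA, which the page does not state:

```powershell
# Added example, not from the original guide. Part A runs on the migrated CA,
# Part B on the domain-joined test PC (demo1). The template list file, the CA
# name ($CaName) and the PC's OS (Windows 8/2012 or later for Export-Certificate)
# are assumptions.

# ---- Part A (on the CA): republish the templates the 2003 CA offered (Step 8) ----
$BackupDir = 'C:\CABackup'
# catemplates.txt is the saved output of "certutil -catemplates" on the old CA;
# each template line reads "<TemplateName>: <Display Name> -- <access info>"
function Get-TemplateNames([string[]]$Lines) {
    $Lines | ForEach-Object {
        if ($_ -notmatch '^CertUtil:' -and $_ -match '^(\S+): ') { $Matches[1] }
    }
}
$wanted  = Get-TemplateNames (Get-Content "$BackupDir\catemplates.txt")
$current = Get-TemplateNames (certutil.exe -catemplates)
foreach ($t in $wanted) {
    if ($current -notcontains $t) {
        "Publishing template $t"
        certutil.exe -setcatemplates "+$t"       # same effect as Certificate Template to Issue
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not publish $t; does it still exist in AD?" }
    }
}
certutil.exe -catemplates                        # final list offered by the new CA

# ---- Part B (on demo1): force autoenrollment and check the result (Step 9) ----
$CaName = 'canitpro-CA'                          # assumed; use the CA name shown in Step 5
gpupdate.exe /target:computer /force | Out-Null
certutil.exe -pulse                              # run the autoenrollment task now
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*CN=$CaName*" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate from $CaName in the machine store; check template permissions and autoenrollment policy" }
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

# Chain and revocation check. This fails if the CDP/AIA URLs embedded in the new
# certificate (or in the CA certificate) are not reachable, which is the usual
# post-migration defect when the host name changed.
$cerPath = Join-Path $env:TEMP 'demo1.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
certutil.exe -verify -urlfetch $cerPath | Select-String -Pattern 'Revocation|ERROR|Verified|Expired'

# ---- Back on the CA: the request should be in the restored database ----
certutil.exe -view -restrict 'Disposition=20,RequesterName=CANITPRO\DEMO1$' -out 'RequestID,RequesterName,CertificateTemplate,NotAfter'
```

Run the same certutil -verify -urlfetch against a certificate that the Windows Server 2003 CA issued before the migration as well; a "revocation server was offline" result there means the CRL locations written into the old certificates are no longer being refreshed by the new CA, not that the certificate itself is bad.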

19 Comments
Silver Contributor

There is probably more use for a guide migrating from 2008 (or R2) to newer versions like 2016/2019, as 2008 should be widely in use since it is still in support for a year.

Microsoft

@wroot Agreed, however you'd be surprised by the number of organizations (financial, government, transportation, education, etc.) that are still based on Windows Server 2003 and looking to modernize. This post is a repost from our former site, CANITPRO.NET, and is still of great interest to those organizations who can only modernize at a snail's pace due to regulations or other factors.

Happy to write about any challenges you are currently facing in future. Just let the team know what topics you'd like to see covered.

Silver Contributor

I'm not surprised. At my previous job we only got rid of the last 2003 VM a year ago. It wasn't very critical though. But when I was leaving there were ~15 2008/R2 VM servers with some critical services running (although inside a LAN). I think many of them will stay on 2008 for at least a few years because of lack of IT staff, knowledge, compatibility issues and lack of budget for new licenses and hosting. And I can't imagine how they are going to move a "6 servers, heavily modified SharePoint 2010 farm" anywhere. It's not that these problems are new in the IT field. We have dealt with migrations from older systems in the past, but as IT becomes more complicated every day sometimes it just feels unbearable. Well, there should be a clear strategy and good planning to overcome such things. But that's another topic :)

Copper Contributor

Does it matter if the new server has a different name than the old one?

Microsoft

Hi @Jon Bonner.  Different server names can be used.  This is also highlighted in this lab prior to Step 1.

Copper Contributor

Hi @Anthony Bartolo, will this guide also work for migrating 2008 R2 to 2019? Thanks... :)

Microsoft

Hi @Andrej_Vizvary. Our team is working on steps to migrate from 2008 R2 to 2019.  No ETA on its completion yet but I will share its publish date when it becomes available.

Copper Contributor

Hi @Anthony Bartolo,

I am looking to migrate from 2008 R2 to 2019 in the next few weeks - do you have an ETA on the steps needed?

Also, do you have any information on additional steps (if any) you have to do should you have an offline root CA along with the enterprise subordinate one(s)?

Finally, I am trying to get it clear in my head how I ensure the old issued certificates remain valid when the CRL expires, or is the answer that you need to reissue them all prior to the CRL expiring?

Thanks for your help

Edd

Copper Contributor

@Anthony Bartolo , @EddPr I agree, 2008 R2 to 2019 with Offline root CA and Online Issuing CA (subordinate) and I have a separate web IIS for CRL usage.  Is this available yet?  Almost a month since you mentioned you were working on it.  Hoping it is done and you can post a link.  

Microsoft

@Chase Roth the requested blog post detailing migration from 2008 R2 to 2016 / 2019 has been created and published. It can be found here: https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/Step-By-Step-Migrating-The-Active-Directory-C...

Copper Contributor

@Anthony Bartolo thanks, but the request was for an Offline Standard Root CA and Online Enterprise Issuing (subordinate) CA. I was able to complete my task using your other post(s), piecemealed with a few other blogs to work out enough of the process. The new article, I am sure, will help a bunch of others though that have purely Online Enterprise Root CA environments. Others with the recommended Offline Root CA and Online Subordinate CA are likely still hoping for a full run-down of the process. Steps were pretty much the same, but with the added work of transferring signing requests between offline/online CAs, updating the CRLs from the Offline Root to the Online LDAP and HTTP CDP locations, and in my case I re-signed a new request for the Online CA to have all the new server names in the certificates and AIA/CDP file names/paths. I can't detail it all out, but I am sure others would appreciate it if you were able to! Oh, and I did not need to reissue certificate templates. They were still there and active when all was said and done...

@EddPr I reissued my Root CA with the same key (not a new one), which I think keeps the peace with the old certificates. I then used that to reissue my enterprise online CA cert, and then was sure to load all of those updated files to the AIA and CDP locations for LDAP/HTTP. I did not remove any of the files from my HTTP location, so older CRT files are still there for old server names, etc. Has been done for a few weeks and no issues thus far.

Copper Contributor

@Anthony Bartolo @Chase Roth I'm with Chase in that I need a guide for an offline root and online subordinate.

Microsoft

@Jon Bonner @Chase Roth Its going to take me some time to put it together.  Stay tuned.

Copper Contributor

@Anthony Bartolo Thank you for putting these guides together for everyone!! I have a question regarding upgrading our 2003 CA. We're an enterprise organization with a LOT of servers and workstations. We have an on-prem Exchange deployment as well as many other MS services that use the CA. Will migrating to a new server cause any issues for the currently leased certificates? Will we have to reissue every certificate the CA has authority over or will the migration be seamless, even though the new server will have a new hostname and all that? What about Exchange and Skype for Business servers? Will they know to use the new CA server automatically or is there manual intervention after the CA migration?

What I'm trying to find out is how much work will be required after the CA has been migrated. What will I need to be careful with and what will I need to do to ensure all of our current services do not go offline with SSL problems?


Thanks again!!

Copper Contributor

Thank you for the great article!

Like others, I am also interested in reading about an offline root/online sub.

Copper Contributor

Hi,

I know this question was asked several times in different articles but I still didn't get a concrete answer.

1- Can we upgrade a Windows 2008 R2 Certificate server to Windows Server 2019 (separate VM) directly (not an in-place upgrade), or do we have to first upgrade it to Windows 2012 R2 and then from there upgrade to Windows 2019 (separate VM)?

Kindly share your suggestions and related experiences (if someone did it before).

Copper Contributor

I used this process to go from 2003 to 2016 and the main issue I'm having right now is my Domain Controllers are saying:

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

We're only really generating machine certificates for IAS authentication, and from a member server I was able to request a new cert.

But my Domain Controllers all have the error, and on certutil -verify I get:

The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)

Any help is appreciated!

Copper Contributor

Hi, images are not displayed, can you fix it?

Microsoft

Thank you @dpupovac for the notification.  I have corrected the issue and all images should be visible now.

Version history
Last update: Jul 09 2021 08:14 AM