Active Directory Certificate Services Migration Guide

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

About this guide

This document provides guidance for migrating a certification authority (CA) to a server that is running Windows Server® 2008 R2 from a server that is running Windows Server 2003, Windows Server 2003 R2, or Windows Server 2008. You can also migrate a CA from a server running Windows Server 2008 or Windows Server 2008 R2 to a server that is running Windows Server® 2012 using these directions.

Target audience

  • Administrators or IT operations engineers responsible for planning and performing CA migration to Windows Server 2008 R2 or Windows Server 2012.

  • Administrators or IT operations engineers responsible for the day-to-day management and troubleshooting of networks, servers, client computers, operating systems, or applications.

  • IT operations managers accountable for network and server management.

  • IT architects responsible for computer management and security throughout an organization.

Supported migration scenarios

This guide provides you with instructions for migrating an existing server that is running Active Directory® Certificate Services (AD CS) to a server that is running Windows Server 2008 R2 or Windows Server 2012. This guide does not contain instructions for migration when the source server is running multiple roles. If your server is running multiple roles, you should design a custom migration procedure that is specific to your server environment, based on the information provided in other role migration guides. To view migration guides for additional roles, see Migrate Server Roles to Windows Server 2008 R2 (https://go.microsoft.com/fwlink/?LinkID=128554).

Note

This guide can be used to migrate a CA from a source server that is also a domain controller to a destination server with a different name. However, migration of a domain controller is not covered by this guide. For information about Active Directory Domain Services (AD DS) migration, see Active Directory Domain Services and DNS Server Migration Guide (https://go.microsoft.com/fwlink/?LinkId=179357).

Supported operating systems

This guide supports migrations from source servers running the operating system versions and service packs listed in the following table. All migrations described in this document assume that the destination server is running Windows Server 2008 R2 or Windows Server 2012 as specified in the following table.

Source server processor: x86-based or x64-based
Source server operating system: Windows Server 2003 with Service Pack 2
Destination server operating system: Windows Server 2008 R2 (full or Server Core installation option), or Windows Server 2012 (Server with a GUI only; not Server Core or Minimal Server Interface)
Destination server processor: x64-based

Source server processor: x86-based or x64-based
Source server operating system: Windows Server 2003 R2
Destination server operating system: Windows Server 2008 R2 (full or Server Core installation option), or Windows Server 2012 (Server with a GUI only; not Server Core or Minimal Server Interface)
Destination server processor: x64-based

Source server processor: x86-based or x64-based
Source server operating system: Windows Server 2008
Destination server operating system: Windows Server 2008 R2 (full or Server Core installation option), or Windows Server 2012 (Server with a GUI only; not Server Core or Minimal Server Interface)
Destination server processor: x64-based

Source server processor: x64-based
Source server operating system: Windows Server 2008 R2
Destination server operating system: Windows Server 2008 R2 (full or Server Core installation option), or Windows Server 2012 (Server with a GUI only; not Server Core or Minimal Server Interface)
Destination server processor: x64-based

Note

In-place upgrades from Windows Server 2003 with Service Pack 2 or Windows Server 2003 R2 to Windows Server 2012 are not supported.

What this guide does not provide

  • Procedures to upgrade to Windows Server 2008 R2 or Windows Server 2012

  • Procedures to migrate additional server roles

  • Procedures to migrate additional AD CS role services

In general, migration is not required for AD CS role services other than the CA. Instead, you can install and configure those role services on computers running Windows Server 2008 R2 or Windows Server 2012 by completing the role service installation procedures. For information about the impact of CA migration on other AD CS role services, see Impact of migration on other computers in the enterprise.

CA migration overview

Certification authority (CA) migration involves several procedures, which are summarized in the following sections.

Warning

During the migration procedure, you are asked to turn off your existing CA (either the computer or at least the CA service), and to give the destination CA the same CA name that the original CA used. The computer name (host name or NetBIOS name) of the destination server does not have to match that of the original server, but the destination CA name must match the source CA name exactly, because certificates and CRLs already issued carry that name. Further, the destination CA name must not be identical to the destination computer name.
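As an added example (not code from the migration guide), the following PowerShell captures the source CA's identity and checks a proposed destination CA name against the two rules in the warning above. It assumes the AD CS registry layout under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration (the Active value naming the CA, and the per-CA subkey values CommonName, CAServerName and CAType); the path C:\Migration\source-ca.xml is chosen here for illustration.

```powershell
# Added example for this guide's naming warning; not part of the Microsoft guide.
# Assumptions: the CA identity is read from the AD CS registry location
# HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, where the "Active"
# value holds the CA name and the per-CA subkey holds CommonName, CAServerName, CAType.

function Get-CAIdentity {
    # Run on the source CA before it is shut down.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base -Name Active).Active
    $ca     = Get-ItemProperty -Path (Join-Path $base $caName)
    New-Object PSObject -Property @{
        CAName     = $caName
        CommonName = $ca.CommonName
        HostName   = $ca.CAServerName
        # CAType: 0 enterprise root, 1 enterprise subordinate,
        #         3 standalone root, 4 standalone subordinate
        CAType     = $ca.CAType
    }
}

function Test-DestinationCAName {
    # Checks the two rules from the warning: the CA name must equal the source CA name,
    # and it must differ from the destination computer's (short) name.
    param(
        [Parameter(Mandatory=$true)][string]$SourceCAName,
        [Parameter(Mandatory=$true)][string]$DestinationCAName,
        [Parameter(Mandatory=$true)][string]$DestinationHostName
    )
    $shortHost = $DestinationHostName.Split('.')[0]   # accept an FQDN as well
    $problems  = @()
    if ($DestinationCAName -cne $SourceCAName) {
        $problems += "CA name '$DestinationCAName' does not match the source CA name '$SourceCAName' (compared case-sensitively); issued certificates and CRLs carry the source name."
    }
    if ($DestinationCAName -ieq $shortHost) {
        $problems += "CA name '$DestinationCAName' is identical to the destination computer name '$shortHost'; the destination host needs a different computer name."
    }
    New-Object PSObject -Property @{
        Passed   = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# --- usage ---
# On the source CA: capture the identity and carry it to the destination server.
#   $src = Get-CAIdentity
#   $src | Export-Clixml C:\Migration\source-ca.xml
#   certutil -cainfo name            # independent cross-check of the CA name
# On the destination server, before installing the AD CS role service:
#   $src = Import-Clixml C:\Migration\source-ca.xml
#   Test-DestinationCAName -SourceCAName $src.CAName -DestinationCAName $src.CAName `
#                          -DestinationHostName $env:COMPUTERNAME
```

Run the capture before the source CA is taken offline; once the service is stopped and the computer decommissioned, the registry values are no longer reachable, and the CA name in the backed-up CA certificate is the only remaining record.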

Note

It is possible to install a new PKI hierarchy while still leveraging an existing PKI hierarchy. However, doing so requires designing a new PKI, and is not covered in this guide. For an informal overview of how a dual PKI could work for an organization, see the following Ask DS blog post: Moving Your Organization from a Single Microsoft CA to a Microsoft Recommended PKI.

  • Preparing to migrate

  • Migrating the certification authority

  • Verifying the migration

  • Post-migration tasks

Impact of migration

Impact of migration on the source server

The CA migration procedures described in this guide include decommissioning the source server after migration is completed and CA functionality on the destination server has been verified. If the source server is not decommissioned, the source server and destination server must have different names. Additional steps are required to update the CA configuration on the destination server (for example, CRL and CA certificate publication locations that embed the host name) if the name of the destination server is different from the name of the source server.

Impact of migration on other computers in the enterprise

During migration, the CA cannot issue certificates or publish CRLs.

To ensure that domain members can still perform revocation status checking during CA migration, publish a CRL whose validity extends beyond the planned duration of the migration before the source CA is shut down. If delta CRL publishing is enabled, the delta CRL has its own, typically much shorter, validity period that must also be considered.

Because the authority information access (AIA) and CRL distribution point (CDP) extensions of previously issued certificates may reference the host name of the source server and the source CA name, it is important either to continue publishing CA certificates and CRLs to the same locations or to provide a redirection solution. For an example of configuring IIS redirection, see Redirecting Web Sites in IIS 6.0.
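The two points above (a CRL that outlives the migration window, and publication locations that embed the source host name) can be checked and acted on from the source CA before it is stopped. The following PowerShell is an added example, not code from the migration guide; it assumes an elevated session on the source CA, certutil.exe on the path, the AD CS registry values CRLPeriod, CRLPeriodUnits, CRLDeltaPeriod, CRLDeltaPeriodUnits, CRLPublicationURLs and CACertPublicationURLs under the CA's registry subkey, the default CRL file location %SystemRoot%\System32\CertSrv\CertEnroll\<CA name>.crl (a CA name needing no sanitization), and the publication-URL tokens %1 (server DNS name) and %2 (server short name). The 14-day CRL lifetime and 7-day window are illustrative values.

```powershell
# Added example for the "impact on other computers" section; not part of the Microsoft guide.
# Assumptions: run elevated on the source CA; certutil.exe on the path; default CRL
# location %SystemRoot%\System32\CertSrv\CertEnroll; publication URLs use the AD CS
# tokens %1 (server DNS name) and %2 (server short name) for the host.

function Get-CACrlSettings {
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base -Name Active).Active
    $ca     = Get-ItemProperty -Path (Join-Path $base $caName)
    New-Object PSObject -Property @{
        CAName                = $caName
        CRLPeriod             = "$($ca.CRLPeriodUnits) $($ca.CRLPeriod)"
        # 0 delta units means delta CRL publishing is disabled
        DeltaCRLPeriod        = "$($ca.CRLDeltaPeriodUnits) $($ca.CRLDeltaPeriod)"
        CRLPublicationURLs    = $ca.CRLPublicationURLs
        CACertPublicationURLs = $ca.CACertPublicationURLs
    }
}

function Get-HostDependentPublicationUrls {
    # Returns the CDP/AIA templates whose published URL depends on the source host:
    # either through the %1/%2 tokens or through a literal source host name.
    param([string[]]$Urls, [string]$SourceHost)
    foreach ($entry in $Urls) {
        $url = $entry -replace '^\d+:', ''     # entries are "<flags>:<url template>"
        if ($url -match '%1|%2') { $url; continue }
        if ($SourceHost -and ($url -match [regex]::Escape($SourceHost))) { $url }
    }
}

function Set-MigrationCrlPeriod {
    # Lengthens the base CRL lifetime so the last CRL published by the source CA
    # remains valid while the CA is offline, then publishes a fresh CRL.
    param([Parameter(Mandatory=$true)][int]$Days)
    & certutil -setreg 'CA\CRLPeriod' 'Days'     | Out-Null
    & certutil -setreg 'CA\CRLPeriodUnits' $Days | Out-Null
    Restart-Service CertSvc                        # CRL period changes need a restart
    & certutil -crl | Out-Null                     # publish base (and delta, if enabled) CRL
}

function Test-CrlCoversWindow {
    # Parses NextUpdate out of "certutil -dump <crl>" and compares it with the
    # planned end of the migration. The date is printed in the machine's locale,
    # so it is parsed with the same current culture.
    param(
        [Parameter(Mandatory=$true)][string]$CrlPath,
        [Parameter(Mandatory=$true)][datetime]$MigrationEnd
    )
    $line = (& certutil -dump $CrlPath) | Where-Object { $_ -match '^\s*NextUpdate:' } | Select-Object -First 1
    if (-not $line) { throw "No NextUpdate line found in $CrlPath" }
    if ($line -notmatch 'NextUpdate:\s*(.+)$') { throw "Unexpected NextUpdate format: $line" }
    $nextUpdate = [datetime]::Parse($matches[1].Trim())
    New-Object PSObject -Property @{
        CrlPath      = $CrlPath
        NextUpdate   = $nextUpdate
        MigrationEnd = $MigrationEnd
        Covers       = ($nextUpdate -gt $MigrationEnd)
    }
}

# --- usage (illustrative values) ---
# $s = Get-CACrlSettings
# $s | Format-List
# Get-HostDependentPublicationUrls -Urls ($s.CRLPublicationURLs + $s.CACertPublicationURLs) `
#                                  -SourceHost $env:COMPUTERNAME
# Set-MigrationCrlPeriod -Days 14
# $crl = Join-Path $env:SystemRoot "System32\CertSrv\CertEnroll\$($s.CAName).crl"
# Test-CrlCoversWindow -CrlPath $crl -MigrationEnd (Get-Date).AddDays(7)
```

Every URL returned by Get-HostDependentPublicationUrls is one that existing certificates already point at with the source host name expanded into it; those are the locations that must keep serving the CRL and CA certificate (or be redirected) after the destination server comes online, and the same list is what needs updating on the destination CA if its host name differs. If DeltaCRLPeriod is non-zero, decide before shutdown whether the delta CRL lifetime also covers the window, since Set-MigrationCrlPeriod changes only the base CRL period.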

Permissions required to complete the migration

To install an enterprise CA or a standalone CA on a domain member computer, you must be a member of the Enterprise Admins group or Domain Admins group in the domain. To install a standalone CA on a server that is not a domain member, you must be a member of the local Administrators group. Removal of the CA role service from the source server has the same group membership requirements as installation.

Estimated duration

The simplest CA migration can typically be completed within one to two hours. The actual duration of CA migration depends on the number of CAs and the sizes of CA databases.

See also