Active Directory Certificate Services Migration Guide

• Administrators or IT operations engineers responsible for planning and performing CA migration to Windows Server 2008 R2.
  
  
• Administrators or IT operations engineers responsible for the day-to-day management and troubleshooting of networks, servers, client computers, operating systems, or applications.
  
  
• IT operations managers accountable for network and server management.
  
  
• IT architects responsible for computer management and security throughout an organization.
  
  

This guide supports migrations from source servers running the operating system versions and service packs listed in the following table. All migrations described in this document assume that the destination server is running Windows Server 2008 R2 (either the full or Server Core installation option) on x64-based hardware.

• Preparing your destination server
  
  
• Backing up your source server
  
  
• Preparing your source server
  
  

• Backing up a CA database and private key
  
  
• Backing up CA registry settings
  
  
• Backing up CAPolicy.inf
  
  
• Removing the CA role service from the source server
  
  
• Removing the source server from the domain
  
  
• Joining the destination server to the domain
  
  
• Adding the CA role service to the destination server
  
  
• Restoring the CA database and configuration on the destination server
  
  
• Granting permissions on AIA and CDP containers
  
  
• Additional procedures for failover clustering (optional)
  
  

• Verifying certificate enrollment
  
  
• Verifying CRL publishing
  
  

• Upgrading certificate templates in Active Directory Domain Services (AD DS)
  
  
• Retrieving certificates after a host name change
  
  
• Restoring Active Directory Certificate Services (AD CS) to the source server in the event of migration failure
  
  
• Troubleshooting migration
  
  

The CA migration procedures described in this guide include decommissioning the source server after migration is completed and CA functionality on the destination server has been verified. If the source server is not decommissioned, then the source server and destination server must have different names. Additional steps are required to update the CA configuration on the destination server if the name of the destination server is different from the name of the source server.

During migration, the CA cannot issue certificates or publish CRLs.

To ensure that revocation status checking can be performed by domain members during CA migration, it is important to publish a CRL that is valid beyond the planned duration of the migration.

Because the authority identification access and CRL distribution point extensions of previously issued certificates may reference the name of the source CA, it is important to either continue to publish CA certificates and CRLs to the same location or provide a redirection solution. For an example of configuring IIS redirection, see Redirecting Web Sites in IIS 6.0 (http://go.microsoft.com/fwlink/?LinkID=179366).