AD CS Migration: Post-Migration Tasks

Applies To: Windows Server 2008 R2, Windows Server 2012

Post-migration steps can be performed after migration has been completed and the operation of the destination CA has been verified.

If verification steps have failed, review the Troubleshooting section in this topic.

  • Upgrading certificate templates in Active Directory Domain Services (AD DS)

  • Retrieving certificates after a host name change

  • Restoring Active Directory Certificate Services (AD CS) to the source server in the event of migration failure

  • Troubleshooting migration

Review the post-migration steps below and perform only those that are appropriate for your environment and migration scenario.

Upgrading certificate templates in Active Directory Domain Services (AD DS)

The following additional default certificate templates are included in enterprise certification authorities (CAs) running on Windows Server 2012, Windows Server 2008 R2 and Windows Server 2008 but are not included in Windows Server 2003:

  • OCSP Response Signing

  • Kerberos Authentication

These certificate templates are not required for CA operation. OCSP Response Signing certificates are required if you are deploying the Online Responder role service.

If you require these additional certificate templates, complete the following procedure.

To upgrade certificate templates in AD DS by using the Certificate Templates snap-in

  1. Log on to the destination server as a member of the Enterprise Admins group.

  2. Open the Certificate Templates snap-in. When it is opened by a member of Enterprise Admins, the snap-in automatically adds any missing default certificate templates to AD DS. Adding a template to AD DS does not by itself allow the CA to issue it; enable it on the CA afterwards in the Certification Authority console under Certificate Templates.
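A way to confirm that the two newer templates were actually written to AD DS, and to see which templates the migrated CA is configured to issue, as an added example (this is not code from the original article). It assumes the ActiveDirectory PowerShell module from RSAT is available and that the caller can read the Configuration naming context; the template CNs are the object names AD DS uses for these two templates.

```powershell
# Added example (not from the original article): confirm that the Certificate
# Templates snap-in has populated the newer default templates in AD DS.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can
# read the Configuration naming context.
Import-Module ActiveDirectory

$configNC          = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Object CNs as stored in AD DS (the display names shown in the snap-in differ).
$expected = @('OCSPResponseSigning', 'KerberosAuthentication')

$present = Get-ADObject -SearchBase $templateContainer -SearchScope OneLevel `
    -Filter { objectClass -eq 'pKICertificateTemplate' } -Properties displayName

foreach ($cn in $expected) {
    $match = $present | Where-Object { $_.Name -eq $cn }
    if ($match) {
        "{0,-25} present (display name: {1})" -f $cn, $match.displayName
    } else {
        "{0,-25} MISSING - open the Certificate Templates snap-in as an Enterprise Admin" -f $cn
    }
}

# Templates the CA is configured to issue. A template that exists in AD DS but
# is absent here cannot be requested from this CA until it is enabled on the CA.
certutil -catemplates
```

Run this on the destination CA after closing the snap-in; the template list in AD DS is forest-wide, so the first part can also be run from any domain-joined workstation with RSAT.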

Retrieving certificates after a host name change

If the destination server name is different from the source server name, you might need to manually retrieve any certificates that were issued by the source CA and had not been retrieved before migration.

Complete this procedure on the computer that was used to submit the certificate request to the source CA.

To retrieve a certificate by using Certreq.exe

  1. Open a Command Prompt window.

  2. Type certreq -retrieve -config "<DestinationServerName\CAName>" <RequestID> <CertificateResponseOutput> and press ENTER.

  3. Type certreq -accept <CertificateResponseOutput> and press ENTER.

Option: -config
Description: Followed by a string that identifies the CA in the format HostName\CAName. For a migrated CA this is the destination server's host name combined with the original CA name.
Example: Certreq.exe -submit -config Server1\CA1 C:\RequestFile.txt C:\ResponseFile.cer

Placeholder: DestinationServerName
Description: The host name of the destination server.

Placeholder: CAName
Description: The name of the migrated CA. The CA name is unchanged by migration; only the host name differs.

Placeholder: CertificateRequestInput
Description: The path and name of the file containing the certificate request that was created by using the procedure "Create a Custom Certificate Request." This placeholder is used with -submit (as in the example above), not with -retrieve.

Placeholder: CertificateResponseOutput
Description: The path and name of the file that receives the issued certificate from the CA. If the certificate request is pending, the file instead contains a message from the CA indicating the status of the request and the request ID. The request ID is used to retrieve the certificate after a certificate manager or CA administrator issues it.

Placeholder: RequestID
Description: The Request ID value returned by the CA in response to a certificate request. It is displayed in the command output and, for a pending request, written to the CertificateResponseOutput file. If that file is no longer available, the request ID can be looked up in the destination CA's database (Certification Authority console, Pending Requests or Issued Certificates).

Restoring Active Directory Certificate Services (AD CS) to the source server in the event of migration failure

If you removed the CA role service from the source server as described in the procedure Removing the CA role service from the source server, you can restore the source CA by reinstalling the CA role service on the source server. Remove the CA role service from the destination server before reinstalling it on the source server: both installations use the same CA name and CA certificate, and two CAs publishing under the same identity to AD DS will conflict.

If you did not remove the CA role service from the source server, do not remove it from the destination server either. Stop the destination CA and start the source CA. Note that any certificates the destination CA issued while it was in service are recorded only in its database.

Rollback procedures can be completed in less than one hour.

To remove the CA role service from the destination server, use the Remove Roles Wizard in Server Manager.

To add the CA role service to a source server running Windows Server 2003, use the Add/Remove Windows Components wizard.

To add the CA role service to a source server running Windows Server 2008 or Windows Server 2008 R2, use the Add Roles Wizard in Server Manager.
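The two rollback paths described above as commands, as an added example (not code from the original article). Host names and the CA name are placeholders. The ServerManager cmdlets apply to servers running Windows Server 2008 R2 or Windows Server 2012; a Windows Server 2003 source server still uses the Add/Remove Windows Components wizard.

```powershell
# Added example (not from the original article): the two rollback paths.
# Run each block on the server named in its comment. Placeholders throughout.

# --- Case A: the source CA was never removed. Uninstall nothing; stop and
#     disable the destination CA service, then start the source CA.
# On the destination server:
Stop-Service -Name CertSvc
Set-Service  -Name CertSvc -StartupType Disabled   # so a reboot cannot bring it back
# On the source server:
Set-Service   -Name CertSvc -StartupType Automatic
Start-Service -Name CertSvc

# --- Case B: the CA role service was removed from the source server.
#     Remove it from the destination FIRST, then reinstall on the source.
# On the destination server:
Import-Module ServerManager
Stop-Service -Name CertSvc
Remove-WindowsFeature -Name ADCS-Cert-Authority
# On the source server (Windows Server 2008 R2 or 2012):
Import-Module ServerManager
Add-WindowsFeature -Name ADCS-Cert-Authority
# Then run the CA setup choosing "use existing private key" with the backed-up
# CA certificate, and restore the CA database and registry settings from the
# pre-migration backup (those steps are in the migration guide, not here).

# --- Verify which CA is live. Only one instance should answer, and it should
#     be running under the original CA name.
certutil -config 'SRCSRV01\Contoso-Issuing-CA' -ping
certutil -dump   # on the live CA: shows the CA name and configuration in use
```

Disabling the service on the side that is being taken out of service matters more than it looks: a destination CA that comes back up after a reboot would issue certificates into a database nobody is watching.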

Troubleshooting migration

If you encounter errors during verification procedures, use Event Viewer to review the Application log on the destination CA. View an Error event in the preview pane or event properties, and click Event Log Online Help to open a Web page with troubleshooting procedures for that event.
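A quicker way to pull the same events than clicking through Event Viewer, as an added example (not code from the original article). It assumes the CA service logs under the provider name Microsoft-Windows-CertificationAuthority; if the Source column of an existing CA event on your build shows a different name, use that.

```powershell
# Added example (not from the original article): list the CA's recent Error
# events from the Application log so their event IDs can be matched against the
# documented AD CS events. Run on the destination CA.
$errors = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'  # assumed provider name, see lead-in
    Level        = 2                                           # 2 = Error
    StartTime    = (Get-Date).AddHours(-24)                    # cover the migration window; adjust as needed
} -ErrorAction SilentlyContinue                                # no matching events is not an error here

if (-not $errors) {
    'No CertificationAuthority Error events in the last 24 hours.'
} else {
    $errors |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
        Format-Table -AutoSize -Wrap
}

# Also confirm the service is running and that the CA answers requests.
Get-Service -Name CertSvc | Select-Object Name, Status
certutil -ping
```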

For the full collection of documented AD CS events, see AD CS Events and Errors.
