Updated: October 17, 2013
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012
Post-migration steps can be performed after migration has been completed and the operation of the destination CA has been verified.
If verification steps have failed, review the Troubleshooting section in this topic.
Review the post-migration steps below and perform only those that are appropriate for your environment and migration scenario.
The following additional default certificate templates are included in enterprise certification authorities (CAs) running on Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 and Windows Server 2008 but are not included in Windows Server 2003:
OCSP Response Signing
These certificate templates are not required for CA operation. OCSP Response Signing certificates are required if you are deploying the Online Responder role service.
If you require these additional certificate templates, complete the following procedure.
To upgrade certificate templates in AD DS by using the Certificate Templates snap-in
Log on to the destination server as a member of the Enterprise Admins group.
Open the Certificate Templates snap-in. The snap-in automatically adds the default certificate templates to AD DS.
If the destination server name is different from the source server name, you might need to manually retrieve any certificates that were issued by the source CA and had not been retrieved before migration.
Complete this procedure on the computer that was used to submit the certificate request to the source CA.
To retrieve a certificate by using Certreq.exe
Open a Command Prompt window.
Type certreq –retrieve -config "<DestinationServerName\CAName>" <RequestID> <CertificateResponseOutput> and press ENTER.
Type certreq –accept <CertificateResponseOutput> and press ENTER.
The –config option is followed by a string specifying a host name and CA name in the format HostName\CAName.
Certreq.exe –submit –config Server1\CA1 C:\RequestFile.txt C:\ResponseFile.cer
The host name of the destination server.
The CA name being migrated.
The path and name of the file containing the certificate request that was created by using the procedure "Create a Custom Certificate Request."
The path and name of the file receiving the issued certificate from the CA. If the certificate request is pending, the file contains a message from the CA indicating the status of the request and the request ID. The request ID is used to retrieve the certificate after it is issued by a certificate manager or CA administrator.
The Request ID value returned by a CA in response to a certificate request. The Request ID value is displayed in command output and written to the CertificateResponseOutput file.
If you removed the CA role service from the source server as described in the procedure Removing the CA role service from the source server, you can restore the source CA by reinstalling the CA role service on the source server. It is important to remove the CA role service from the destination server before reinstalling the CA role service on the source server.
If you did not remove the CA role service from the source server, you should not remove the CA role service from the destination server. Simply shut down the destination CA and start the source CA.
Rollback procedures can be completed in less than one hour.
To remove the CA role service from the destination server, use the Remove Roles Wizard in Server Manager.
To add the CA role service to a source server running Windows Server 2003, use the Add/Remove Windows Components wizard.
To add the CA role service to a source server running Windows Server 2008 or later, use the Add Roles Wizard in Server Manager.
If you encounter errors during verification procedures, use Event Viewer to review the Application log on the destination CA. View an Error event in the preview pane or event properties, and click Event Log Online Help to open a Web page with troubleshooting procedures for that event.
For the full collection of documented AD CS events, see AD CS Events and Errors.