2

I have Active Directory Certificate Services installed on a Windows 2016 domain controller. We plan on spinning up Windows 2019 instances to replace our 2016 domain controllers. We have one DC with ADCS services installed, specifically it has the certificate authority role and is set as an Enterprise CA (not stand-alone).

What is the best process for migrating the AD CS services to this new 2019 server and decommissioning the 2016 server hosting AD CS? According to this article it seems like a simple backup, add ADCS role/features and restore somr data but maybe I'm oversimplifying things - https://4sysops.com/archives/migrate-ad-certificate-services-to-a-new-server/.

My concern is what happens to the certificates we've already signed with the existing CA server and that are actively in use? Will they continue to function and/or stay valid if the CA is down, albeit temporarily? The name assigned to the CA is separate from the host name of the server currently hosting AD CS so the 2019 server having a different host name assigned shouldn't be an issue, correct?

If anybody has gone through this before or has some useful suggestions/tips I would greatly appreciate it!

Improve this question
3
  • 2
    what happens to the certificates we've already signed with the existing CA server and that are actively in use? Will they continue to function and/or stay valid if the CA is down, albeit temporarily? If the CRL is unavailable, and an application is configured to require CRL validation, there could be impact. Commented Feb 3, 2022 at 21:38
  • 2
    For ADCS migration, I would not use any 3rd-party guides. I would recommend to use only Microsoft official migration guide which covers all potential pitfalls: docs.microsoft.com/en-us/previous-versions/windows/it-pro/… Commented Feb 4, 2022 at 7:42
  • This was most helpful (specific to migrating to a host with a new name), although it is unclear at the end (an unnecessary step with the template re-issue), and probably a missing edit in the exported .reg file w.r.t. "WebClientCAMachine". -->> techcommunity.microsoft.com/t5/itops-talk-blog/… Commented Mar 27, 2024 at 5:37

1 Answer 1

Reset to default
2 
> the 2019 server having a different host name assigned shouldn't be an issue, correct?

Unfortunately it's not correct at all.
Moving a Certification Authority to a new server with the same name is a quite straightforward process, but it gets a lot more difficult if the new server has a different name.

Also, hosting a Certification Authority on a Domain Controller is definitely not recommended, last but not least because you can't promote, demote or rename a server which is hosting a CA; you really should take this opportunity to separate the two roles on two different servers.

How to do this the proper way:

  • Install a new server with a new name and join it to the domain.
  • Promote the new server to Domain Controller; make sure to install DNS and to make it a Global Catalog.
  • Perform a CA backup of your Certification Authority, including the root certificate.
  • Remove AD CS from the old server.
  • Move all FSMO roles to the new server.
  • Configure both servers and all domain member computers to use the new server as their primary DNS (or swap the two servers' IP addresses).
  • Demote the old server.
  • Remove the old server form the domain (or, if you need to keep it around for a while, rename it in order to free up its name).
  • Install an additional new server with the same name as the old one; join it to the domain.
  • Install AD CS on the new server using the existing root certificate and the same CA settings.
  • Restore the CA backup on the new server.

Of course, there are several additional details; but this is the full outline of the process.

Oh, and don't forget to add another Domain Controller. You really should not have only one of them.

Re-reading your question, it's not really clear how many Domain Controllers you have; if you already have more than one of them, this will make things a bit easier. But you'll still have to recycle the server name, and you can't demote or rename a server as long as it's hosting a CA; thus:

  • Perform CA backup
  • Remove AD CS
  • Demote server
  • Remove (or rename) server
  • Add new server with same name
  • Install AD CS
  • Restore CA backup
Improve this answer
6
  • 1
    I appreciate the thorough response on this! We currently have two domain controllers, only one is running certificate services. Commented Feb 4, 2022 at 19:19
  • Can't you just add a CNAME in DNS of the old server name pointing to the new server name? At least until the current certificate's all expire and get new CDP and AIA URIs. Commented Sep 4, 2022 at 17:21
  • @Brain2000 that would not work for quite a lot of reasons. A Windows Server Certification Authority is very strongly linked to the server hostname. Commented Sep 4, 2022 at 21:47
  • @Massimo but you haven't explained the circumstances as to when and why. Anything is doable if you know the caveats. Commented Sep 6, 2022 at 3:57
  • This article from microsoft indicates that you can use both the old and new name on the new server: learn.microsoft.com/en-us/troubleshoot/windows-server/… Commented Mar 18, 2024 at 20:29

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.