Chong-7118 asked:

Migration on 3-tier CA servers

Hi Support,

We have 3-tier CA servers (4 CA servers in total) that need to migrate OS from 2008/2012 to 2019. To migrate the CA, we need to back up the CA DB, uninstall the old server, install the new server and restore the CA DB.
The question is: can we migrate the CA servers one by one? If yes, is there any sequence for root and subordinate CAs?
Or should we migrate all CA servers at the same time?

Thanks
Chong


Hello @Chong-7118,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou


============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


Hi @DaisyZhou-MSFT,

Thanks for your information and it is useful for me.

Chong


Hello @Chong-7118,

Thank you for your update and marking my reply as answer. I am very glad that the information is helpful.

As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!

Best Regards,
Daisy Zhou


============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


1 Answer

DaisyZhou-MSFT answered:

Hello @Chong-7118,

Thank you for posting here.

Here are the answers for your reference.

Q: Can we migrate the CA servers one by one?
A: Yes, we can migrate the CA servers one by one.

Q: If yes, is there any sequence for root and subordinate CAs? Or should we migrate all CA servers at the same time?
A: Usually, the sequence of CA migration follows the sequence in which the CAs were set up; I mean we can migrate the root CA first, then the Intermediate CA (Policy CA), and the Issuing CA last.


Considerations for migrating a CA to a new machine:

1. When migrating a CA, the computer name of the target computer may be different from the computer name of the source computer, but the CA name must remain unchanged.

2. By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions that include the CA machine host name in the path. This means that any certificate issued by the CA prior to migration may contain a certificate verification path that contains the old host name. These paths may no longer be valid after migration. To avoid revocation checking errors, the new CA must be configured to publish the CRL to the old (pre-migration) path as well as the new path.

3. During the installation process, we must choose to use the CA's existing certificate and private key instead of creating a new CA certificate and key.

4. We can migrate a CA directly from Server 2008 R2 to 2016/2019. However, if you attempt to migrate a 2008 CA (non-R2) to 2016/2019, you may need to migrate the CA to Server 2012 R2 first, then to 2016/2019.

For more information, please read the link below.
Migrating AD Certificate Services from Windows Server 2008 to Windows Server 2016
https://social.technet.microsoft.com/wiki/contents/articles/37373.migrating-ad-certificate-services-from-windows-server-2008-to-windows-server-2016.aspx

5. Each of the above small steps contains a lot of operations.
It is recommended that you set up a similar CA environment in a test environment, perform the migration operations there, and then record all these steps in a document, writing down the key points and precautions.
If there are no problems, follow similar steps in the production environment, so that even if you encounter any problems in production, you should be able to troubleshoot or solve them.

For more information about CA migration, we can refer to the links below.
Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

AD CS Migration: Migrating the Certification Authority
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee126140(v=ws.10)#BKMK_GrantPermsAIA

Performing the Upgrade or Migration
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
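The answer's considerations (CA name unchanged, reuse of the existing certificate and key, and republishing the CRL to the pre-migration path) as an added PowerShell walkthrough for one CA tier. This is example code, not from the thread or from Microsoft's documentation; the CA name, host names, paths and certificate file names are hypothetical placeholders, and the backup directory is assumed to be copied to the new host between steps 1 and 2.

```powershell
# Added example, not from the Q&A thread: migrate one CA tier (root, policy or
# issuing) to a new Windows Server 2019 host, keeping the CA name, then keep
# publishing the CRL where pre-migration certificates point. All names below
# are hypothetical placeholders; run each part on the host indicated.

$CaName     = 'Contoso-Issuing-CA'        # must be identical on old and new host
$CaType     = 'EnterpriseSubordinateCA'   # EnterpriseRootCA / StandaloneRootCA for the root tier
$OldHost    = 'OLDCA01'                   # hypothetical source computer name
$BackupPath = 'D:\CABackup'               # copy to the new host after step 1
$KeyPwd     = Read-Host 'Password protecting the exported CA key'

# --- 1. On the source CA (certutil works on 2008, 2008 R2 and 2012):
#        database, log, CA certificate + key (.p12) and CertSvc registry settings.
certutil -p $KeyPwd -backup $BackupPath
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    "$BackupPath\CertSvc.reg" /y
certutil -catemplates > "$BackupPath\templates.txt"   # issuing CA only

# --- 2. On the new host: install the role with the EXISTING certificate and
#        key. Letting setup generate a new key would change the CA's identity.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType $CaType `
    -CertFile "$BackupPath\$CaName.p12" `
    -CertFilePassword (ConvertTo-SecureString $KeyPwd -AsPlainText -Force) -Force

# --- 3. Restore database and registry configuration (service must be stopped).
Stop-Service certsvc
certutil -f -restoredb $BackupPath
reg import "$BackupPath\CertSvc.reg"
# The exported configuration still names the old computer; point it at this host.
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName" `
    -Name CAServerName -Value $env:COMPUTERNAME
Start-Service certsvc

# --- 4. Certificates issued before the migration carry http://$OldHost/... in
#        their CDP extension. Keep publishing the CRL where those clients look:
#        here to the old host's CertEnroll share (alternative: a DNS alias for
#        $OldHost pointing at the new host). %3 = CA name, %8 = CRL suffix, %9 = delta.
Add-CACrlDistributionPoint -Uri "file://\\$OldHost\CertEnroll\%3%8%9.crl" `
    -PublishToServer -PublishDeltaToServer -Force
Restart-Service certsvc
certutil -crl                                   # publish to every location now

# --- 5. Verify: list the distribution points, then check that a certificate
#        issued BEFORE the migration still chains and fetches its CRL. A
#        "revocation server was offline" error means the old path is unreachable.
Get-CACrlDistributionPoint | Format-Table Uri, PublishToServer, AddToCertificateCdp
certutil -verify -urlfetch "$BackupPath\pre-migration-issued.cer"
```

Run the verification in step 5 from a domain member that trusts the chain, not only on the CA itself, since that is where revocation checking fails in practice.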
