question

0 Votes
Chong-7118 asked DaisyZhou-MSFT commented

Migrate CA server 2008 to 2019 without uninstall existing CA services

Hi Support,

We need to migrate our 2-tier enterprise CA server OS from 2008 to 2019 in our AD. After some research, all of the migration methods are:
1. Backup the existing CA DB and registry
2. Uninstall existing CA services
3. Restore CA DB and registry to new server

However, we can only shut down the existing CA but cannot remove the CA from the AD (for failback if the new CA server does not work).
If we need to keep the same CA server name (not hostname), how can we migrate the CA to the new server? Can we still use backup and restore to migrate the CA services?
1. Backup the existing CA DB and registry
2. Shutdown the existing CA server
3. Restore CA DB and registry to a new server

Thanks
Chong

windows-server

Hello @Chong-7118,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

0 Votes

Hello @Chong-7118,
Would you please tell me how things are going on your side. If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
Thanks for your time and have a nice day!

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

0 Votes

0 Votes
DaisyZhou-MSFT answered

Hello @Chong-7118,

Thank you for posting here.

From the link below, we can see why we should uninstall AD CS from source CA before we install AD CS on destination CA:

Because the source CA and destination CA share the same common name, removing the CA role service from the source server after installing the CA role service on the destination server removes configuration data that is required by destination CA and interferes with its operation.

The CA database, private key, and certificate are not removed from the source server by removing the CA role service. Therefore, reinstalling the CA role service on the source server restores the source CA if migration fails and performing a rollback is required.

Warning
Although it is not recommended, some administrators may choose to leave the CA role service installed on the source server to enable the source CA to be brought online quickly in the case of migration failure. If you choose not to remove the CA role service from the source server before installing the CA role service on the destination server, it is important that you disable the Active Directory Certificate Services service (Certsvc) and shut down the source server before installing the CA role service on the destination server. Do not remove the CA role service from the source server after completing the migration to the destination server. Removing the CA role service from the source server after migrating to the destination server interferes with the operation of the destination CA.

For more information, we can read the link below.
Migrating the Certification Authority
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486805(v=ws.11)


Other considerations for migrating a CA to a new machine:

1. When migrating a CA, the computer name of the target computer may be different from the computer name of the source computer, but the CA name must remain unchanged.

2. By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions, including the CA machine host name in the path. This means that any certificate issued by the CA prior to migration may contain a certificate verification path that contains the old host name. These paths may no longer be valid after migration. To avoid revocation checking errors, the new CA must be configured to publish the CRL to the old (pre-migration) path as well as the new path.

3. During the installation process, we must choose to use the CA's existing certificate and private key instead of creating a new CA certificate and key.

4. We can migrate a CA directly from Server 2008 R2 to 2016/2019. However, if you attempt to migrate a 2008 CA (non-R2) to 2016/2019, you may need to migrate the CA to Server 2012 R2 first, then to 2016/2019.

For more information, please read the links below.
Migrating AD Certificate Services from Windows Server 2008 to Windows Server 2016
https://social.technet.microsoft.com/wiki/contents/articles/37373.migrating-ad-certificate-services-from-windows-server-2008-to-windows-server-2016.aspx

https://www.petenetlive.com/KB/Article/0001473

https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/bc-p/700730#M270%3FWT.mc_id=ITOPSTALK-blog-abartolo

5. Each of the above small steps contains a lot of operations.
It is recommended that you set up a similar CA environment in a test environment, perform the migration operations there, then record all the steps in a document and write down the key points and precautions.
If there are no problems, follow similar steps in the production environment, so that even if you encounter any problems in production, you should be able to troubleshoot or solve them well.


For more information about CA migration, we can refer to the links below.
Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

AD CS Migration: Migrating the Certification Authority
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee126140(v=ws.10)#BKMK_GrantPermsAIA

Performing the Upgrade or Migration
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.



Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
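The backup, disable-before-shutdown and CRL/AIA path considerations from the answer above, as an added PowerShell example that is not part of this thread or of the Microsoft documents it links. The host names (OLDCA01, NEWCA01), the backup folder (D:\CABackup) and the exported test certificate name are assumptions; Phase 2 uses the ADCSAdministration module that ships with the CA role on Server 2012 and later, and assumes the old host name still resolves (for example via a DNS alias) to wherever the CRL and CA certificate files are published.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Phase 1 runs on the source CA, Phase 2 on the
# destination after the CA role was installed with the existing certificate and
# private key and the database was restored with "certutil -restore".
Import-Module ADCSAdministration -ErrorAction SilentlyContinue

$BackupDir = 'D:\CABackup'                 # assumed backup location
$OldHost   = 'OLDCA01.contoso.local'       # assumed old CA host name
$NewHost   = 'NEWCA01.contoso.local'       # assumed new CA host name

function Backup-SourceCA {
    # certutil -backup writes the CA database, its log files and the CA certificate
    # with its private key (you are prompted for a password protecting the PFX).
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    certutil -backup $BackupDir
    # The CA's registry configuration carries CDP/AIA URLs, KRA settings, validity
    # periods and the like; it is restored on the destination with "reg import".
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
        (Join-Path $BackupDir 'CertSvc-Configuration.reg') /y
    # Keep CAPolicy.inf too, so the destination installs with the same policy.
    if (Test-Path "$env:SystemRoot\CAPolicy.inf") {
        Copy-Item "$env:SystemRoot\CAPolicy.inf" $BackupDir
    }
}

function Disable-SourceCA {
    # Per the warning quoted in the answer: if the role stays installed for failback,
    # the service must be disabled (not just stopped) before the source is shut down,
    # so it cannot come back up beside a destination CA with the same common name.
    Stop-Service -Name CertSvc -Force
    Set-Service  -Name CertSvc -StartupType Disabled
}

function Add-LegacyPublicationPaths {
    # Certificates issued before migration embed CDP/AIA URLs with the old host name.
    # Keep those URLs alongside the new ones so revocation checking of old certs
    # keeps working. %1=server DNS name, %3=CA name, %4=cert name, %8/%9=CRL suffixes.
    $cdpUris = @("http://$OldHost/CertEnroll/%3%8%9.crl",
                 "http://$NewHost/CertEnroll/%3%8%9.crl")
    $aiaUris = @("http://$OldHost/CertEnroll/%1_%3%4.crt",
                 "http://$NewHost/CertEnroll/%1_%3%4.crt")

    $existingCdp = (Get-CACrlDistributionPoint).Uri
    foreach ($uri in $cdpUris) {
        if ($existingCdp -notcontains $uri) {
            Add-CACrlDistributionPoint -Uri $uri -AddToCertificateCdp -AddToFreshestCrl -Force
        }
    }
    $existingAia = (Get-CAAuthorityInformationAccess).Uri
    foreach ($uri in $aiaUris) {
        if ($existingAia -notcontains $uri) {
            Add-CAAuthorityInformationAccess -Uri $uri -AddToCertificateAia -Force
        }
    }
    Restart-Service -Name CertSvc
    certutil -CRL        # publish a fresh base (and delta) CRL immediately
}

function Test-MigratedCA {
    # Post cut-over checks: service state, the publication URLs actually in effect,
    # and whether a certificate issued BEFORE the migration still chains with
    # revocation checking. "certutil -verify -urlfetch" downloads every CDP/AIA URL
    # the certificate embeds; unreachable old paths show up as retrieval errors.
    Get-Service -Name CertSvc | Select-Object Status, StartType
    certutil -getreg CA\CRLPublicationURLs
    certutil -getreg CA\CACertPublicationURLs
    certutil -verify -urlfetch (Join-Path $BackupDir 'pre-migration-issued.cer')
}

# Phase 1 (source):      Backup-SourceCA; Disable-SourceCA; Stop-Computer
# Phase 2 (destination): Add-LegacyPublicationPaths; Test-MigratedCA
```

The last function is the check worth keeping after any CA move: export one certificate the old CA issued, run it through `certutil -verify -urlfetch` on a domain member, and treat any failed URL retrieval as a CDP/AIA path that still needs to be served under the old name.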

0 Votes
Chong-7118 answered Chong-7118 commented

Hi @DaisyZhou-MSFT,

Thanks for the information.
But the link you provided seems to have been removed already.

Migrating the Certification Authority
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486805(v=ws.11)

And I just tried not removing the CA role from the old subordinate server and shutting it down (I didn't disable the CA services). Then I restored the CA to the new server, and it requested a cert from the root CA. But the root CA failed to issue the cert. Does this relate to not disabling the CA services?

102937-subordinate.jpg


Best Regards
Chong



subordinate.jpg (35.7 KiB)

Hello @Chong-7118,

Thank you for your update.

All the information I provided is the suggestion from Microsoft.

I have not migrated a CA without removing the CA role from the old server, and you can see the impact.

After you restore the CA to the new server, it should not request a cert from the root CA.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

0 Votes

Hi @DaisyZhou-MSFT ,

It seems we should remove the CA role from the old server.

You said: "After you restore the CA to new server, it should not request a cert from root CA."
Why can it not request a cert from the root CA? This is a subordinate CA and it should renew its cert from the root CA when the cert expires (maybe not now, but it should renew in the future).

And if I enable auto key archival on the old CA server, after restoring to the new server, do we need to take any action on the new server? Will all settings/KRAs be applied on the new server also?

Thanks
Chong

0 Votes

0 Votes
DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @Chong-7118,

I am so glad to receive your reply.

Here are the answers for your references.

Q: You said: "After you restore the CA to new server, it should not request a cert from root CA."
Why can it not request a cert from the root CA? This is a subordinate CA and it should renew its cert from the root CA when the cert expires (maybe not now, but it should renew in the future).
A: What I mean is that the usual CA migration does not include requesting a cert from the root CA, but if you need to, you can request a cert from the root CA.

Q: And if I enable auto key archival on the old CA server, after restoring to the new server, do we need to take any action on the new server? Will all settings/KRAs be applied on the new server also?
A: Based on my understanding, all settings/KRAs will be applied on the new server also.

AD CS key archival can be performed either manually or automatically. Manual key archival requires users to export private keys and send them to a CA Administrator who imports them to the protected CA database. Automatic key archival is performed during the certificate enrollment process when a certificate template is configured to require key archival. During the certificate enrollment process, the private key is securely sent to the CA as part of the certificate request and is archived by the CA.

References:
Configure Automatic Key Archiving in Certificate services| key recovery agent
https://w7cloud.com/configure-automatic-key-archiving-in-certificate-services-key-recovery-agent/

Active Directory Certificate Services: PKI - Key Archival and Management
https://social.technet.microsoft.com/wiki/contents/articles/7573.active-directory-certificate-services-pki-key-archival-and-management.aspx


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
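A way to confirm the point made in this answer, that the key archival settings come across with the registry backup, as an added PowerShell example that is not part of this thread or of the linked articles. It reads the CA's own registry configuration on the destination server and cross-checks each registered KRA thumbprint against the local machine "KRA" certificate store; the store name and the assumption that the CA service is already running on the new host are the only things not stated in the thread.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Run on the destination CA after the
# registry configuration was imported and CertSvc started.

function Get-KraConfiguration {
    # Key archival is configured per CA under CertSvc\Configuration\<CA name>:
    #   KRAFlags     - archival behaviour flags
    #   KRACertCount - how many KRA certificates each archived key is encrypted to
    #   KRACertHash  - thumbprints of the KRA certificates the CA uses (multi-string)
    # These values travel with the "reg export / reg import" step of the migration.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $ca     = Get-ItemProperty -Path (Join-Path $cfg $caName)
    [pscustomobject]@{
        CAName       = $caName
        KRAFlags     = $ca.KRAFlags
        KRACertCount = $ca.KRACertCount
        KRACertHash  = @($ca.KRACertHash)
    }
}

function Test-KraCertificates {
    # Every thumbprint the CA is configured to archive to must still be readable from
    # the CA's KRA store on this host and must not be expired; otherwise enrollment
    # against templates that require archival fails on the migrated server.
    $cfg = Get-KraConfiguration
    if ($cfg.KRACertHash.Count -eq 0) {
        Write-Warning "No KRA certificates registered on $($cfg.CAName); key archival is not configured."
        return
    }
    foreach ($hash in $cfg.KRACertHash) {
        # certutil stores hashes with spaces between byte pairs; normalise before comparing.
        $thumb = ($hash -replace '\s', '').ToUpperInvariant()
        $cert  = Get-ChildItem -Path Cert:\LocalMachine\KRA -ErrorAction SilentlyContinue |
                 Where-Object { $_.Thumbprint -eq $thumb }
        [pscustomobject]@{
            Thumbprint = $thumb
            Present    = [bool]$cert
            Expired    = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
            Subject    = if ($cert) { $cert.Subject } else { '<not found in KRA store>' }
        }
    }
}

Get-KraConfiguration
Test-KraCertificates | Format-Table -AutoSize
```

If every row shows Present = True and Expired = False, the configuration restored intact; the end-to-end proof is then a single test enrollment from a template that requires key archival, followed by `certutil -getkey` against that request to confirm the key was actually archived in the new database.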

0 Votes
Chong-7118 answered Chong-7118 edited

Hi @DaisyZhou-MSFT ,

Thanks for your information.

Back to the original question: if we need to remove the CA role from the old server before installing a new CA server, is there any failback plan for the CA migration?


Best Regards
Chong


Hello @Chong-7118,

I am so glad to receive your reply.

As mentioned in my first answer.

The CA database, private key, and certificate are not removed from the source server by removing the CA role service. Therefore, reinstalling the CA role service on the source server restores the source CA if migration fails and performing a rollback is required.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

0 Votes

Hi @DaisyZhou-MSFT ,

Thanks for the info; I understand the case, but that is our management's concern. They are afraid the old CA server won't work after reinstalling the CA role again. That's why they are asking for any workaround that does not need to remove the CA services from the old server.

BTW, if the CA is an active/passive cluster, do we need to remove the CA services on both nodes at the same time, or can we do it one by one?



Best Regards
Chong

0 Votes

0 Votes
DaisyZhou-MSFT answered DaisyZhou-MSFT commented

Hello @Chong-7118,

Thank you for your reply.

Q: BTW, if the CA is an active/passive cluster, do we need to remove the CA services on both nodes at the same time, or can we do it one by one?
A: I am sorry, I do not know about clusters. Do you mean you have two CA servers and installed AD CS on both servers, but you migrate one CA server to another new server?

If so, if you have two CA servers:

CA server1: CA name1
CA server2: CA name2

If you migrate CA server1, you can remove CA service on CA server1.
Or if you migrate CA server2, you can remove CA service on CA server2.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


Hi @DaisyZhou-MSFT ,

We have 2 CA servers (CA1 and CA2) running in a cluster, so if CA1 goes down, the CA services fail over to CA2. I understand you may not know cluster services. It is OK, and thanks for the info.

BTW, can we merge 2 CA servers into 1 server?
(Old CA servers CA1 and CA2; the new CA name will be CA1, and the DB will contain CA1 and CA2 information.)


Best Regards
Chong

0 Votes

Hello @Chong-7118,

Thank you for your reply.

Q: BTW, can we merge 2 CA servers into 1 server?
(Old CA servers CA1 and CA2; the new CA name will be CA1, and the DB will contain CA1 and CA2 information.)
A: Based on my knowledge, we cannot merge 2 CA servers into 1 server.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

0 Votes