question

NamlessShelter-6097 avatar image
0 Votes"
NamlessShelter-6097 asked NamlessShelter-6097 commented

CA server in-place upgrade from server to server 2019.

Hi There,

Just need some helps on our CA server.

Currently we are running only CA on a 2012 server box. Now we are thinking to in-place upgrade to server 2016. I know we can migrate CA to a new server 2019. But we just want it done in an easy way.

How feasible it is to upgrade CA server from 2012 to 2016? Any potential issues we might have?

Thanks a lot,
ML

windows-server-security
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @NamlessShelter-6097,

Hope things are going well on your end.

We are checking in to see if the provided information is helpful. If the reply is helpful, we would greatly appreciate it if you would accept it as answer.

Please let us know if you would like further assistance. Thanks.

Best Regards,
Hannah Xiong

0 Votes 0 ·

Hi @NamlessShelter-6097,

I would like to know how things are going on your end. If you have any questions or concerns about the latest information I provided, please don't hesitate to let me know.

It's my pleasure to be of assistance and I look forward to hearing from you.

Best regards,
Hannah Xiong

0 Votes 0 ·
HannahXiong-MSFT avatar image
0 Votes"
HannahXiong-MSFT answered HannahXiong-MSFT commented

Hello @NamlessShelter-6097,

You are welcome. Thank you so much for your kindly reply.

If the status of snapshot is fine, we could restore it from the snapshot and everything will be fine.

If the in-place upgrade failed, we could check the log files for further analysis to find out the cause and solution.
Reference: https://support.microsoft.com/en-us/topic/log-files-that-are-created-when-you-upgrade-to-a-new-version-of-windows-9ec8aa31-0cc1-a0b2-2d98-e9c6714349b9

As mentioned, in-place upgrade is not recommended. It is suggested to do the migration of CA server.

For any question, please feel free to contact us.

Best regards,
Hannah Xiong

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi Hannah,

Thanks so much,

I actually logged another job: https://docs.microsoft.com/en-us/answers/questions/495297/file-server-2012-in-place-upgrade-to-2016.html

Are you able to have a look as well?

Thanks

0 Votes 0 ·
HannahXiong-MSFT avatar image HannahXiong-MSFT NamlessShelter-6097 ·

Hi @NamlessShelter-6097,

You are welcome. Thanks for your reply.

I have checked the thread and it is related to file server in-place upgrade. Our engineer from file server will have a look at this thread and provide the professional support for you.

Thank you so much for your understanding and support.

Best regards,
Hannah Xiong

0 Votes 0 ·
HannahXiong-MSFT avatar image
0 Votes"
HannahXiong-MSFT answered NamlessShelter-6097 commented

Hello @NamlessShelter-6097,

Thank you so much for posting here.

Based on my experience, it is easy to migrate the CA directly from the server running Windows Server 2012 to the new server 2016. It is suggested that we could choose to migrate the CA to the new server.

As for the in-place upgrade, we have not experienced this operation before. For more information, we could refer to:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742466(v=ws.10)

Besides, a complete server backup of the CA computer is highly recommended before the upgrade or migration. If we choose to do the in-place upgrade, please make such upgrade in test environment firstly.

The similar discussion here: https://social.technet.microsoft.com/Forums/en-US/22443b56-0845-459a-b1cf-339b684f8f90/2008-r2-certificate-authority-in-place-upgrade-to-2012-r2

For any question, please feel free to contact us.

Best regards,
Hannah Xiong

· 5
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

If we do a new server, and migrate CA to it, what would be the step to move Root CA? Will there be any down time?

Thanks
ML

0 Votes 0 ·
HannahXiong-MSFT avatar image HannahXiong-MSFT NamlessShelter-6097 ·

Hello,

Thank you so much for your kindly reply.

To migrate CA to the new server, the basic steps would be as shown below:

     • Backing up a CA database and private key
 • Backing up CA registry settings
 • Backing up CAPolicy.inf
 • Removing the CA role service from the source server
 • Removing the source server from the domain
 • Joining the destination server to the domain
 • Adding the CA role service to the destination server
 • Restoring the CA database and configuration on the destination server

For more information, please refer to:

https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486797(v%3dws.11)

Yesh, there will be some down time. It is suggested to do the migration during the off-work time to avoid any issues.

Best regards,
Hannah Xiong

0 Votes 0 ·

Thanks for the Tips.

If CA server 2012 is damaged during the in place upgrade or offline for more than 2 days, will everything on the network re-connect successfully after we restored it from the snapshot?

Thanks a lot,
ML

0 Votes 0 ·

Hi Hannah,

Hope you are well. I have decided to go with CA migration (Not in-place Upgrade)

Got Four simple questions:

With the new Server 2019, do we need to have the same name with old windows 2012 server "CS01"? or Any Name will do?

We are running Aruba Clearpass Wifi Radius System, all of our Windows and Mac machines are using this CA for 802.1x authentication, if the old CA server is taken off for that moment, all devices will not be able to authenticate with Wifi?

On AD, the Old CA server will be taken off, and new CA server will be added automatically to "Cert Publisher" group?

Also, if you see this article: https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

In the last step mentioned in this link, it mentioned "Right click on Certificate Templates Folder > New > Certificate Template to Reissue", what exactly does this do? What if I ignore it?

0 Votes 0 ·

Any update please?

0 Votes 0 ·