This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 87%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENS%3C/text%3E%3C/svg%3E)
Hi There,
Just need some helps on our CA server.
Currently we are running only CA on a 2012 server box. Now we are thinking to in-place upgrade to server 2016. I know we can migrate CA to a new server 2019. But we just want it done in an easy way.
How feasible it is to upgrade CA server from 2012 to 2016? Any potential issues we might have?
Thanks a lot,
ML
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHX%3C/text%3E%3C/svg%3E)
Hi @Namless Shelter ,
Hope things are going well on your end.
We are checking in to see if the provided information is helpful. If the reply is helpful, we would greatly appreciate it if you would accept it as answer.
Please let us know if you would like further assistance. Thanks.
Best Regards,
Hannah Xiong
Hi @Namless Shelter ,
I would like to know how things are going on your end. If you have any questions or concerns about the latest information I provided, please don't hesitate to let me know.
It's my pleasure to be of assistance and I look forward to hearing from you.
Best regards,
Hannah Xiong
Hello @Namless Shelter ,
You are welcome. Thank you so much for your kindly reply.
If the status of snapshot is fine, we could restore it from the snapshot and everything will be fine.
If the in-place upgrade failed, we could check the log files for further analysis to find out the cause and solution.
Reference: https://support.microsoft.com/en-us/topic/log-files-that-are-created-when-you-upgrade-to-a-new-version-of-windows-9ec8aa31-0cc1-a0b2-2d98-e9c6714349b9
As mentioned, in-place upgrade is not recommended. It is suggested to do the migration of CA server.
For any question, please feel free to contact us.
Best regards,
Hannah Xiong
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Hi Hannah,
Thanks so much,
I actually logged another job: https://learn.microsoft.com/en-us/answers/questions/495297/file-server-2012-in-place-upgrade-to-2016.html
Are you able to have a look as well?
Thanks
Hi @Namless Shelter ,
You are welcome. Thanks for your reply.
I have checked the thread and it is related to file server in-place upgrade. Our engineer from file server will have a look at this thread and provide the professional support for you.
Thank you so much for your understanding and support.
Best regards,
Hannah Xiong
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 22%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMG%3C/text%3E%3C/svg%3E)
I don't understand how this is answers the question
Hello @Namless Shelter ,
Thank you so much for posting here.
Based on my experience, it is easy to migrate the CA directly from the server running Windows Server 2012 to the new server 2016. It is suggested that we could choose to migrate the CA to the new server.
As for the in-place upgrade, we have not experienced this operation before. For more information, we could refer to:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742466(v=ws.10)
Besides, a complete server backup of the CA computer is highly recommended before the upgrade or migration. If we choose to do the in-place upgrade, please make such upgrade in test environment firstly.
The similar discussion here: https://social.technet.microsoft.com/Forums/en-US/22443b56-0845-459a-b1cf-339b684f8f90/2008-r2-certificate-authority-in-place-upgrade-to-2012-r2
For any question, please feel free to contact us.
Best regards,
Hannah Xiong
If we do a new server, and migrate CA to it, what would be the step to move Root CA? Will there be any down time?
Thanks
ML
Hello,
Thank you so much for your kindly reply.
To migrate CA to the new server, the basic steps would be as shown below:
• Backing up a CA database and private key
• Backing up CA registry settings
• Backing up CAPolicy.inf
• Removing the CA role service from the source server
• Removing the source server from the domain
• Joining the destination server to the domain
• Adding the CA role service to the destination server
• Restoring the CA database and configuration on the destination server
For more information, please refer to:
Yesh, there will be some down time. It is suggested to do the migration during the off-work time to avoid any issues.
Best regards,
Hannah Xiong
Thanks for the Tips.
If CA server 2012 is damaged during the in place upgrade or offline for more than 2 days, will everything on the network re-connect successfully after we restored it from the snapshot?
Thanks a lot,
ML
Hi Hannah,
Hope you are well. I have decided to go with CA migration (Not in-place Upgrade)
Got Four simple questions:
With the new Server 2019, do we need to have the same name with old windows 2012 server "CS01"? or Any Name will do?
We are running Aruba Clearpass Wifi Radius System, all of our Windows and Mac machines are using this CA for 802.1x authentication, if the old CA server is taken off for that moment, all devices will not be able to authenticate with Wifi?
On AD, the Old CA server will be taken off, and new CA server will be added automatically to "Cert Publisher" group?
Also, if you see this article: https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674
In the last step mentioned in this link, it mentioned "Right click on Certificate Templates Folder > New > Certificate Template to Reissue", what exactly does this do? What if I ignore it?
Any update please?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 54%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
The new server can have a different name.
Remember to change the hostname in the backup registry file to match the new hostname before importing.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 99%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDW%3C/text%3E%3C/svg%3E)
I upgraded from 2016 to 2022 and could not issue a new cert. Even after restoring a backed up DB.
I reverted to a snapshot to get the CA going again.
I will be doing a fresh build / migration in the future. Thanks for the public support.
Is it better to migrate from 2016 to 2019 or 2022?
@Hannah Xiong
One of the issues I'm finding on my server is that there is no CApolicy.inf file. But I do have a CApolicy.inf.old file.
The server is functioning properly as a CA, currently.
What does the CApolicy file do?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 50%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWT%3C/text%3E%3C/svg%3E)
when you said the ca is functioning properly now, are you referring to your 2022 server or after reverting back to 2012. Im wondering if I should also perform an in place upgrade and do I go from 2012 to 2022 or to 2019.
in my 20 years of PKIing the CApolicy.inf does nothing, it just ads to the complexity of things, you are supposed to put some legal wording in there that nobody ever does