How to move or migrate Certification Authority from DC 2019 to other DC 2019

MPEG 336 Reputation points
2020-07-29T15:14:35.72+00:00

Hi,

I have two DCs with WK 2019 server and want to move or migrate to the other DC with WK 2019 server.
Both DCs are with WK 2019 server.

regards

Nick

Windows Server Security

Accepted answer
  1. MPEG 336 Reputation points
    2020-08-04T19:18:42.493+00:00

    I think all your solutions were wrong. I have only renamed the new DC with WK2019 like my WK 2008 R2 and restored the CA again, and here we go, the issue went away.

8 additional answers

  1. MPEG 336 Reputation points
    2020-07-29T21:01:59.077+00:00

    It is for WK2008R2 to WK 2019. Are those the same steps?

  2. MPEG 336 Reputation points
    2020-07-29T21:17:47.41+00:00

    Me again. My issue is that I first moved it from the WK 2008R2 to the WK2019 DC. Now the Exchange server displays that the certificate is failed because it was created with the WK2008R2 DC. My old DC with WK2008R2 was called "srv" and the Exchange certificate is pointed to "srv". I am not sure, do I need to create a new certificate for Exchange or can I move back my Certification Authority the new DC with WK 2019? Because my new WK2019 DC is called "srv".

  3. Daisy Zhou 19,276 Reputation points Microsoft Vendor
    2020-07-30T05:13:19.207+00:00

    Hello MPEG,

    Thank you for posting here.

    1. When migrating a CA, the computer name of the target computer can differ from the computer name of the source computer, but the CA name must stay the same.
    2. By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions that include the CA computer host name in the path. This means any certificates issued by the CA before migration may contain certificate validation paths that contain the old host name. These paths may no longer be valid after the migration. To avoid revocation checking errors, the new CA must be configured to publish CRLs to the old (pre-migration) path as well as the new paths.
    3. We can check the CA health by opening PKIview.msc; if all the Status values there are OK, that means the CA is healthy.

    Please confirm:

    1. So you have a 2008R2 DC named "SRV" and a new 2019 DC named "SRV", is that right? If so, the 2008 R2 DC named SRV should be removed from the domain, because we cannot put two machines with the same name in the same domain.
    2. Based on "Now exchange server displays that the certificate is failed", what is failed? Is certificate revocation checking failed?
    3. Based on "the exchange certificate is pointed to "srv"", do we mean the exchange certificate is issued by srv?
    4. What is your CA name?

    Best Regards,
    Daisy Zhou
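
An added example for point 2 of the answer above (not part of the original answer): it lists the CRL distribution point URLs embedded in a certificate issued before the migration and reports whether the migrated CA still publishes to a location that names the old host. `OLDCA01` and the certificate path are placeholders, and the script assumes it runs elevated on the new CA with the ADCSAdministration module installed.

```powershell
# Added example. $CertPath and $OldHostName are placeholders, not values from the thread.
param(
    [string]$CertPath    = 'C:\Temp\issued-before-migration.cer',
    [string]$OldHostName = 'OLDCA01'
)

Import-Module ADCSAdministration

# 1. Read the CRL Distribution Points extension (OID 2.5.29.31) from the old certificate.
$cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { throw "No CRL Distribution Points extension found in $CertPath" }

# Format($true) renders each distribution point as a "URL=..." line (Windows formatting assumed).
$certUrls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
    ForEach-Object { $_.Groups[1].Value }

# 2. Locations the migrated CA actually writes CRLs to.
$published = Get-CACrlDistributionPoint | Where-Object { $_.PublishToServer }

# A location using the <ServerShortName> token now expands to the NEW host name,
# so the old path is only covered if an entry names the old host literally.
$oldHostPattern   = [regex]::Escape($OldHostName)
$oldPathPublished = [bool]($published | Where-Object { $_.Uri -match $oldHostPattern })

# 3. Report each URL that existing certificates will keep asking for.
foreach ($url in $certUrls) {
    $usesOldHost = $url -match $oldHostPattern
    [pscustomobject]@{
        CertificateCdpUrl = $url
        ContainsOldHost   = $usesOldHost
        StillPublished    = if ($usesOldHost) { $oldPathPublished } else { 'n/a' }
    }
}

# 4. End-to-end check: have Windows fetch every CDP and AIA URL in the certificate.
certutil -verify -urlfetch $CertPath
```

A row with `ContainsOldHost` true and `StillPublished` false is the situation the answer describes: clients holding that certificate look for a CRL at a path the new CA no longer updates.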


  4. MPEG 336 Reputation points
    2020-07-30T09:31:36.69+00:00

    Hi,

    I don't have a DC with 2008R2 any more; it is demoted and the DC is called "SRV1". Before I demoted the WK 2008R2, I migrated my CA to the new DC with WK 2019 server successfully.

    If I go to run https://mydcname/certsrv, I cannot access the new CA.

    Regards