Configure Active Directory Certificate Services Again
As businesses look at phasing out legacy Windows Server versions, core services may need to be moved or migrated to new Windows Server versions. One service you may need to move is Active Directory Certificate Services (AD CS). Let's see how to migrate AD CS from Windows Server 2008 R2 to 2019.
The migration of AD CS to a new server involves the following tasks:
- Back up the current AD CS server CA database and configuration.
- Back up the current AD CS server registry key.
- Remove the AD CS role from the current Windows Server.
- Install the AD CS role on your new Windows Server.
- Restore the backup configuration and registry key on the new AD CS server.
To follow the steps below, you need to be running Windows Server 2008 R2 or higher. If you are on Windows Server 2008, you will need to upgrade to Windows Server 2012 before proceeding.
Windows Server 2008 R2 AD CS server
1. Back up the current AD CS database and configuration
The process to back up your current AD CS server CA database and configuration is straightforward. It can be accomplished using the AD CS management console or the certutil command-line utility in Windows Server 2008 R2. In the console, under Administrative Tools > Certification Authority, right-click the server name and select All Tasks > Back up CA.
Start the backup process for AD CS in Windows Server 2008 R2
Select this option to start the Certification Authority Backup Wizard. Click Next.
The AD CS backup wizard begins
On the next screen, select the items to back up. Select the Private key and CA certificate and the Certificate database and certificate database log options. Finally, enter a path in the Back up to this location box.
Select the items to back up and the backup location
You will see a dialog box asking to create the directory. Click OK.
Enter the password for the AD CS backup
Enter a password to secure the private key and the CA certificate file.
Enter the password for the AD CS backup
The AD CS backup wizard is completed successfully.
Finish the backup of AD CS
Using the certutil command, you can perform the same operation with the following:
`certutil -backup c:\<path to backup>`
You will be asked to enter and confirm the password for the AD CS backup.
Back up AD CS using the certutil command
2. Back up the AD CS server registry key
The next step is to back up the CertSvc key located at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc
Why is this necessary if we have backed up the private key and the certification authority database? The registry key contains the Certification Authority configuration settings, such as the CRL and AIA locations. To back up the registry key, open regedit and perform the following steps:
- Navigate to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc.
- Right-click CertSvc and select Export.
Exporting the Active Directory Certificate Authority CertSvc registry key
3. Remove the AD CS role from the current Windows Server
Next, remove the AD CS role from the server hosting AD CS.
Remove the AD CS role
Confirm the removal of the AD CS role service.
Confirm removal selections in the Remove Server Role wizard
After the role is removed, you will need to restart the AD CS server.
Removal complete; restart the server
4. Install the AD CS role on your new Windows Server
Since the role is removed from the old Windows Server, we can install it on the new. On the new Windows Server, open Server Manager, select the server, and click Next.
Beginning the Add Roles and Features Wizard to add AD CS
Select the Active Directory Certificate Services checkbox.
Select Active Directory Certificate Services
Add the required features.
Add features required for AD CS
Click Next on the Select features screen.
Select features in the Add Roles and Features Wizard
Click Next on the AD CS Overview screen. Add the AD CS role services. Here, I am selecting:
- Certification Authority
- Certificate Enrollment Policy Web Service
- Certificate Enrollment Web Service
- Certification Authority Web Enrollment
Adding the role services to install for AD CS
Click Next on the Web Server Role (IIS) screen.
Web Server Role IIS overview
Install the services you need for your environment. Here, I leave the defaults selected.
Select the role services needed for Web Server Role IIS
Confirm the installation of roles and role services.
Confirm installation of CS
The installation is successful.
Installation of CS is successful in Windows Server 2019
If you try to open the Certification Authority management console on the new server before finishing the configuration in Server Manager, you will see the error below. It just means you need to finish the setup of AD CS.
Certification Authority management console error
Run the post-deployment configuration of AD CS.
Launching the post deployment task for CS
On the post-deployment page, enter the credentials for configuring role services.
AD CS configuration credential
You won't be able to configure services other than the Certification Authority. So you must first configure the Certification Authority and then go back and configure the Web Service.
Configure AD CS role services
Choose Enterprise CA.
Specify the setup type of the CA
Choose Root CA.
Specify root or subordinate CA
Here, select Use existing private key.
Use existing private key during the configuration of AD CS
Select your existing private key created in your legacy AD CS server backup. Copy this to your server beforehand so you have access to the key. Click Import.
Import the existing certificate for the CA
Browse to the key. Enter the password used to back up the key and AD CS configuration.
Specify the file name and password for the existing certificate
Click the certificate name. You can also select the "Allow administrator interaction when the private key is accessed by the CA" option as a security enhancement. This checkbox enables strong private key protection. With this selected, you will have to enter administrator credentials each time a private key is used, when a new certificate or CRL is issued, or when the service starts.
Verify the imported certificate
Choose the location for the CA database.
Select the database location for AD CS
Review the configuration.
Confirmation of the AD CS install operation
The configuration is successful.
Installation and configuration succeeded for AD CS services on the new Windows Server
You will be prompted to finish an additional post-deployment configuration. You can go back into the post-configuration wizard and configure the web services portion of the new server.
Configure additional Certification Authority role services
Review the CA for Certificate Enrollment Web Services.
Configure additional Certification Authority role services
The configuration is successful.
After configuration of the AD CS Web Services
5. Restore the backup configuration and registry key on the new AD CS server
Now, let's restore the backup taken from the Windows Server 2008 R2 server. Stop the AD CS service to restore the AD CS backup.
Stop the AD CS service before restoring
Choose Restore CA.
Restore the CA from the Certification Authority console
This begins the Restore Wizard.
Beginning the AD CS restore wizard
Select the checkboxes for Private key and CA certificate and Certificate database and certificate database log. In addition, choose the folder from which to restore.
Choose the items to restore and the location from which to restore them
Provide the password used during backup.
Enter the restore password for the backup
Click Finish to complete the restore wizard.
Completing the AD CS restore wizard
Select No to the prompt to start the service. We need to restore the registry key.
Restore finished prompt for service restart
Browse to the registry key backup you created from the original AD CS server. Right-click and select Merge.
Merge the registry key from the old Active Directory Certificate Services server
After the registry merge is successful, start the AD CS service.
Start the AD CS service on the new AD CS server
At this point, you should be able to see the new Active Directory Certificate Services server running without issue, as well as your issued certificates and other data as it was before the server migration. Due to the restore, the CA configuration will retain the CA name of the former server.
The new Certificate Services Server maintains the name of the old AD CS server
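Steps 1 and 2, plus a check for the copy to the new server, scripted as an added example that is not part of the original article: it wraps the `certutil -backup` command shown earlier and a `reg export` of the CertSvc key, then writes a SHA-256 manifest that can be verified before the restore. The function names and the `manifest.csv` and `CertSvc.reg` file names are assumptions.

```powershell
# Added example. Function names, manifest.csv and CertSvc.reg are illustrative.
$CertSvcKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc'

function Get-Sha256([string]$Path) {
    # .NET hashing, so it also runs on the PowerShell 2.0 that ships with 2008 R2
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
}

function Backup-CaForMigration([string]$BackupDir) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $root = (Resolve-Path $BackupDir).Path

    # Step 1: CA database, logs, private key and CA certificate.
    # certutil prompts for the backup password interactively.
    certutil -backup $root
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed ($LASTEXITCODE)" }

    # Step 2: CA configuration settings such as the CRL and AIA locations.
    reg export $CertSvcKey (Join-Path $root 'CertSvc.reg') /y
    if ($LASTEXITCODE -ne 0) { throw "reg export failed ($LASTEXITCODE)" }

    # Hash every backup file so the copy can be checked on the new server.
    $rows = @(Get-ChildItem $root -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'manifest.csv' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
                Sha256       = Get-Sha256 $_.FullName
            }
        })
    $rows | Export-Csv (Join-Path $root 'manifest.csv') -NoTypeInformation
}

function Test-CaBackup([string]$BackupDir) {
    # Run on the new server after copying the folder, before Restore CA and Merge.
    $root = (Resolve-Path $BackupDir).Path
    $bad = @(Import-Csv (Join-Path $root 'manifest.csv') | Where-Object {
        $file = Join-Path $root $_.RelativePath
        -not (Test-Path $file) -or (Get-Sha256 $file) -ne $_.Sha256
    })
    $bad | ForEach-Object { Write-Warning "Missing or altered: $($_.RelativePath)" }
    return ($bad.Count -eq 0)
}
```

A manifest stored beside the backup only catches incomplete or corrupted copies; keep a second copy of it elsewhere if you also want to detect tampering. The folder holds the CA private key, so restrict access to it and delete stray copies once the new CA is running.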
Wrapping up
Migrating from an older Windows Server running AD CS is not too difficult if you back up the files needed and restore them after the role service is installed on the destination server.
It allows decommissioning legacy servers that are no longer supported by Microsoft and remaining in a supported condition with a core infrastructure service.
Source: https://4sysops.com/archives/migrate-ad-certificate-services-to-a-new-server/