As you may be aware, support for both Windows Server 2003 and 2003 R2 is coming to end on July 14th 2015. With this in mind, IT professionals are in midst of planning migration. This guide will provide steps on migrating AD CS from Windows Server 2003 to Windows Server 2012 R2.
In this demonstration I am using following setup.
Windows Server 2003 R2 Enterprise x86
AD CS ( Enterprise Certificate Authority )
Windows Server 2012 R2 x64
Step 1: Backup Windows Server 2003 certificate authority database and its configuration
1. Log in to Windows 2003 Server as member of local administrator group
2. Go to Start > Administrative Tools > Certificate Authority
3. Right Click on Server Node > All Tasks > Backup CA
4. Then it will open the “Certification Authority Backup Wizard” and click “Next” to continue
5. In next window click on check boxes to select options as highlighted and click on “Browse” to provide the backup file path location where it will save the backup file. Then click on “Next” to continue
6. Then it will ask to provide a password to protect private key and CA certificate file. Once provided the password click on next to continue
7. In next window it will provide the confirmation and click on “Finish” to complete the process
Step 2: Backup CA Registry Settings
1. Click Start > Run and then type regedit and click “Ok”
2. Then expand the key in following path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc
3. Right click on “Configuration” key and click on “Export”
4. In next window select the path you need to save the backup file and provide a name for it. Then click on save to complete the backup
Now we have the backup of the CA and move these files to the new windows 2012 R2 server.
Step 3: Uninstall CA Service from Windows Server 2003
Now we have the backup files ready and before configure certificate services in new Windows Server 2012 r2, we can uninstall the CA services from windows 2003 server. To do that need to follow following steps.
With it we done with Windows Server 2003 CA services and next step to get the Windows Server 2012 CA services install and configure.
Step 4: Install Windows Server 2012 R2 Certificate Services
1. Log in to Windows Server 2012 as Domain Administrator or member of local administrator group
6. In next window click on tick box to select “Active Directory Certificate Services” and it will pop up with window to acknowledge about required features need to be added. Click on add features to add them
13. Once installation completes you can close the wizard.
Step 5: Configure AD CS
In this step will look in to configuration and restoring the backup we created.
1. Log in to server as Enterprise Administrator
9. The next option is very important on the configuration. If its new installation we will only need to create new private key. But since it’s a migration process we already made a backup of private key. So in here select the options as highlighted in screenshot. Then click on next to continue
11. In here it will give option to select the key we backup during the backup process from windows 2003 server. Brows and select the key from the backup we made and provide the password we used for protection. Then click ok
15. Once its completed click on close to exit from the configuration wizard
Step 6: Restore CA Backup
Now it’s comes to the most important part of the process which is to restore the CA backup we made from Windows Server 2003.
8. Once its completed system will ask if it’s okay to start the certificate service again. Please proceed with it to bring service back online
Step 7: Restore Registry info
During the CA backup process we also backup registry key. It’s time to restore it. To do it open the folder which contains the backup reg key. Then double click on the key.
Step 8: Reissue Certificate Templates
We have done with the migration process and now it’s time to reissue the certificates. I had template setup in windows 2003 environment called “PC Certificate” which will issue the certificates to the domain computers. Let’s see how I can reissue them.
1. Open the Certification Authority Snap-in
Step 9: Test the CA
In here I already had certificate template setup for the PC and set it to auto enroll. For the testing purposes I have setup windows 8 pc called demo1 and added it to canitpro.local domain. Once it’s loaded first time in server I open certification authority snap in and once I expanded the “Issued Certificate” section I can clearly see the new certificate it issued for the PC.
So this confirms the migration is successful.