Migrating Windows 2003 Enterprise Certificate Authority to Windows 2008 R2 based CA


Organizations have different reasons and requirements for upgrading or migrating to Active Directory Certificate Services (AD CS). They include:

  • An existing, properly implemented, and operating public key infrastructure (PKI) may require an upgrade to a newer Windows version to make use of new features.
  • Organizations may need to change or optimize their existing PKI. For example, the certification authority (CA) may have been installed on a domain controller, or incorrect configuration options may have been selected. To change the AD CS implementation so that it follows deployment best practices requires migration. In these cases, upgrading is optional and can be performed after the migration has been completed successfully.
  • Microsoft defines and publishes a support lifecycle for each of its products. We recommend upgrading to a newer product before the support lifecycle of a product has ended. For example, CAs running on the Microsoft Windows 2000 Server operating system should be upgraded to Windows Server® 2003 to be supported and can then be upgraded to Windows Server 2008.
  • Company mergers and reorganizations are a challenge for information technology (IT) departments and can be especially challenging for the PKI deployment. A PKI can be affected if organizational changes require naming changes or consolidation, or when encrypted information must be transferred to a new owner and the encryption certificates must be made available to that owner.

The choice between upgrading or migrating an AD CS environment depends on the features and role services that need to be implemented and on the current and desired network environment. The following flow chart will help in selecting the appropriate options and strategies.


In this blog I will demonstrate how to migrate a Windows 2003 based Enterprise CA to a Windows 2008 R2 based CA with the same PKI name and hostname.

Backing up Windows 2003 CA database and configuration

(Steps 1 to 7: figures not reproduced.)

Decommissioning Windows 2003 CA

(Step 1: figures not reproduced.)

Installing Windows 2008 R2 Enterprise CA

(Figures not reproduced; captions: enterprise, existing cert, summary.)

Restoring CA Backup on Windows 2008 R2 CA

(Steps 8 to 12: figures not reproduced.)

Reissue the templates

(Steps 13 and 14: figures not reproduced.)
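As an added example that is not part of the original post, the backup, restore and template re-add named by the section headings above, scripted around certutil.exe and reg.exe, together with the check a same-name migration depends on (the restore is only attempted when the new CA carries the CA name recorded at backup time). The backup folder and the file names inside it are assumptions.

```powershell
# Added example, not from the original post: back up a CA for a same-name migration,
# then refuse to restore onto a CA whose name differs from the one in the backup.
# $BackupDir and the files written into it are assumptions.
$BackupDir   = 'C:\CABackup'
$CaConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Backup-CaForMigration {
    param([string]$Dir = $BackupDir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    # Database, logs and the CA key/certificate (certutil prompts for a PKCS#12 password)
    certutil.exe -f -backup $Dir
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed ($LASTEXITCODE)" }
    # CA settings (CRL/AIA/CDP configuration, validity periods, ...) live in the registry
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$Dir\CertSvcConfig.reg" /y
    if ($LASTEXITCODE -ne 0) { throw "registry export failed ($LASTEXITCODE)" }
    # Record the CA name and the issued template list for the checks after the restore
    (Get-ItemProperty -Path $CaConfigKey).Active | Set-Content "$Dir\CaName.txt"
    certutil.exe -catemplates | Set-Content "$Dir\Templates.txt"
}

function Test-CaNameMatchesBackup {
    param([string]$Dir = $BackupDir)
    $expected = (Get-Content "$Dir\CaName.txt" | Select-Object -First 1).Trim()
    $actual   = (Get-ItemProperty -Path $CaConfigKey).Active
    # The restore only works when the new CA was installed with the same CA name
    # (taken from the existing CA certificate), so stop here if it was not.
    if ($expected -ne $actual) {
        throw "CA name mismatch: backup is for '$expected', this server runs '$actual'"
    }
    return $true
}

function Restore-CaFromMigration {
    param([string]$Dir = $BackupDir)
    Test-CaNameMatchesBackup -Dir $Dir | Out-Null
    Stop-Service -Name certsvc
    certutil.exe -f -restore $Dir
    if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed ($LASTEXITCODE)" }
    # Review the .reg file for paths that differ on the new server before importing it
    reg.exe import "$Dir\CertSvcConfig.reg"
    if ($LASTEXITCODE -ne 0) { throw "registry import failed ($LASTEXITCODE)" }
    Start-Service -Name certsvc
    # Re-add the templates the old CA issued (the "Reissue the templates" step); certutil's own summary line is skipped
    foreach ($line in Get-Content "$Dir\Templates.txt") {
        if ($line -match '^(\w+):' -and $matches[1] -ne 'CertUtil') {
            certutil.exe -SetCATemplates "+$($matches[1])"
        }
    }
}
```

Run Backup-CaForMigration on the Windows 2003 CA before decommissioning it and Restore-CaFromMigration on the Windows 2008 R2 CA after the role has been installed with the existing certificate; both need an elevated session.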

Comments (6)

  1. Anonymous says:

    Thanks.

  2. Andrew says:

    I hear the restore won’t work if the other server has a different name.

  3. Andrew, the restore doesn't work if the CA name is different; in this case you need to maintain the CA name to successfully import settings.

  4. JP says:

    Hi there, is there a way to migrate the CA role and its settings to a dedicated server which has a different server name? Based on some articles, I have seen the limitation with the migration is tied to the original server name, can someone please confirm this limitation? Thanks

  5. greg says:

    I’m afraid our environment is a bit more complex, we have a three tier PKI infrastructure with 2003 32 bit hardware, a RootCA, an IntermediateCA, and then an IssuingCA, I don’t think we can just start at the top and export and import configs all the way down the chain because of our hardware architecture limitations

  6. Geoff says:

    Greg – I am in the same boat. Existing 3 tier 2003. What route did you end up taking?