Migrating the AD Certificate Authority Service server role from 2012 R2 to 2022


selahattin şadoğlu

Sep 26, 2023, 1:09:19 PM
to ntsysadmin
Hi,

I will follow the MS link below.

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/move-certification-authority-to-another-server

By the way, we have been using Cisco ISE 802.1x.

But I have some questions.


1 - If the new server has a different computer name, what kind of problems can there be?

2- Have you heard of any issues with migrating from 2012R2 to 2022?

3 - After the migration, the hostname will be different. Can we just add another DNS alias to the new server's IP to make sure there are no problems with certificates referencing the CDP?

4 - Is it required on the new CA server that you add Domain Admins and Enterprise Admins to the local group "Certificate Service DCOM Access"?

5- Would there be any special considerations to keep in mind after I migrate the CA servers?

6 - If things go wrong, would I be able to restore the snapshot?

7 - In that case, how will client machines understand the new certificate, since the client machines are configured with the OLD CA server name?

8 - If it is a must to rename the source server ServerA, what would be your suggestions/recommendations?

9 - Do I need to export the Certificate Templates from the 2012r2 server and import them into the new 2016 server?

10 - Sounds like the best way to ensure some fallback plan (or management peace of mind, anyway) is to disable the NIC on the server hosting the old CA?

11 - Any downtime for this? Considering doing this during the day.

Thanks a ton! I really appreciate all the help and knowledge you’ve shared with the community!

Michael B. Smith

Oct 1, 2023, 3:46:48 PM
to ntsys...@googlegroups.com

[1] if you follow the instructions exactly, it’ll work just fine.

[2] no.

[3] Maybe? The right to do this is with a custom CDP; e.g., pki.fabrikam.com. Using server names is a recipe for future problems.

[4] Only if those groups need the access.

[5] Editing the registry incorrectly can break your CA. If you have a multi-tier CA, you need to start from the root and work down.

[6] Absolutely not supported. And I doubt highly it would work. Too many moving parts are involved.

[7] In what case? You are migrating the CA name. It doesn’t change. Only the DNS-host-name of the computer hosting the CA database changes. It is not supported to change a CA name.

[8] You don’t have to rename the source server.

[9] Templates on enterprise CAs are stored in AD. You will have to republish them on the target CA, but you do not have to “export” anything but the list of names – and doing so is part of the instructions. Templates on standalone CAs are stored in the registry. And in a MSFT environment, the only template you should be using on a standalone CA is the SubCA.

[10] More unsupported territory. You have to literally REMOVE the old CA in order to upgrade it. You should practice this process in a lab, several times, until you are comfortable with the entire process. Or hire someone to help you who has done it before and is comfortable with the process.

[11] Yes. If you have an integrated CDP, then it’s down until it’s re-installed and DNS is updated on the new CDP server. And obviously, certificates can’t be requested at any time during the upgrade process.

Thanks.

Regards,

Michael B. Smith

Managing Consultant

Smith Consulting, LLC

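Answer [3] recommends a custom CDP such as pki.fabrikam.com instead of the server name. The following added example (not from the thread or from Microsoft's migration article) audits a CA's CDP and AIA URLs for ones bound to the machine name and shows how the alias-based entries are added with the ADCSAdministration module that ships with the CA role; it assumes the alias pki.fabrikam.com from the thread and a /pki/ virtual directory behind it, and must run elevated on the CA.

```powershell
# Added example, not the thread's own procedure. Audits CDP/AIA URLs for host-bound
# entries and adds alias-based ones; assumes alias pki.fabrikam.com serves /pki/.
Import-Module ADCSAdministration

$hostName = [System.Net.Dns]::GetHostName()
$alias    = 'pki.fabrikam.com'   # alias named in the thread; DNS and web server assumed

# 1. Flag URLs that break when the CA moves to a host with a different name.
#    <ServerDNSName> inside a file name is host-bound as well, so it is flagged too.
$urls = @(Get-CACrlDistributionPoint) + @(Get-CAAuthorityInformationAccess)
foreach ($u in $urls) {
    $bound = ($u.Uri -match [regex]::Escape($hostName)) -or ($u.Uri -match '<ServerDNSName>')
    '{0,-5} {1}' -f ($(if ($bound) { 'HOST' } else { 'ok' }), $u.Uri)
}

# 2. Publish through the alias. Only certificates issued after this change carry the
#    alias URLs; already-issued certificates keep the old ones until renewed, so the
#    old locations must stay reachable until then.
$crlUrl = "http://$alias/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl"
$aiaUrl = "http://$alias/pki/<CaName><CertificateName>.crt"
if (-not ($urls.Uri -contains $crlUrl)) {
    Add-CACrlDistributionPoint -Uri $crlUrl -AddToCertificateCdp -AddToFreshestCrl -Force
}
if (-not ($urls.Uri -contains $aiaUrl)) {
    Add-CAAuthorityInformationAccess -Uri $aiaUrl -AddToCertificateAia -Force
}

# The CA reads these settings at start; republish the CRL so the new location is live.
Restart-Service CertSvc
certutil -crl
```

These cmdlets change only the CA's configuration; the DNS record for the alias and the web server (or file share with -PublishToServer) that actually serves the CRL and CA certificate files are separate steps.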

maxcoder1

Oct 2, 2023, 11:49:58 AM
to ntsys...@googlegroups.com
Thanks again. Lastly, let's say I have a workflow like below.

Old CA Server (2012R2 machine)
ip address : 10.90.10.11
hostname : CNTCA01
After uninstalling the CA, I renamed the server, changed the IP and switched it off.
ip address : 10.90.10.13
hostname : CNTCA01_OLD

NEW CA Server (2022 machine)
ip address : 10.90.10.12
hostname : CNTCA02
After powering off the old machine, I will change the IP address & hostname like below.
ip address : 10.90.10.11 (same as old machine)
hostname : CNTCA01 (same as old machine)

After that, install ADCS and follow the instructions to restore.

Correct?

Get-ADDomain | fl Name,DomainMode
Name : contoso
DomainMode : Windows2016Domain

Get-ADForest | fl Name,ForestMode
Name : contoso.local
ForestMode : Windows2016Forest

Michael B. Smith

Oct 2, 2023, 1:09:26 PM
to ntsys...@googlegroups.com

At a thousand foot view, that appears to be the proper process.

Brian Illner

Nov 7, 2023, 3:15:12 PM
to ntsys...@googlegroups.com

Have you gone through this process yet? We're still in the testing phase ourselves and running into all kinds of small issues.

Latest one is "ADCS could not use the default provider for encryption keys. Keyset does not exist 0x80090016 (NTE_BAD_KEYSET)"

 

BRIAN ILLNER

 

Senior Systems Administrator

864.250.9227 Office

864.679.2537 Fax

Canal Insurance Company

101 N. Main Street, Suite 400

Greenville, SC 29601

WARNING:  As the information in this transmittal (including attachments, if any) may contain confidential, proprietary, or business trade secret information, it should only be reviewed by those who are the intended recipients.  Unless you are an intended recipient, any review, use, disclosure, distribution or copying of this transmittal (or any attachments) is strictly prohibited.   If you have received this transmittal in error, please notify me immediately by reply email and destroy all copies of the transmittal.  While Canal believes this transmittal to be free of virus or other defect, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by Canal (or its subsidiaries and affiliates) for any loss or damage arising therefrom.


Michael B. Smith

Nov 7, 2023, 3:19:40 PM
to ntsys...@googlegroups.com

There are changes. What is the default provider?

certutil -getreg ca\EncryptionCSP\Provider

Brian Illner

Nov 8, 2023, 8:32:54 AM
to ntsys...@googlegroups.com

They're both showing the same: Microsoft Software Key Storage Provider

I performed the registry export and import, so those settings should have come over.

Brian Illner

Nov 8, 2023, 10:40:11 AM
to ntsys...@googlegroups.com

We aren't actively using those certs to encrypt anything that I am aware of, but I'm concerned that something either didn't migrate over, or we have something misconfigured.

In the CA, if I attempt to add a Recovery Agent on the test migration server, it gives me this message.

The live production one shows certificates in the computer's Personal store as expected.

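The NTE_BAD_KEYSET error Brian reports means the CA is referencing a key container the configured provider cannot open. The following added check (not from the thread) reads the same registry values Michael's certutil -getreg command reads, then verifies that every CA certificate listed in the CA's configuration is present in LocalMachine\My with a private key the provider can actually open, and finally asks for the CA exchange certificate, whose key is created with the EncryptionCSP provider and which the Recovery Agents dialog depends on. Assumes an RSA CA; run elevated on the restored CA.

```powershell
# Added example, not the thread's own procedure: post-restore key sanity check for a CA.
$root   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty $root).Active
$cfg    = Join-Path $root $caName

# Same values that certutil -getreg ca\CSP\Provider and ca\EncryptionCSP\Provider show.
"CA                  : $caName"
"Signing provider    : " + (Get-ItemProperty "$cfg\CSP").Provider
"Encryption provider : " + (Get-ItemProperty "$cfg\EncryptionCSP").Provider

# CACertHash lists every CA certificate the CA has used (renewals included) as
# space-separated hex thumbprints; each must map to a cert whose key can be opened.
foreach ($hash in (Get-ItemProperty $cfg).CACertHash) {
    $thumb = ($hash -replace '\s', '').ToUpper()
    $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
    if (-not $cert)                { "$thumb : certificate MISSING from LocalMachine\My"; continue }
    if (-not $cert.HasPrivateKey)  { "$thumb : no private key associated"; continue }
    try {
        # Opening the key is the step that fails with NTE_BAD_KEYSET when the
        # container did not come across with the restore.
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        "$thumb : key OK ($($key.KeySize)-bit, $($key.GetType().Name))"
    } catch {
        "$thumb : key ERROR - $($_.Exception.Message)"
    }
}

# The CA exchange certificate is generated on demand with the EncryptionCSP settings;
# if that provider cannot create or open the key, this fails the same way the UI does.
certutil -cainfo xchg
```

The key type printed (RSACng versus RSACryptoServiceProvider) tells you whether the key actually lives in a KSP or a legacy CSP, which is worth comparing against the provider names printed at the top.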