I have quite a few things going on at work at the moment. We are retiring an old Windows 2003 domain controller and bringing in a fresh new Server 2008 R2 DC as its replacement. This old server had many things on it which needed to be migrated off. Microsoft Certificate Authority was one of them. At first I was a little tentative about doing this because Microsoft Certificate Service is something I have never been completely comfortable with. I mean, I can install it, configure it, manage it but I am by no means an advanced user. Alright, enough of my story, here’s how you do it.
NOTE: This article with describe the process of migrating your Active Directory Root Certificate Authority from a domain controller running Windows Server 2003 to Windows Server 2008 R2. If your scenario differs, please refer to this Microsoft article here ( https://www.microsoft.com/downloads/details.aspx?FamilyID=c70bd7cd-9f03-484b-8c4b-279bc29a3413&displaylang=en )
STEP 1, in the event something goes wrong, what is the first thing we are supposed to do? That’s right, ensure you have a valid, working backup of your ENTIRE system just to be safe.
STEP 2, make a backup of your source CA.
Start-> Run –> mmc –> OK –>
Add/Remove Snap-ins –> Add –> Certification Authority –> Add- > Local Computer –> Finish –> Close –> OK
This takes you into the Certification Authority Backup Wizard. Click Next on the first screen.
In the “Items to back Up” screen, select Private key and CA Certificate as well as Certificate database and certificate database log. Under “Back up to this location”, give it a path to an EMPTY folder for you to store your backup in. In the next screen, Select a Password, type in and confirm the password you are going to use for the backup and restore password for your CA, and don’t make this easy, still make it secure, remember what your backing up now.
Click Finish on the Completing the Certification Authority Backup Wizard.
Copy your backup directory to your new CA server.
STEP 3 Remove Certificate service from the source server.
This is done through Add/Remove Windows Components. I am not going to do a step by step here. Open it up, uncheck the box and click next, this part is easy enough.
STEP 4 Install Active Directory Certificate Services on your destination server.
Open Server Manager and click on Roles –> Add Roles
Choose Active Directory Certificate Services and click next.
Click Next on “Introduction to Active Directory Certificate Services”.
In this guide, I am only covering installing Certification Authority, so on “Select Role Services” leave only Certification Authority checked. Click Next.
Choose Enterprise and click Next.
Choose Root CA and click Next.
Under “Set Up Private Key”, choose “Use existing private key” and under that, choose “Select a certificate and use its associated private key” and click Next.
On Select Existing Certificate, click Import, browse for your CA Backup from the source computer. Select the p12 file in the root of the backup folder and type in the password you created during the backup process. Click OK. Now select the certificate you just imported and click Next.
On “Configure Certificate Database”, leave this default and click Next.
On the Confirm Installation Selections, confirm everything looks as it should and click install.
When the wizard finishes, click close.
STEP 5 Restore your backup.
Open Server Manager and expand the tree on the left to open Active Directory Certificate Services.
Right click on your CA –> All Tasks –> Restore CA
This will stop Active Directory Certificate Services and bring up the “Welcome to the Certification Authority Restore Wizard”. Click Next.
In the “Items to Restore” page, select both check boxes and give the full path to the root of your CA backup folder you created. Click Next.
On the next page, type in the password you created during your CA backup. Click Next.
Click finish on the “Completing the Certification Authority Restore Wizard” page.
You will be greeted with a warning that your restore is complete and it will ask you if you want to start Active Directory Services. Unless you did incremental backups which you need to restore, click Yes.
That’s it, your done. Check to make sure everything looks and runs normally. Check the event log for errors and also attempt to enroll new certificates with the new server. Republish your CRL too.
Now that wasn’t so hard, was it?