Failed migration of Certificate Authority (CA) from Windows 2008 R2 to Windows 2012 R2
Good afternoon, dear reader!
I will tell you about the nightmare I experienced while migrating a CA from Windows 2008 R2 to Windows 2012 R2. There are a lot of articles on this subject on the internet, and there shouldn't have been any problems.
Unfortunately, I'm not really a Windows admin, I'm more of a *nix admin, but the CA migration task was assigned to me, so it had to be done.
Under the cut, I'll tell you how I went through this process and ended up with not exactly a happy end.
So, let's go ...
Source data:
- Source: Windows 2008 R2 with Root CA
- Target: Windows 2012 R2

The Windows 2012 R2 server was already installed and minimally configured.
Initially, the action plan was as follows (shortened actions):
- Back up the CA + private key and copy the backup to a share accessible to both computers
- Remove the target from the domain and change its IP
- Take a server snapshot
- Change the IP on the source
- Log in to the new Windows 2012 R2 server as administrator, join it to the domain under the same name, and assign the old IP
- Install the Active Directory Certificate Services role (CA, CA Web Enrollment, NDES, Online Responder)
- Specify that this is an Enterprise CA
- Restore the CA + private key from the backup
- Happy end
You'll agree, there is nothing complicated here. So I started the implementation. In fact, there were no problems and everything went like clockwork ... The service started, the Certificate Templates appeared, and the certificates themselves appeared. In general, everything was OK. So I went to sleep. In the morning, there were no complaints about the CA, so I thought that everything was working and set about other tasks. In the process of solving them, I needed a certificate. I created a .csr and clicked on the vm_ca/certsvc link to sign it and receive a certificate, and this is where the error occurred. Unfortunately, I did not take a screenshot, but it mentioned a user information mismatch and some other errors. Well, here we go, I thought. I started to google, but unfortunately I did not find anything intelligible.
In the evening, we decided to remove the CA from Windows 2012 R2 and install everything again, and I made a mistake: instead of Enterprise CA I chose the Standalone CA option (I only learned about my mistake later). I did all the operations again ... everything went without errors, but when I selected the Certificate Templates folder, I got "Element not found", although if I selected Manage, the templates were in place.
I thought that there were not enough rights on CN=Certificate Templates, so using ADSI Edit I gave Read to vm_ca$. I restarted CertSvc and ... the result: "Element not found".
Then I was sad for 2 hours at night ... and the CA still did not work. I turned off the Windows 2012 R2 CA and restored the Windows 2008 R2 CA VM from the snapshot. I rejoined the server to AD (because when I tried to log in with a domain account, I got an error about the relationship between the server and AD).
Well, I thought ... everything will be OK now, but alas ... Certificate Templates still gave me "Element not found". I left everything until morning, for morning is wiser than evening.
In the morning I googled and, after reading all kinds of articles, decided to reinstall the CA on the old server in the hope of solving the "Element not found" problem and getting certificate issuance via the Web working.
The process is quite simple:
- Remove the CA role
- Reboot
- Wait for the removal process to complete
- Add the CA role (select CA, CA Web Enrollment, NDES, Online Responder)
- Specify that this is an Enterprise CA and that I have a private key
- Wait for the installation to finish and restore everything from the backup made at the very beginning
- As usual, everything goes smoothly: no errors, and the service started
With a sinking heart, I clicked on Certificate Templates, and ... I was given a list. This was already a small victory. It remained to verify that issuing a certificate via the Web worked. I followed the link vm_ca/certsvc, clicked on Request a Certificate and then advanced certificate request ... I submitted the .csr request and got the finished certificate. I give out ... I managed to restore the CA.
Conclusions:
- Be sure to take a backup and a snapshot
- Document your actions - this will help to get everything back or find the error faster
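
As an added example (not from the original post), this PowerShell check can be run on the CA server after installing the role and restoring the backup, to catch the Standalone-instead-of-Enterprise mistake described above before anyone needs a certificate. It assumes the default AD CS registry location and the built-in `certutil`; the function name `Test-MigratedCA` is made up for this illustration.

```powershell
# Added example, not from the original post. Run in an elevated prompt on the CA server.
# CAType values as AD CS stores them in the registry (ENUM_CATYPES).
$CaTypeNames = @{
    0 = 'Enterprise Root CA'
    1 = 'Enterprise Subordinate CA'
    3 = 'Standalone Root CA'
    4 = 'Standalone Subordinate CA'
}

function Test-MigratedCA {   # hypothetical helper name
    $cfgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $problems = @()

    # "Active" names the CA; its settings live in the subkey of the same name.
    $caName = (Get-ItemProperty -Path $cfgKey -Name Active -ErrorAction Stop).Active
    $caKey  = Join-Path $cfgKey $caName
    $caType = [int](Get-ItemProperty -LiteralPath $caKey -Name CAType -ErrorAction Stop).CAType

    # Certificate Templates only exist on an Enterprise CA (types 0 and 1).
    if (@(0, 1) -notcontains $caType) {
        $problems += "CA type is '$($CaTypeNames[$caType])'; templates need an Enterprise CA"
    }

    if ((Get-Service -Name CertSvc).Status -ne 'Running') {
        $problems += 'CertSvc service is not running'
    }

    # List the templates the CA is configured to issue; non-zero exit code means failure.
    $templates = & certutil.exe -CATemplates 2>&1
    if ($LASTEXITCODE -ne 0) {
        $problems += "certutil -CATemplates failed: $($templates | Select-Object -Last 1)"
    }

    New-Object PSObject -Property @{
        CAName   = $caName
        CAType   = $CaTypeNames[$caType]
        Healthy  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

Test-MigratedCA | Format-List
```

Running it right after each install or restore, and saving the output with the migration notes, gives a record of which CA type was actually configured at each step.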
P.S. I still have to try the CA migration from Windows 2008 R2 to Windows 2012 R2 again.