Step by step: Migrating Active Directory Certificate Service from Windows Server 2003 to Windows Server 2012 R2

Original author: Dishan Francis
As you should already know, support for Windows Server 2003 and Windows Server 2003 R2 ends on July 14, 2015. Knowing this, IT professionals have either already migrated or should have the process in full swing. This article describes the steps required to migrate an Active Directory Certificate Service from Windows Server 2003 to Windows Server 2012 R2.



The following settings will be used for demonstration:

Server name                    | Operating system                       | Server roles
canitpro-casrv.canitpro.local  | Windows Server 2003 R2 Enterprise x86  | AD CS (Enterprise Certificate Authority)
CANITPRO-DC2K12.canitpro.local | Windows Server 2012 R2 x64             |


Step 1. Backing up the configuration and database of the Windows Server 2003 Certificate Authority


Log on to Windows Server 2003 with an account that is a member of the local Administrators group.
Choose Start > Administrative Tools > Certification Authority.

Right-click the server node, select All Tasks, then Back up CA.

The “Certification Authority Backup Wizard” opens; click “Next” to continue.

In the next window, select the items shown in the screenshot (they determine what is backed up) and click Browse to specify the location where the backup is saved. Click “Next” to continue.

Next, you will be prompted for a password to protect the private key and the CA certificate file. After entering the password, click “Next”.

The next window asks for confirmation. If everything is in order, click Finish to complete the process.

Step 2. Backing up the certificate authority registry settings


Click Start, then Run. Type regedit and click OK.

Then open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc
Right-click on the Configuration key and select “Export”.

In the next window, specify the path where the backup file should be saved and give it a name. Then click “Save” to complete the backup.

Now we have the backup files for the certification authority and can move them to the new Windows Server 2012 R2 server.
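The two backups above can also be taken from a script, which makes it easy to verify that nothing was missed before the old server is decommissioned. This is an added example, not part of the original article: it runs certutil.exe and reg.exe (both ship with Windows), assumes PowerShell 2.0 has been installed on the Windows Server 2003 host (it is not present by default), and uses a placeholder backup folder and password.

```powershell
# Added example: scripted equivalent of Steps 1 and 2, run on the Windows Server 2003 CA.
# $BackupDir and $Password are placeholders; choose your own.
param(
    [string]$BackupDir = 'C:\CABackup',
    [string]$Password  = 'CHANGE-ME-strong-passphrase'
)
$ErrorActionPreference = 'Stop'

# certutil -backup refuses a non-empty directory, so create it fresh or check that it is empty.
if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
} elseif (Get-ChildItem -Path $BackupDir) {
    throw "$BackupDir is not empty; certutil -backup needs an empty folder"
}

# Step 1 equivalent: private key + CA certificate (as a .p12) and the certificate database.
& certutil.exe -p $Password -backup $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# Step 2 equivalent: export the CertSvc\Configuration key (reg.exe on 2003 has no /y, so
# remove any stale file first).
$regFile = Join-Path $BackupDir 'CertSvc-Configuration.reg'
if (Test-Path $regFile) { Remove-Item $regFile }
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# Sanity check: the folder must now hold the .p12, the DataBase subfolder and the .reg export.
if (-not (Get-ChildItem -Path $BackupDir -Filter '*.p12')) {
    throw 'No .p12 produced: the private key and CA certificate were not backed up'
}
if (-not (Test-Path (Join-Path $BackupDir 'DataBase'))) {
    throw 'DataBase folder missing: the certificate database was not backed up'
}
if (-not (Test-Path $regFile)) { throw 'Registry export missing' }

Write-Host "Backup complete in $BackupDir. Copy the whole folder to the Windows Server 2012 R2 host."
```

The .p12 file contains the CA's private key, so treat the backup folder with the same care as the CA itself while it is in transit.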


Step 3. Removing the certificate authority service from Windows Server 2003


Now that the backup files are ready, and before we configure Certificate Services on the new Windows Server 2012 R2, we can remove the certification authority services from Windows Server 2003. To do this, follow these steps.
Click Start > Control Panel > Add or Remove Programs

Then choose “Add/Remove Windows Components”

In the next window, clear the Certificate Services check box and click Next to continue

When the process completes, you will see a confirmation and can click Finish

At this stage we have finished with the certificate authority services on Windows Server 2003; the next step is to install and configure the certificate authority on Windows Server 2012 R2.

Step 4. Install Certificate Services on Windows Server 2012 R2


Log on to Windows Server 2012 R2 as either a domain administrator or a local administrator.
Go to Server Manager > Add roles and features.

The Add Roles and Features Wizard starts; click “Next” to continue.
In the next window, select “Role-based or feature-based installation” and click “Next” to continue.
From the list of available servers, select yours and click Next to continue.
In the next window, select the “Active Directory Certificate Services” role, add the related features when prompted, and click Next.

In the next two windows, click Next. After that, you will see the role services available to install. Select Certification Authority and Certification Authority Web Enrollment and click “Next” to continue.

Certification Authority Web Enrollment requires IIS, so the next two windows show a brief description of the Web Server role; select the necessary components and click Next.
Next you will see a confirmation window. If everything is in order, click Install to start the installation.

After the installation is completed, you can close the installation wizard and proceed to the next step.

Step 5. Configure AD CS


In this step, we configure the role and restore the backup files that we created.
Log on to the server with Enterprise Administrator privileges.
Go to Server Manager > AD CS

On the right side of the panel you will see a notification, as in the screenshot; click More.

A window opens in which you click “Configure Active Directory Certificate Services...”

The role configuration wizard opens, and its first window lets you change the account used. Because we are already logged in with an Enterprise Administrator account, leave the default and click Next.

The next window asks which role services to configure. Select Certification Authority and Certification Authority Web Enrollment and click “Next” to continue.

This will be an Enterprise CA, so in the next window select Enterprise CA as the setup type and click Next to continue.

In the next window, select “Root CA” as the CA type and click Next to continue.

The following setting is very important. If this were a new installation, we could simply create a new private key. But since this is a migration, we already have the backed-up private key. Therefore, select the option shown in the screenshot (use the existing private key) and click Next to continue.

In the next window, click the Import button.

Here we can select the key that we backed up on Windows Server 2003. Specify the path to this key and enter the password that we used. Then click OK.

If the import succeeded, we will see our certificate. Select it and click Next to continue.

In the next window, we can set the path to the certificate database. I left the default and clicked “Next” to continue.

In the next window, all the configuration information is summarized. If everything is fine, click “Configure” to start the process.

After the process is completed, close the configuration wizard.

Step 6. Restoring the CA backup


Now we move on to the most important part of the entire migration process: restoring the backup taken from the Windows Server 2003 CA.
Go to Server Manager > Tools > Certification Authority.

Right-click on the server name and select All Tasks > Restore CA.

A warning appears that the certification authority service must be stopped to continue. Click OK.

The Certification Authority Restore Wizard launches; click “Next” to continue.
In the next window, specify the path to the folder where the backup is located, then select the same settings as in the screenshot. Click Next to continue.

In the next window, enter the password that we used to protect the private key during the backup. After entering it, click “Next” to continue.

In the next window, click Finish to complete the import process.
After the process completes successfully, the system asks whether the certification authority service may be started. Start the service.

Step 7. Recovering information in the registry


When backing up the CA, we also exported the registry key. Now it needs to be restored. To do this, open the folder that contains the exported registry key and double-click the .reg file.
A warning window will appear. Click Yes to restore the registry key.

Upon completion, you will receive confirmation that the import succeeded.
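Steps 6 and 7 can likewise be scripted and verified in one go on the new server. This is an added example, not part of the original article: it assumes an elevated PowerShell on the Windows Server 2012 R2 CA after Step 5 has completed, the backup folder copied over with the same placeholder name and password as in the backup example, and that certutil.exe and reg.exe are used in place of the wizards.

```powershell
# Added example: scripted equivalent of Steps 6 and 7 on the Windows Server 2012 R2 CA.
# $BackupDir and $Password are placeholders matching the backup script.
param(
    [string]$BackupDir = 'C:\CABackup',
    [string]$Password  = 'CHANGE-ME-strong-passphrase'
)
$ErrorActionPreference = 'Stop'
$regFile = Join-Path $BackupDir 'CertSvc-Configuration.reg'
if (-not (Test-Path $regFile)) { throw "Registry export $regFile not found in the backup folder" }

# The restore wizard stops the service for you; certutil does not, so stop it explicitly.
Stop-Service certsvc

# Step 6 equivalent: restore key/certificate and database. -f overwrites the empty database
# that Step 5 created.
& certutil.exe -f -p $Password -restore $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed with exit code $LASTEXITCODE" }

# Step 7 equivalent: import the Configuration key exported on the old server.
& reg.exe import $regFile
if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }

# The exported key carries the OLD host name; warn if it does not match this server so it
# can be corrected before the service is started.
$cfgPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$cfg = Get-ItemProperty $cfgPath
if ($cfg.CAServerName -and $cfg.CAServerName -ne $env:COMPUTERNAME) {
    Write-Warning "CAServerName is '$($cfg.CAServerName)' but this host is '$env:COMPUTERNAME'; review $cfgPath"
}

Start-Service certsvc

# Verify: service running and the CA answering requests.
$svc = Get-Service certsvc
if ($svc.Status -ne 'Running') { throw "certsvc is $($svc.Status), expected Running" }
& certutil.exe -ping
if ($LASTEXITCODE -ne 0) { throw 'CA does not answer certutil -ping; check the Application event log' }
Write-Host "Restore complete. Active CA: $($cfg.Active)"
```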


Step 8. Issuing the certificate template again


We have completed the migration process, and now we need to make the certificate templates available for issue again. In the Windows Server 2003 environment I had a template called PC Certificate, which was used to issue certificates to domain-joined computers. Now let's see how I re-enable that template.
Open the Certification Authority console.
Right-click the Certificate Templates folder > New > Certificate Template to Issue.

From the list of certificate templates, select the appropriate template and click OK.


Step 9. Testing CA


Now that the certificate template is published again, domain computers enrol for it automatically. To verify, I set up a computer running Windows 8.1, named it demo 1, and joined it to the canitpro.local domain. After its first boot, I open the Certification Authority console on the server and expand the “Issued Certificates” section. There I can see a new certificate issued for the computer.
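The same check can be made from the client side, which confirms that autoenrollment actually reached the migrated CA rather than only that a certificate appears in the console. This is an added example, not part of the original article: it assumes an elevated PowerShell on the Windows 8.1 client (demo 1) and takes the migrated CA's common name as a placeholder parameter, which is not given in the article.

```powershell
# Added example: verify autoenrollment against the migrated CA from the domain-joined client.
# $CaName is a placeholder; it is the CA's common name as shown by "certutil -dump" on the server.
param([string]$CaName = 'CHANGE-ME-CA-common-name')

# Trigger autoenrollment now instead of waiting for the next Group Policy refresh.
& certutil.exe -pulse | Out-Null
Start-Sleep -Seconds 10

# Machine certificates whose issuer is the migrated CA.
$pattern = 'CN=' + [regex]::Escape($CaName)
$issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -match $pattern }
if (-not $issued) {
    throw "No certificate from '$CaName' in the machine store; check that the template is issued on the CA and that Domain Computers have Autoenroll permission"
}

# Show which template each certificate came from (v1 and v2 template extension OIDs).
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
foreach ($c in $issued) {
    $tpl = $c.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
    $tplText = if ($tpl) { $tpl.Format($false) } else { '(no template extension)' }
    Write-Host ("{0}  Subject={1}  NotAfter={2}  {3}" -f $c.Thumbprint, $c.Subject, $c.NotAfter, $tplText)
}
```

If the script throws, the Application event log on the client (source CertificateServicesClient-AutoEnrollment) usually names the reason the request was not made or was denied.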


This completes the migration process.
