April 7, 2015 at 14:44Step by step: Migrating Active Directory Certificate Service from Windows Server 2003 to Windows Server 2012 R2
- Transfer
As you should already know, support for Windows Server 2003 and Windows Server 2003 R2 ends July 14, 2015. Knowing this, IT professionals have either already migrated, or this process should be in full swing. This article will describe the steps required to migrate an Active Directory Certificate Service from Windows Server 2003 to Windows Server 2012 R2.
The following settings will be used for demonstration:
We go into Windows Server 2003 under an account from the group of local administrators.
Choose Start - Administrative Tools - Certificate Authority. We
right-click on the server node. Select All Tasks , then Back up CA
The “Certification Authority Backup Wizard” opens and click “Next” to continue.
In the next window, select the items that are highlighted to indicate the desired settings and click “ Browse ” to specify the location to save the backup. Click “Next” to continue.
Next, you will be prompted to enter a password in order to protect the private key and certificate authority certificate file. After entering the password, click “Next” .
The next window will ask for confirmation. If everything is in order - click “ Finish ” to complete the process.
Click Start , then Run . Type regedit and click OK .
Then open HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ CertSvc
Right-click on the “ Configuration ” key and select “ Export ”.
In the next window, specify the path where you want to save the backup file and specify its name. Then click “Save” to complete the backup.
Now we have backup files for the certification authority and we can move these files to the new Windows Server 2012 R2 server.
Теперь, когда готовы резервные файлы и прежде, чем настроить службы сертификации на новом Windows Server 2012 R2, мы можем удалить службы центра сертификации с Windows Server 2003. Для этого нужно проделать следующие шаги.
Щёлкаем Start > Control Panel > Add or Remove Programs
Затем выбираем “Add/Remove Windows Components”
В следующем окне уберите галочку с пункта “CertificateServices” и нажмите “Next” для продолжения
После завершения процесса, вы увидите подтверждение и можете нажать “Finish”
At this stage, we finished working with the certificate authority services on Windows Server 2003 and the next step is to configure and configure the certificate authority on Windows Server 2012 R2.
Log on to Windows Server 2012 R2 as either a domain administrator or a local administrator.
Go to Server Manager> Add roles and features .
Start "the Add roles and features" , click "Next" to continue.
In the next window, select “Role-based or Feature-based installation” , click “Next” to continue.
From the list of available servers, select yours and click “ Next ” to continue.
In the next window, select the “Active Directory Certificate Services” role, install all related components and click “ Next ” .
In the next two windows, click “ Next ” . After that, you will see options for choosing the services to install. We select Certificate Authority and Certification Authority Web Enrollment and click “Next” to continue.
To install the Certification Authority Web Enrollment, you must install IIS . Therefore, in the next two windows, look at a brief description of the role, select the necessary components and click “ Next ” .
Next you will see a confirmation window. If everything is ok, click “ Install ” to start the installation process.
After the installation is completed, you can close the installation wizard and proceed to the next step.
In this step, we will look at how to configure and restore the backup files that we created.
Go to the server with Enterprise Administrator privileges
Go to Server Manager> AD CS
On the right side of the panel you will see a pop-up window, as in the screenshot and click “ More ”
A window will open in which you need to click “ Configure Active Directory Certification Service ...”
A window will open a role setup wizard in which you can change the account. Because we are already logged in with an Enterprise Administrator account , then we will leave what is specified by default and click “ Next ”
The next window will ask what services we want to configure. Select Certificate Authority and Certification Authority Web Enrollment and click “Next” to continue.
This will be Enterprise CA , so in the next window, select Enterprise CA as the installation type and click “ Next ” to continue.
In the next window, select “Root CA” as the CA type and click “ Next ” to continue.
The following setting is very important. If this was a new installation, then we could just create a new private key. But since this is a migration process, we already have a reserved private key. Therefore, here, select the option that is noted in the screenshot and click “ Next ” to continue.
In the next window, click the “ Import ” button .
Here we have the opportunity to select the key that we reserved with Windows Server 2003. We indicate the path to this key and enter the password that we used. Then click OK .
Further, if the import was successful, then we will see our certificate. Select it and click “ Next ”to continue.
In the next window, we can determine the path to the certificate database. I left what is specified by default and click “Next” to continue.
In the next window, all the information for configuration will be provided. If everything is fine, then click “Configuration” to start the process.
After the process is completed, close the configuration wizard.
Now we move on to the most important part of the entire migration process, in which we will restore the backup reserved in Windows Server 2003 CA.
Go to Server Manager> Tools> Certification Authority.
Right-click on the server name and select All Tasks > Restore CA.
Then a warning appears that the certificate service must be installed to continue. Click OK .
The Certification Authority Restore Wizard launches , click “Next” to continue.
In the next window, specify the path to the folder where the backup is located. Then select the same settings as I am in the screenshot. Click “Next ” to continue.
In the next window, you can enter the password that we used to protect the private key during the backup process. After entering, click “Next” to continue.
In the next window, click “ Finish ” to complete the import process.
After successful completion of the process, the system will ask if the certification authority can be launched. Start the service.
When backing up the CA, we also backed up the registry key. Now you need to restore it. To do this, open the folder that contains the reserved registry key. Double-click on it with the left mouse button.
A warning window will appear. Click “ Yes ” to restore the registry key.
Upon completion, you will receive a confirmation of a successful recovery.
We have completed the migration process, and now we need to re-issue the certificates. I had settings for a template in the Windows Server 2003 environment, which was called “ PC Certificate ” , with which certificates were issued for computers included in the domain. Now let's see how I re-issue the template.
Opens the Certification Authority console.
Right-click on the Certificate Templates Folder> New> Certificate Template to Reissue .
From the list of certificate templates, select the appropriate certificate template and click OK .
Now that the certificate template is installed on the computer, it must be set to automatic mode. For verification, I installed a computer with the Windows 8.1 operating system , named it demo 1, and added canitpro.local to the domain . After its first download, on the server I open the certificate authority console and expand the “Issued Certificate” section. There I can see a new certificate that is issued for the computer.
This completes the migration process.
The following settings will be used for demonstration:
| Server name | operating system | Server roles |
|---|---|---|
| canitpro-casrv.canitpro.local | Windows Server 2003 R2 Enterprise x86 | AD CS (Enterprise Certificate Authority) |
| CANITPRO-DC2K12.canitpro.local | Windows Server 2012 R2 x64 |
Step 1. Backing up the configuration and database of the Windows Server 2003 Certificate Authority
We go into Windows Server 2003 under an account from the group of local administrators.
Choose Start - Administrative Tools - Certificate Authority. We
right-click on the server node. Select All Tasks , then Back up CA
The “Certification Authority Backup Wizard” opens and click “Next” to continue.
In the next window, select the items that are highlighted to indicate the desired settings and click “ Browse ” to specify the location to save the backup. Click “Next” to continue.
Next, you will be prompted to enter a password in order to protect the private key and certificate authority certificate file. After entering the password, click “Next” .
The next window will ask for confirmation. If everything is in order - click “ Finish ” to complete the process.
Step 2. Reserving the certificate authority registry settings
Click Start , then Run . Type regedit and click OK .
Then open HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ CertSvc
Right-click on the “ Configuration ” key and select “ Export ”.
In the next window, specify the path where you want to save the backup file and specify its name. Then click “Save” to complete the backup.
Now we have backup files for the certification authority and we can move these files to the new Windows Server 2012 R2 server.
Step 3. Removing the certificate authority service from Windows Server 2003
Теперь, когда готовы резервные файлы и прежде, чем настроить службы сертификации на новом Windows Server 2012 R2, мы можем удалить службы центра сертификации с Windows Server 2003. Для этого нужно проделать следующие шаги.
Щёлкаем Start > Control Panel > Add or Remove Programs
Затем выбираем “Add/Remove Windows Components”
В следующем окне уберите галочку с пункта “CertificateServices” и нажмите “Next” для продолжения
После завершения процесса, вы увидите подтверждение и можете нажать “Finish”
At this stage, we finished working with the certificate authority services on Windows Server 2003 and the next step is to configure and configure the certificate authority on Windows Server 2012 R2.
Step 4. Install Certificate Services on Windows Server 2012 R2
Log on to Windows Server 2012 R2 as either a domain administrator or a local administrator.
Go to Server Manager> Add roles and features .
Start "the Add roles and features" , click "Next" to continue.
In the next window, select “Role-based or Feature-based installation” , click “Next” to continue.
From the list of available servers, select yours and click “ Next ” to continue.
In the next window, select the “Active Directory Certificate Services” role, install all related components and click “ Next ” .
In the next two windows, click “ Next ” . After that, you will see options for choosing the services to install. We select Certificate Authority and Certification Authority Web Enrollment and click “Next” to continue.
To install the Certification Authority Web Enrollment, you must install IIS . Therefore, in the next two windows, look at a brief description of the role, select the necessary components and click “ Next ” .
Next you will see a confirmation window. If everything is ok, click “ Install ” to start the installation process.
After the installation is completed, you can close the installation wizard and proceed to the next step.
Step 5. Configure AD CS
In this step, we will look at how to configure and restore the backup files that we created.
Go to the server with Enterprise Administrator privileges
Go to Server Manager> AD CS
On the right side of the panel you will see a pop-up window, as in the screenshot and click “ More ”
A window will open in which you need to click “ Configure Active Directory Certification Service ...”
A window will open a role setup wizard in which you can change the account. Because we are already logged in with an Enterprise Administrator account , then we will leave what is specified by default and click “ Next ”
The next window will ask what services we want to configure. Select Certificate Authority and Certification Authority Web Enrollment and click “Next” to continue.
This will be Enterprise CA , so in the next window, select Enterprise CA as the installation type and click “ Next ” to continue.
In the next window, select “Root CA” as the CA type and click “ Next ” to continue.
The following setting is very important. If this was a new installation, then we could just create a new private key. But since this is a migration process, we already have a reserved private key. Therefore, here, select the option that is noted in the screenshot and click “ Next ” to continue.
In the next window, click the “ Import ” button .
Here we have the opportunity to select the key that we reserved with Windows Server 2003. We indicate the path to this key and enter the password that we used. Then click OK .
Further, if the import was successful, then we will see our certificate. Select it and click “ Next ”to continue.
In the next window, we can determine the path to the certificate database. I left what is specified by default and click “Next” to continue.
In the next window, all the information for configuration will be provided. If everything is fine, then click “Configuration” to start the process.
After the process is completed, close the configuration wizard.
Step 6. Restoring a reserved CA
Now we move on to the most important part of the entire migration process, in which we will restore the backup reserved in Windows Server 2003 CA.
Go to Server Manager> Tools> Certification Authority.
Right-click on the server name and select All Tasks > Restore CA.
Then a warning appears that the certificate service must be installed to continue. Click OK .
The Certification Authority Restore Wizard launches , click “Next” to continue.
In the next window, specify the path to the folder where the backup is located. Then select the same settings as I am in the screenshot. Click “Next ” to continue.
In the next window, you can enter the password that we used to protect the private key during the backup process. After entering, click “Next” to continue.
In the next window, click “ Finish ” to complete the import process.
After successful completion of the process, the system will ask if the certification authority can be launched. Start the service.
Step 7. Recovering information in the registry
When backing up the CA, we also backed up the registry key. Now you need to restore it. To do this, open the folder that contains the reserved registry key. Double-click on it with the left mouse button.
A warning window will appear. Click “ Yes ” to restore the registry key.
Upon completion, you will receive a confirmation of a successful recovery.
Step 8. Reissue the certificate template
We have completed the migration process, and now we need to re-issue the certificates. I had settings for a template in the Windows Server 2003 environment, which was called “ PC Certificate ” , with which certificates were issued for computers included in the domain. Now let's see how I re-issue the template.
Opens the Certification Authority console.
Right-click on the Certificate Templates Folder> New> Certificate Template to Reissue .
From the list of certificate templates, select the appropriate certificate template and click OK .
Step 9. Testing CA
Now that the certificate template is installed on the computer, it must be set to automatic mode. For verification, I installed a computer with the Windows 8.1 operating system , named it demo 1, and added canitpro.local to the domain . After its first download, on the server I open the certificate authority console and expand the “Issued Certificate” section. There I can see a new certificate that is issued for the computer.
This completes the migration process.