
How to Migrate Certificate Authority from Windows 2008 x86 to Windows 2016

Chris Keim

Updated: Nov 2, 2020



I was recently tasked with migrating to Windows 2016 domain controllers. Easy enough, but one of the old domain controllers had Certificate Authority installed and configured, and that server was a Windows 2008 (not R2) x86 server. There is plenty written about 2008 R2 Certificate Authority migrations, but very little about migrating from Windows 2008 x86.


Ultimately, the solution is to migrate from Windows 2008 x86 to Windows 2012 R2 first, then migrate from Windows 2012 R2 to Windows 2016. Below is the method I used successfully.


Applicable Products

  • Microsoft Windows 2008 Server x86 with Active Directory Certificate Services installed and configured for the enterprise

  • Microsoft Windows 2012 R2 Server

  • Microsoft Windows 2016 Server

Procedure

  1. Back up the existing certificate authority database and private key. Using the Certificate Authority console on the Windows 2008 server, right-click the Certificate Authority name and select All Tasks > Back up CA. When the wizard asks what to back up, select both Private key and CA certificate, and Certificate database and certificate database log.

  2. Back up (export to a .reg file) the following registry key on the Windows 2008 server: HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.

  3. Record the certificate templates the CA currently offers with the following command: certutil.exe -catemplates > c:\bak\catemplates.txt.

  4. Remove the Active Directory Certificate Services role on the Windows 2008 server.

  5. Install the Active Directory Certificate Services role on the Windows 2012 R2 server. Configure Certificate Services as an enterprise CA and use the existing private key backed up from the Windows 2008 server rather than creating a new one.

  6. Restore the private key, certificate database and certificate database log on the Windows 2012 R2 server.

  7. Edit the .reg file exported from the Windows 2008 server and replace the Windows 2008 server name with the Windows 2012 R2 server name. Do not change any Certificate Authority names.

  8. Import the .reg file on the Windows 2012 R2 server.

  9. Restart the Windows 2012 R2 server and verify functionality: confirm the services are started, that previously issued certificates are present in the database, and that a new certificate can be requested.

  10. Back up the certificate authority database and private key on the Windows 2012 R2 server.

  11. Back up (export to a .reg file) the following registry key on the Windows 2012 R2 server: HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.

  12. Remove the Active Directory Certificate Services role on the Windows 2012 R2 server.

  13. Install the Active Directory Certificate Services role on the Windows 2016 server. Configure Certificate Services as an enterprise CA and use the existing private key backed up from the Windows 2012 R2 server rather than creating a new one.

  14. Restore the private key, certificate database and certificate database log on the Windows 2016 server.

  15. Edit the .reg file exported from the Windows 2012 R2 server and replace the Windows 2012 R2 server name with the Windows 2016 server name. Do not change any Certificate Authority names.

  16. Import the .reg file on the Windows 2016 server.

  17. Restart the Windows 2016 server and verify functionality: confirm the services are started, that previously issued certificates are present in the database, and that a new certificate can be requested.
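The backup, .reg edit and verification steps above, as a PowerShell script added here (it is not the author's own script). It assumes C:\bak as the backup folder, the placeholder host names OLD-CA-HOST and NEW-CA-HOST, and that CAServerName under the CA's Configuration subkey is the registry value that records the host name; it edits only that value, because a default CA name often embeds the host name and a global replace would silently rename the CA.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Assumptions: backups go to C:\bak; OLD-CA-HOST / NEW-CA-HOST are placeholders for the
# source and destination host names; CertSvc\Configuration\<CA name>\CAServerName is the
# registry value that records the host name.
$BackupDir = 'C:\bak'
$OldHost   = 'OLD-CA-HOST'
$NewHost   = 'NEW-CA-HOST'
$RegKey    = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Backup-CaState {
    # Steps 1-3 (and 10-11) on the source CA.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    certutil.exe -backup $BackupDir            # database, log and private key; prompts for a password
    if ($LASTEXITCODE -ne 0) { throw 'certutil -backup failed' }
    reg.exe export $RegKey "$BackupDir\CertSvc.reg" /y
    if ($LASTEXITCODE -ne 0) { throw 'registry export failed' }
    certutil.exe -catemplates | Out-File "$BackupDir\catemplates.txt" -Encoding ASCII
}

function Edit-CaRegFile {
    # Step 7 (and 15): swap only the host name, never a CA name. Default CA names often
    # embed the host name (e.g. corp-OLD-CA-HOST-CA), so a global replace would break them.
    $lines = Get-Content "$BackupDir\CertSvc.reg"      # reg.exe writes UTF-16LE with a BOM
    $out = foreach ($l in $lines) {
        if ($l -match '^"CAServerName"=') { $l -replace [regex]::Escape($OldHost), $NewHost } else { $l }
    }
    $out | Set-Content "$BackupDir\CertSvc-$NewHost.reg" -Encoding Unicode   # keep UTF-16LE for reg import
    # Any other line still naming the old host needs a human decision, not an automatic replace.
    $out | Where-Object { $_ -match [regex]::Escape($OldHost) } | ForEach-Object { Write-Warning "Review: $_" }
}

function Test-CaMigration {
    # Steps 9 and 17 on the destination CA, after restore, registry import and reboot.
    if ((Get-Service -Name CertSvc).Status -ne 'Running') { throw 'CertSvc is not running' }
    certutil.exe -ping | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'CA does not answer certutil -ping' }
    # The templates offered now must match what the old CA offered (step 3 snapshot).
    $diff = Compare-Object (Get-Content "$BackupDir\catemplates.txt") (certutil.exe -catemplates)
    if ($diff) { $diff | Format-Table -AutoSize; throw 'template list changed after migration' }
    'Migration checks passed'
}
```

Run Backup-CaState and Edit-CaRegFile on the source server, copy C:\bak to the destination, and run Test-CaMigration there once the role is restored and the edited .reg file imported.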



1 Comment


shogan
Mar 29, 2019

Outstanding article.


If I migrate a root CA to another server but it's a standalone server not on the domain, do I need to uninstall it or can I just power it off? I'd like to have the old one available in case something goes whack with the new one.


©2018 by ChristopherKeim.