Learn how to migrate Active Directory Certificate Services (AD CS) from an old domain controller to a new one, including the steps to back up and restore the CA database and configuration.
Active Directory Certificate Services (AD CS) is a role that provides a public key infrastructure (PKI) for an organization. It allows issuing and managing certificates for authentication, encryption, digital signatures, and other purposes. If you have AD CS installed on an old domain controller (DC) and you want to move it to a new one, you need to follow some steps to ensure a smooth and secure migration.
In this article, we will show you how to migrate AD CS from a Windows Server 2008 R2 DC to a Windows Server 2019 DC with a different name, using the backup and restore method.
Table of Contents
- Step 1: Backup the CA Database and Configuration on the Old DC
- Step 2: Uninstall AD CS from the Old DC
- Step 3: Install AD CS on the New DC
- Frequently Asked Questions (FAQs)
- Question: What are the benefits of migrating AD CS to a new DC?
- Question: What are the risks of migrating AD CS to a new DC?
- Question: How can I test the migration before applying it to the production environment?
- Summary
Step 1: Backup the CA Database and Configuration on the Old DC
The first step is to back up the CA database and configuration on the old DC so that they can be restored on the new DC later. To back up the CA database and configuration, follow these steps:
- Log in to the old DC as a member of the local Administrators group.
- Go to Start > Administrative Tools > Certification Authority.
- Right-click the server node > All Tasks > Back up CA.
- Click Next on the Certification Authority Backup Wizard screen.
- Select both options, Private key and CA certificate and Certificate database and certificate database log, and provide the backup path where the files will be stored.
- Click Next and provide a password to protect the private key and CA certificate file.
- Click Next and then Finish to complete the backup process.
You also need to back up the CA registry settings, which contain the CA configuration, such as the CA name, type, and policy. To back up the CA registry settings, follow these steps:
- Click Start > Run > type regedit and click OK.
- Expand the key in the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc
- Right-click on the Configuration key and click Export.
- Provide a name and save the backup file.
You can now copy the backup files to the new DC, or to removable media, for later use.
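A scripted version of Step 1, added here as an example rather than taken from the original article: it performs the same backup as the Back up CA wizard and the regedit export, records the CA name and type for Step 3, and writes a SHA-256 manifest so an incomplete or altered copy is detected on the new DC. The backup path, and that certutil.exe and reg.exe are on the PATH of an elevated PowerShell session on the old DC, are assumptions.

```powershell
# Scripted backup for Step 1 (added example; not from the original article).
# Assumptions: elevated PowerShell on the old DC; $BackupRoot is a local,
# NTFS-protected folder; certutil.exe and reg.exe are on the PATH.
$BackupRoot = 'D:\CABackup'                       # assumed path, change to suit
$Target = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# Password for the exported .p12 (CA certificate + private key). Prompt for it
# rather than hard-coding it in a script that may end up on a file share.
$Secure = Read-Host -AsSecureString 'Password to protect the CA key file'
$Plain  = (New-Object System.Management.Automation.PSCredential 'x', $Secure).GetNetworkCredential().Password

# 1. Same as the Back up CA wizard with both options selected: private key and
#    CA certificate, certificate database and database log, all under $Target.
& certutil.exe -p $Plain -backup $Target
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed (exit code $LASTEXITCODE)" }

# 2. Same registry key the article exports with regedit.
$RegFile = Join-Path $Target 'CertSvc-Configuration.reg'
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $RegFile /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit code $LASTEXITCODE)" }

# 3. Record CA name and type: Step 3 must configure the new CA with exactly these.
& certutil.exe -cainfo name | Out-File (Join-Path $Target 'ca-name.txt')
& certutil.exe -cainfo type | Out-File (Join-Path $Target 'ca-type.txt')

# 4. SHA-256 manifest so an incomplete or tampered copy is caught on the new DC.
#    certutil -hashfile exists on 2008 R2 (Get-FileHash needs PowerShell 4+).
$Manifest = Join-Path $Target 'SHA256SUMS.txt'
Get-ChildItem -Path $Target -Recurse |
    Where-Object { -not $_.PSIsContainer -and $_.FullName -ne $Manifest } |
    ForEach-Object {
        # line [1] of certutil -hashfile output is the hash; older builds space-separate the bytes
        $hash = (& certutil.exe -hashfile $_.FullName SHA256)[1] -replace ' ', ''
        "$hash  $($_.FullName.Substring($Target.Length + 1))"
    } | Out-File $Manifest -Encoding ASCII

Write-Host "Backup written to $Target. The .p12 in it is the CA's private key:"
Write-Host "move it to the new DC over an authenticated channel and delete every other copy afterwards."
```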
Step 2: Uninstall AD CS from the Old DC
The next step is to uninstall AD CS from the old DC. This will prevent any conflicts or issues with the new DC. To uninstall AD CS from the old DC, follow these steps:
- Navigate to Server Manager.
- Click Remove Roles under Roles Summary to start the Remove Roles Wizard, and then click Next.
- Clear the Active Directory Certificate Services check box and click Next.
- Click Remove on the Confirm Removal Options page.
- If Internet Information Services (IIS) is running and you are prompted to stop the service before you continue with the uninstall process, click OK.
- Click Close and restart the server to complete the uninstallation.
Step 3: Install AD CS on the New DC
The third step is to install AD CS on the new DC. You need to install the same CA type and name as the old DC, and use the backup files to restore the CA database and configuration. To install AD CS on the new DC, follow these steps:
- Log in to the new DC as a member of the local Administrators group.
- Navigate to Server Manager.
- Click Add Roles and Features under Manage to start the Add Roles and Features Wizard, and then click Next.
- Select Role-based or feature-based installation and click Next.
- Select the current server and click Next.
- Select the Active Directory Certificate Services check box and click Next.
- Click Next on the Features page.
- On the AD CS page, click Next.
- On the Role Services page, select the Certification Authority check box and click Next.
- On the Confirmation page, click Install.
- When the installation is complete, click the Configure Active Directory Certificate Services on the destination server link.
- On the Credentials page, click Next.
- On the Role Services page, select the Certification Authority check box and click Next.
- On the Setup Type page, select Existing CA and click Next.
- On the CA Type page, select the same CA type as the old DC (for example, Root CA) and click Next.
- On the CA Name page, select the same CA name as the old DC and click Next.
- On the Private Key page, select Use existing private key, then Select a certificate and use its associated private key, and click Next.
- On the Select Existing Certificate page, click Import and browse to the backup file that contains the private key and CA certificate. Provide the password that you used to protect the file and click OK. Select the certificate and click Next.
- On the Certificate Database page, change the path of the CA database and CA database log to match the backup path that you used on the old DC. For example, if you backed up from the D:\Winnt\System32\Certlog folder, you need to restore to the D:\Winnt\System32\Certlog folder. You cannot restore to the C:\Winnt\System32\Certlog folder. Click Next.
- On the Confirmation page, click Configure.
- When the configuration is complete, click Close.
You also need to restore the CA registry settings that you exported from the old DC in Step 1 (the CA name, type, policy and related configuration). To restore the CA registry settings, follow these steps:
- Click Start > Run > type regedit and click OK.
- Locate the backup file that contains the CA registry settings and double-click it.
- Click Yes to confirm the import.
You can now start the Active Directory Certificate Services service (certsvc) and verify that the CA is working properly.
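A scripted counterpart of the database and registry restore in Step 3, added here as an example and not part of the original article. It verifies the copied backup against the manifest, restores the database into the paths the wizard configured, imports the registry export, and then, before starting the service, lists every registry value that still names the old DC, since a configuration started that way would send clients to the old host for CRLs and CA certificates (the "broken revocation" risk from the FAQ). The backup path, the old DC's host name, and that the CA role was already installed and configured with the same name and type as described above are assumptions.

```powershell
# Scripted restore and post-restore check for Step 3 (added example; not from
# the original article). Assumptions: CA role installed and configured as above
# with the same CA name/type and the key imported via the wizard; the Step 1
# backup folder was copied to $Backup; $OldHost is the old DC's host name.
$Backup  = 'D:\CABackup\20240101-0900'   # assumed path: the folder copied from the old DC
$OldHost = 'OLDDC'                        # assumed host name of the old DC

# 1. Check the copy against the manifest before restoring anything from it.
Get-Content (Join-Path $Backup 'SHA256SUMS.txt') | Where-Object { $_ } | ForEach-Object {
    $expected, $rel = $_ -split '  ', 2
    $actual = (& certutil.exe -hashfile (Join-Path $Backup $rel) SHA256)[1] -replace ' ', ''
    if ($actual -ne $expected) { throw "Integrity check failed for $rel" }
}

# 2. Stop the CA, overwrite the empty database the wizard created with the
#    backed-up one (-f), then import the registry configuration from the old DC.
Stop-Service certsvc
& certutil.exe -f -restoredb $Backup
if ($LASTEXITCODE -ne 0) { throw "certutil -restoredb failed (exit code $LASTEXITCODE)" }
& reg.exe import (Join-Path $Backup 'CertSvc-Configuration.reg')
if ($LASTEXITCODE -ne 0) { throw "reg import failed (exit code $LASTEXITCODE)" }

# 3. The imported key still carries the old server's name (CAServerName, and any
#    CRL/AIA publication URL that hard-codes a host instead of using %1/%2 tokens).
#    List every value that still names the old DC; start the CA only if none remain.
$CfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$Stale = foreach ($key in @(Get-Item $CfgKey) + @(Get-ChildItem $CfgKey)) {
    foreach ($name in $key.GetValueNames()) {
        # -join flattens REG_MULTI_SZ values such as CRLPublicationURLs
        if (($key.GetValue($name) -join "`n") -match [regex]::Escape($OldHost)) {
            "$($key.PSChildName)\$name"
        }
    }
}
if ($Stale) {
    Write-Warning "Registry values still referencing ${OldHost}; correct them with certutil -setreg first:"
    $Stale | ForEach-Object { Write-Warning "  $_" }
} else {
    Start-Service certsvc
    & certutil.exe -ping          # the CA answers on the new DC
    & certutil.exe -cainfo name   # must match ca-name.txt from the backup
}
```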
Frequently Asked Questions (FAQs)
Question: What are the benefits of migrating AD CS to a new DC?
Answer: Migrating AD CS to a new DC can provide several benefits, such as:
- Improving the performance and security of the CA by using a newer and more powerful server.
- Reducing the risk of downtime and data loss by using a more reliable and resilient server.
- Simplifying the management and maintenance of the CA by using a more modern and user-friendly server.
Question: What are the risks of migrating AD CS to a new DC?
Answer: Migrating AD CS to a new DC can also involve some risks, such as:
- Losing the CA configuration and data if the backup and restore process fails or is incomplete.
- Breaking the certificate validation and revocation if the CA name or URL changes and the clients are not updated accordingly.
- Causing compatibility issues with the applications and services that rely on the CA if the CA type or policy changes.
Question: How can I test the migration before applying it to the production environment?
Answer: It is recommended to test the migration in a lab environment before applying it to the production environment. You can use a virtual machine or a spare server to simulate the old and the new DC, and follow the same steps as described in this article. You can then verify that the CA is functioning correctly and that the certificates are valid and revocable.
Summary
In this article, we have shown you how to migrate AD CS from an old DC to a new one using the backup and restore method. We have explained the steps to back up and restore the CA database and configuration, uninstall AD CS from the old DC, and install AD CS on the new DC. We have also provided some FAQs to answer common questions about the migration process. We hope that this article has been helpful and informative for you.
Disclaimer: This article is for informational purposes only and does not constitute professional advice. You should always consult a qualified IT expert before making any changes to your AD CS environment. We are not responsible for any damages or losses that may result from following the steps in this article.