KB ID 0001473
Problem
If you are retiring a CA Server, or there’s a problem with the server and you want to move Microsoft Certificate eServices to another server, the procedure is pretty straight forward.
BE AWARE: We are moving the CA Server, NOT the server name/FQDN, the two things are NOT the same, (you might have called them the same thing!) But a Certificate Authority has a name of its own, and that what we are going to move.
So the new server doesn’t have to have the same name? No, it can do if you really want, but that’s an added layer of complication I cant see the point of?
Here I’m moving from Server 2016 to Server 2016, but the process is pretty much identical all the way back to Server 2003.
Update Jun 2019: Used the same procedure today, to move from Server 2012R2 to Server 2019.
Solution
On the ‘Source‘ server, open the Certificate Services management console > Right click the CA NAME > All Tasks > Back up CA.
The backup wizard will open, Next > Tick BOTH options > Select a Backup Location > Next > Set a password (you will need this to set the new CA up!) > Next > Finish.
Now we need to take a backup of the Registry key that holds the information for this CA server. Run ‘regedit’ > Navigate to;
Export a copy of this key, (save it in the same folder that you backed up to earlier).
Now we need to uninstall CA Services from this server. Server Manager > Manage > Remove Roles and Services > Next.
REMOVE all the CA role services first! > Complete the Wizard, then launch the wizard again and select ‘Active Directory Certificate Services > At the pop-up select ‘Remove Features” > Next.
Next > Next > Next > Close.
Setup Certificate Services on the Target/New Server
Server Manager > Add Roles and Features > Next.
Next > Select ‘Active Directory Certificate Services’ > Add Features > Next.
For now let’s just stick the Certification Authority > Add the other role services later* > Next.
*Note: I’ve written about all these role services before, just use the search function, (above.) If you are unsure what they all do.
Next > Close.
Warning > Configure Active Directory Certificate Services > Next.
Next > Enterprise CA (Unless it’s an offline non domain joined CA) > Root CA (unless it’s a subordinate CA!) > Next.
> Select ‘Use existing private key‘ > Select ‘Select a Certificate and use its associated private key‘ > Next > Import > Browse > In your backup folder locate the certificate (it will have a .p7b extension.) > Enter the password > OK > Select the Cert > Next.
Next > Next > Configure > Close.
Stop Certificate Services;
If your new server has a different hostname/FQDN open the registry file you exported above with Notepad, Locate and change the CAServerName entry to the name of the NEW server.
Right click the registry backup > Merge > Yes > OK.
Launch the Certificate Services management console > Right Click the CA NAME > All Tasks > Restore CA.
The restore wizard will start > Next > Browse to the folder with your backup in > Next > Enter the password you used (above) > Next > Finish.
You will be prompted to start the Certificate Services service > Yes.
Related Articles, References, Credits, or External Links
NA
09/02/2019
Thank you for submitting the new hostname CA server Fix.
15/05/2019
Nice and clear walkthrough
I used this to perform a move for the CA service on a pair of 2012 R2 servers.
No issues were experienced beyond ensuring *NOT* to select the “database” sub-directory when performing the final restore, use the parent directory.
Thanks for taking the time to write and present this so well.
Stu
16/05/2019
No problem Stu, thanks for the feedback.
30/05/2019
Thanks for the nice and concise write-up. I’ll be using it to migrate a 2008R2 CA to a 2016 server. Quick question, do I need to back up and restore the cert templates too?
-George
30/05/2019
Cheers George, the templates are actually stored in AD, not in cert services, (providing they have been published of course!)
P
28/06/2019
George, did you complete your migration? I’m seeing some sources (https://social.technet.microsoft.com/wiki/contents/articles/37373.migrating-ad-certificate-services-from-windows-server-2008-to-windows-server-2016.aspx) saying you can’t migrate CA from 2008 to 2016, although the source wasn’t clear whether 2008 or 2008 R2. I wanted to know if you were successful with your 2008 R2 to 2016 CA migration; I’ll be making that leap here soon as well.
OB
08/07/2019
::bump:: please
I have the same question, thank you.
08/07/2019
I ended up finding this today from technet, according to this article 2008 R2 can be migrated to 2016 / 2019.
https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/Step-By-Step-Migrating-The-Active-Directory-Certificate-Service/bc-p/700730#M270%3FWT.mc_id=ITOPSTALK-blog-abartolo
20/06/2019
Any downtime for this? Considering doing this during the day.
20/06/2019
Only for the PKI service while you swap over 🙂 Users probably won’t even notice.
30/07/2019
Worked on 2019 as well
13/08/2019
Can you install the new CA role but not restore the services prior to doing the swap? Would speed up the process not fully removing old and then installing new etc.
13/08/2019
Excellent ! I would have never figured that out, especially the registry modification.
Move a 2012R2 over to 2019 Server not issues.