KB ID 0001473
Problem
If you are retiring a CA Server, or there’s a problem with the server and you want to move Microsoft Certificate Services to another server, the procedure is pretty straight forward.
BE AWARE: We are moving the CA Server Name , NOT the Server Name (FQDN), the two things are NOT the same, (you might have called them the same thing!) But a Certificate Authority has a name of its own, and that’s what we are going to move.
So the new server doesn’t have to have the same name? No, it can do if you really want, but that’s an added layer of complication I can’t see the point of?
In the video below, I’m migrating from Server 2008 R2 to Server 2019, and I’m also moving CRLs and OSCP responders. In the screenshots below I’m moving from Server 2016 to Server 2016, but the process is pretty much identical all the way back to Server 2003.
Can I migrate from Server 2008 (NON R2) to 2016 (or newer): Yes, but not directly, you need to upgrade to Server 2012 R2 first. If you don’t, the database wont mount and you will get this error.
Solution
On the ‘Source‘ server, open the Certificate Services management console > Right click the CA NAME > All Tasks > Back up CA.
The backup wizard will open, Next > Tick BOTH options > Select a Backup Location > Next > Set a password (you will need this to set the new CA up!) > Next > Finish.
Now we need to take a backup of the Registry key that holds the information for this CA server. Run ‘regedit’ > Navigate to;
Export a copy of this key, (save it in the same folder that you backed up to earlier).
Now we need to uninstall CA Services from this server. Server Manager > Manage > Remove Roles and Services > Next.
REMOVE all the CA role services first! > Complete the Wizard, then launch the wizard again and select ‘Active Directory Certificate Services’ > At the pop-up select ‘Remove Features’ > Next.
Next > Next > Next > Close.
Setup Certificate Services on the Target/New Server
Server Manager > Add Roles and Features > Next.
Next > Select ‘Active Directory Certificate Services’ > Add Features > Next.
For now let’s just stick with the Certification Authority > Add the other role services later* > Next.
*Note: I’ve written about all these role services before, just use the search function, (above), if you are unsure what they all do.
Next > Close.
Warning > Configure Active Directory Certificate Services > Next.
Next > Enterprise CA (Unless it’s an offline non domain joined CA) > Root CA (unless it’s a subordinate CA!) > Next.
> Select ‘Use existing private key‘ > Select ‘Select a Certificate and use its associated private key‘ > Next > Import > Browse > In your backup folder locate the certificate (it will have a .p7b extension.) > Enter the password > OK > Select the Cert > Next.
Next > Next > Configure > Close.
Stop Certificate Services;
If your new server has a different hostname/FQDN open the registry file you exported above with Notepad, locate and change the CAServerName entry to the name of the NEW server.
Right click the registry backup > Merge > Yes > OK.
Launch the Certificate Services management console > Right Click the CA NAME > All Tasks > Restore CA.
The restore wizard will start > Next > Browse to the folder with your backup in > Next > Enter the password you used (above) > Next > Finish.
You will be prompted to start the Certificate Services service > Yes.
Related Articles, References, Credits, or External Links
NA
09/02/2019
Thank you for submitting the new hostname CA server Fix.
15/05/2019
Nice and clear walkthrough
I used this to perform a move for the CA service on a pair of 2012 R2 servers.
No issues were experienced beyond ensuring *NOT* to select the “database” sub-directory when performing the final restore, use the parent directory.
Thanks for taking the time to write and present this so well.
Stu
16/05/2019
No problem Stu, thanks for the feedback.
30/05/2019
Thanks for the nice and concise write-up. I’ll be using it to migrate a 2008R2 CA to a 2016 server. Quick question, do I need to back up and restore the cert templates too?
-George
30/05/2019
Cheers George, the templates are actually stored in AD, not in cert services, (providing they have been published of course!)
P
28/06/2019
George, did you complete your migration? I’m seeing some sources (https://social.technet.microsoft.com/wiki/contents/articles/37373.migrating-ad-certificate-services-from-windows-server-2008-to-windows-server-2016.aspx) saying you can’t migrate CA from 2008 to 2016, although the source wasn’t clear whether 2008 or 2008 R2. I wanted to know if you were successful with your 2008 R2 to 2016 CA migration; I’ll be making that leap here soon as well.
OB
08/07/2019
::bump:: please
I have the same question, thank you.
08/07/2019
I ended up finding this today from technet, according to this article 2008 R2 can be migrated to 2016 / 2019.
https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/Step-By-Step-Migrating-The-Active-Directory-Certificate-Service/bc-p/700730#M270%3FWT.mc_id=ITOPSTALK-blog-abartolo
20/06/2019
Any downtime for this? Considering doing this during the day.
20/06/2019
Only for the PKI service while you swap over 🙂 Users probably won’t even notice.
30/07/2019
Worked on 2019 as well
13/08/2019
Can you install the new CA role but not restore the services prior to doing the swap? Would speed up the process not fully removing old and then installing new etc.
16/10/2019
It is not possible because:
It is important to remove the CA role service from the source server after completing backup procedures and before installing the CA role service on the destination server. Enterprise CAs and standalone CAs that are domain members store in Active Directory Domain Services (AD DS) configuration data that is associated with the common name of the CA. Removing the
CA role service also removes the CA’s configuration data from AD DS. Because the source CA and destination CA share the same common name, removing the CA role service from the source server after installing the CA role service on the destination server removes configuration data that is required by destination CA and interferes with its operation. The CA database, private key, and certificate are not removed from the source server by removing the CA role service. Therefore, reinstalling the CA role service on the source server
restores the source CA if migration fails and performing a rollback is required. See Restoring AD CS to the source server in the event of migration failure.
17/10/2019
I’ve seen a couple different takes on this…
One states that the removal of the CA roles on the one server is absolutely necessary prior to adding and configuring them on the replacement server.
Another states that one can simply force the one server offline (e.g. disable the NIC) so it’s not available when the replacement server comes online.
You clearly take the first position, and it makes sense. It’s a bit nerve-wracking, even with the rollback options, but it makes sense.
Question: If the replacement server has a different hostname, and the certificates show the original server’s hostname as part of their CRL Distribution Point, will the steps in this article account for those, or will I need to take additional steps such as creating a CAPolicy.inf file?
Alternatively, I’ve considered just making a separate DNS entry for the old hostname pointing at the new IP.
13/08/2019
Excellent ! I would have never figured that out, especially the registry modification.
Move a 2012R2 over to 2019 Server not issues.
20/08/2019
Some articles say to change the name of the new CA Server to match the old CA server after you decommission the old CA server… so this is NOT necessary right? The only thing is the new server name will not match the CA name right? Oh and you would not need to modify CAServername registry entry….
22/08/2019
I don’t (usually) and I’ve never had a problem?
P
18/01/2020
You can’t. The add roles/features wizard specifically states that once you add the CA role, you can’t change the hostname and or domain afterwards.
26/08/2019
Thanks for the article, good work!
What about the AIA and CDP distribution points, and the CRL urls? Do you need to do anything to those to change them etc?
27/08/2019
That is a great point! If you are retaining the server name, things like AIA will probably be the same, but CRL and OSCP may well need to man manually recreated (with the same paths, or changed to the new server name).
29/08/2019
Thanks the article is very straight forward. My question as I prepare to move my CA to a new server is how do the clients find the CA?
If the CA was one name or on one server how do they find it when I move to a new server with a different name?
Thanks,
Dave
29/08/2019
They will find it in Active Directory 🙂
29/08/2019
So it will replicate the changes with AD?
I only ask because its a huge move considering if things don’t work my users wont be able to login.
And thanks so much for taking the time to answer me.
29/08/2019
Even if you are doing 801.x authentication the root CA cert will be the same, all previously issued certs will remain trusted. 🙂
11/09/2019
Awesome, thank you so much
12/09/2019
Is it safe to assume same steps would work migrating from 2008 R2 to 2016 Server?
I already have prepped 2016 server that is domain joined.
Would you also recommend making it a domain controller since my 2008 CA is also a domain controller
with schema master role assigned? I was planning on moving that role ahead of time, but should I still make it a domain controller ?
Thank You
16/09/2019
Yes in fact I’ve done it in anger 🙂
22/09/2019
PeteLong when you say Yes to Luke, which question are you saying Yes to? I was thinking of taking this opportunity to move my CA off of my 2012 DC and moving it to a member server. Everything I see says to keep it off of a CA so that is why I’m looking at it.
I was thinking I could bring up a new DC2019 and then demote the DC2012 (that has the CA on it). Now it’s just a member server. I could then install a new MemberServer 2019 and move the CA from the 2012 server to it.
What are your thoughts on this process?
23/09/2019
I mean the upgrade/migration process will work.
I don’t recommend making it a domain controller, (unless you have no choice).
Treat migrating domain controllers and migrating CA’s as a separate thing!
24/09/2019
I have something similar to this but I wanted to see if someone can comment on this: i have a CA server on an old 2008 R2 enterprise domain controller which I want to retire I also have two additional one is 2012 R2 and the other one is a 2016. all roles are managed by the 2012 DC
is it advisable to just install CA services on both 2012 and 2106 DCs and retire the 2008 DC or do i need to migrate the DB from the 2008 into one of the other two domain controllers?
Any feedback would be greatly appreciated. thanks, Wil
24/09/2019
Migrate the Root CA, then simply remove the CA roles from the SubCA servers and create some new ones, take a backup of them before you kill them in case you need to retain the intermediate CA certificates for any reason (i.e. 802.1x, or NDES, or appliances you manually put certificates on).
P
14/10/2019
What an excellent article. I’ll be using this as a guide to migrate a 2012 R2 CA to 2016 this week.
One quick (I hope) question: We’ll be changing the hostname and IP address of our CA. Is it strictly necessary to remove the CA roles from the original CA prior to installing those roles on the new CA? Or, can the original CA be shut down pending successful migration?
14/10/2019
Well no it’s not strictly necessary, but the CA can only exist in one place, the sever-name and the CA name are NOT the same, as soon as the CA is imported and online on the new server it CANNOT be online on the old one 🙂
P
14/10/2019
Perfect. Thanks again! Sounds like the best way to ensure some fallback plan (or management peace-of-mind, anyway) is to disable the NIC on the server hosting the old CA so, even powered on, it can’t talk to others. Out-of-Band-Management is obviously key to being able to do this.
Then, once we’ve got green light on the new CA on the new server, we can remove the roles from the old server.
22/10/2019
Thank you
31/10/2019
Thank you for a great article. Worked perfect. Just a quick comment, I had CNAME’s for CRL and AIA in my local DNS pointing to the old server hostname. I updated those to the new server hostname.
15/11/2019
When installing CA on the new server, when I go to configure it, the option for Enterprise CA is grayed out. Do you know why that is?
18/11/2019
Is it already a domain member server?
21/11/2019
We have root offline CA (Non Domain Joined) and Intermediate CA (Domain Joined) both are on 2008 R2
can we follow same process to migrate both server?, first migrate Root offline CA to 2019 and then migrate intermediate CA to 2019
is there anything else required.
21/11/2019
I’ve not done this, but I don’t see why not, as we are moving the CA, not the server. You can Test it in a virtual sandbox, but I can think of any problems.
25/11/2019
work this on domain controllers servers ?
i have DC where is running CA and need migrate to new server with new FQN name.. but CA name will be same as old..
thanks for help 😉
25/11/2019
The fact its a DC does not matter its the “CA name” you are moving 🙂
06/12/2019
Correct me if I am wrong – it may be a good idea to make a note of and then remove all certificate templates on the old server prior to taking a backup of the existing CA to ensure that no certificates are issued between the time you take the backup on the original server and restore on the new server. The templates could then be re-added after the restore is done.
06/12/2019
Templates don’t live on the CA server, they are stored in AD, that’s why if you have a lot of domain controllers, you need to wait a few minutes before you can issue a ‘new’ template. You are waiting for domain replication to occur.
13/12/2019
Perhaps I was not as clear as I could have been. I was suggesting that you could unpublish the templates to prevent certificates being issued between the moment you take the CA backup and disable/remove Certificate Services on the old server. The chance of this happening is small, but couldn’t it result in an ‘orphan’ certificate being issued?
16/12/2019
The worst that would happen is you would not be able to revoke it.
13/12/2019
Everything seems to have worked except the registry import, is it a requirement or can we run without it?
16/12/2019
No you definitely need that to work!
16/12/2019
Great information!
My team and I are ready to execute this Migration from a 2008 Server to a 2012R2. Our main concerns are:
1. If the server has a different name, even if we change the name in the registry export to the new name, how does that affect any currently issued certificates with the old name embedded into it?
2. How do you get all computer objects on the domain to update the certificate once the new cert is up and running?
I’m a bit novice to Managing a Certificate Store, but the project is mine to undertake and i certainly want to learn, so please Jedi Masters, give this Padawan Guidance! Thanks!
16/12/2019
1. Man Im sure I’ve mentioned this six thousand and seven times, stop worrying about server names, server names are not important at all, you are moving the CA name. So changing the server names affects nothing.
2. Assuming your computers are auto-enrolling, (if not then they wont have any certificates?) then they will renew from the CA NAME which they will find in active directory, and which hasn’t changed from the last time they got a certificate, it’s just on a different server 🙂
Imagine ‘Boots the chemist’ moves from the middle of town, to the out of town shopping centre, your question would read how do we buy paracetamol now Boots has changed its address.
P
17/12/2019
PeteLong, If the server name is irrelevant, then why is the cert server name embedded in the local workstation and server certificates? See the ProdCert1v server name in the certificate below:
(ldap:///CN=xxxxxxxxx%20xxxxxxxxxxxx%20Certificate%20Authority,CN=PRODCERT1v,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xxxxxxxxxxx,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint)
URL=http://prodcert1v.xxxxxxxxx.com/CertEnroll/xxxxxxx xxxxxxxxx Certificate Authority.crl (http://prodcert1v.xxxxxxxxx.com/CertEnroll/Contractor%20Connection%20Certificate%20Authority.crl)
17/12/2019
Thats a CRL pointer.
18/01/2020
It’s the CRL URL in your reference, the person that originally installed that chose that URL/hostname. If you wish to support existing CRL lookups using this FQDN it either needs to be replicated or redirected from the original server.
However, within an AD environment LDAP is used first. This is why if your CA services non-domain members, it’s probably best to remove the LDAP location and just use HTTP to speed up resolution.
Hope this makes sense!
26/12/2019
To PeteLong…. Thank you!
Christmas Gift for me to have an easy path!
30/12/2019
Very Clean walkthrough. Thanks
02/01/2020
Hi,
I am in process of upgrading existing CA environment – 2008 -> 2019. Offline Root CA and 3 domain member SUB CA’s. After upgrade I will only need one SUB CA.
My idea is to migrate the Root CA using backup/restore as described here to a new server with new name (I think straight forward). On the current 3 SUB CA’s I want to disable auto-enrolling – and keep them alive until latest issued certificate have expired. Install a new sub CA with with auto-enrolling enabled?
Any pitfalls doing it this way?
Torben
02/01/2020
Not that I can see, as long as they are left up for the same amount of time that the certificates are valid 🙂
07/01/2020
This worked well for me thank you. On the original CA I had created a “User VPN” template for auto-enrollment. I am not sure if it was necessary, but I did reissue this certificate template on the restored CA. The User VPN template was not listed until I had selected “New -> Certificate Template to Issue”
07/01/2020
Thanks for the slick write up. I really appreciate this and the other articles you have contributed to the community Pete!
Sam
07/01/2020
Thanks Sam!
08/01/2020
Pete,
Great work, great write up.
Quick question.
I’m planning on upgrading a rootCA and a SubCA (2008r2 to 2019).
I follow the steps that you laid out for the root, I understand that.
What about the sub?
Do I do the same (ie backup the sub and the sub’s reg then restore to 2019)?
Or did I see in the comments to just install a brand new sub (even though many certs issue from sub)?
Thanx!
09/01/2020
Same procedure for the SubCA if you want to migrate it, you can also create a new one just as easy 🙂
09/01/2020
Great write up Pete!
Just a quick question, We have our CA on a 2008 DC which we want to decommission and shut down for good. Once we move the Certificate Services over to a new domain member server are we able to then demote the DC and then kill the server for good?
Just wanted to check demoting and killing the server wouldn’t cause issues with the CA on the new server?
09/01/2020
Yes – providing theres nothing else on it (DHCP, DNS, Terminal Services Licence server etc,)
09/01/2020
Put me in the same boat as those scrambling to remove 2008R2 servers from their environment. Followed these steps last night. All quiet in the office today. Would add that i was seeing errors in ‘pkiview’ referencing the old CA server, and i needed to publish my revoked certificates and then refresh the pkiview screen and that cleared those.
im still getting ‘unable to download’ on the delta crl #3 and cdp location #2 where the location is file://NEW_CA_SERVER….. but if i copy the url and browse in explorer its working, so not sure what to do there
in any case, kudos to PeteLong for actually reading and responding to so many people, after this post has been up all this time. top bloke!
10/01/2020
Thanks Jono M8!
10/01/2020
I have a Server 2008R2 and CA is running on a DC. I am planning to move CA role for DC to on its own new 2019 Server. Hostname will be different. Do I need to change any registry value if it has a different hostname? or do I need to perform any further steps apart from what is in the article.
Thanks and very helpful write up.
10/01/2020
Yes you DO need the change the server name in the registry key backup, to the new server name 🙂
P
10/01/2020
Hello pete
First of all thx for the guide, will help a lot to guys like me that do not usually play with CA’s, are on a small business and have an inherited problem from his predecessor.
what you would recomend in a case that there is a CA server on a w2008r2 DC with a cert using a deprecated SHA1 hash algorithm?
first migrate it using your guide to a w2019 and then upgrade the SHA1 cert to a SHA256 or
First upgrade the SHA1 to SHA256 and then migrate to the new server?
Just check it with certutil -store my the provider is Microsoft Software Key Storage, so at least i dont have to upgrade from CSP to KSP, which is a little relief.
10/01/2020
Great Question!
You can do it either way, I personally would sort the SHA1 problem out first, but theres no reason at all not to do it the way round you suggest.
And thanks for the feedback!
17/01/2020
Thanks for the great article. My brain is teflon when it comes to retaining CA knowledge. Definitely one of my weaker skillsets.
I’m not sure this was made clear in the comments posted, so I’ll spell it out just in case.
Firstly, one of my pet peeves is when people don’t quote R2 when talking about that version of Server 2008. Where I work we have a Windows Server 2008 migration project when the vast majority (if not all) are 2008r2 – drives me crazy.
Anyway, since I don’t want to assume all comment posters are good techies and referencing their OSes properly in their questions, I want to clarify:
If you have Windows Server 2008 CAs (not R2) and you want to migrate to 2016 or 2019, you MUST first do a migration to 2012r2
If you have 2008r2 CAs, you can go straight to 2016 or 2019.
18/01/2020
I’ve updated this post (above) and linked to what will happen if you attempt to upgrade 2008 (non R2) to 2016/2019.
Pete