Migrating Certificate Service From Windows Server 2008 R2 to 2019
- Published on 5 Oct 2024
- Video Series on Active Directory Certificate Service with Windows Server 2019:
In this step-by-step guide, we migrate Active Directory Certificate Services from Windows Server 2008 R2 to Windows Server 2019. The goal is to move the existing enterprise root certificate authority running on 2008 R2 to Windows Server 2019.
Follow my blogs:
msftwebcast.com
You are amazing! thanks for the help. had been decades since I did it and needed a refresher.
Thank you- This video is exceptionally well done and accurate. Awesome!
Excellent. No one can explain like you, easily, with a step-by-step practical lab. Great!
Glad you think so!
Very helpful. Just what I was looking for. Thank you.
Thx gonna need this soon upgrading production environments .. I may run this in my lab first 😎
Way to make it look easy. Nice work.
There are some very old certificates, more than 5 years old. Those certificates are not required for business use. How do I delete the expired and revoked certificates from ADCS?
Very precise and good presentation
Thanks for sharing the information with us!!!!
Thanks for your great content MSFT WebCast,
I have a question for you. If I am migrating a Certification Authority which is integrated with Active Directory, I know that the CA reads and writes from NTDS.DIT. If I take a checkpoint on the hypervisor and then have a problem during the migration, can I revert to that checkpoint, or will I have a problem because the CA reads old data in NTDS.DIT?
Thank you
Question - Since you changed the CA name on the destination server, should you set the permissions in "Active Directory Sites and Services" for the AIA and CDP with the new server name?
You can't upgrade from 2008 to 2019 straight, though.
You have to update from 2008 to 2012 before updating the database.
2008R2 you can, but not 2008 (non-R2) so you could upgrade 2008 to 2008R2 and then you can migrate to 2019.
@jriding6161 Yes, you are right, since 2008 R2 still upgrades the certificates database as a prerequisite prior to migrating to 2012 and later OS.
Thank you! Awesome video!
What steps will change, if the server being migrated has its private key stored inside a HSM?
Excellent question !
I have the same situation
Please let me know if you have answer
Hi, all your videos are really helpful and professional. Do you have a video on how to migrate a shared folder from Server 2008 R2 to Server 2019/2022?
Thank you!
How about the CRL and AIA information URLs? Those are still going to point to the old server name, from which you uninstalled the ADCS role.
Have you ever done any PKI migrations? If yes, do you have a 2-tier migration: 1 offline root CA, 2 issuing CAs, 2 web enrollment servers and an AD? These certs are used only for internal purposes.
Can we do an in place upgrade of 2008 Certificate Authority to 2019 on the same box?
Great~!
The method shown didn't work for me in a two-tier CA environment. Could you please provide more details on this?
Hi, did you find the answer? I have the exact same question. I am assuming we use the same steps for Root CA and then the same for Issuing CA?
This worked great thanks!
Super video ! Merci
Does anyone know if certificates are already handed out, when you uninstall the roles from the original server, will that cause any downtime of the current certs?
Nice video, good to know. But we would rather build new from scratch in our case. (More hope we can run an old Hyper-V installation on 2019 instead.)
Quick question...Once you move to the new CA Server, will AD automatically update the certs to the machines and say network appliances? Or will that need to be done manually?
Certificate will update as per its validity and configuration settings.
Can we apply the same in 2012R2 to 2019 ?
Should I also change the "WebClientCAMachine" ?
If you have a web proxy machine for CA web pages whose DNS host name is changed as a result of the domain rename operation, that time you need to change the "webclientCAMachine" reg entries.
@MSFTWebCast I just migrated the CA to a new server with a different name.
How would this process differ if you have both a Root CA and a Sub CA?
Same question
Hi there! When I'm trying to back up the CA from Windows Server 2008 R2, I'm getting this message: "Windows cannot back up one or more private keys because the CSP does not support key export. Do you want to continue and back up only the private keys that can be exported?".
Maybe somebody could give me advice on what to do with this error and what could be the consequences if you backup only private keys that can be exported? Thanks!
I think probably private key is missing or corrupted. Use certutil -store my and certutil -store -v my command for information.
Good
nice video
Thanks
Hello,
My CA has 1024-bit RSA encryption. How do I renew for 2048?
You cannot change the key size, I believe...
May I suggest the following, but dare I say it needs a lot of time and patience...
Run a parallel CA setup with a 2048/4096-bit key, and start issuing/renewing certs from the new setup until all the old certs are migrated or expired.
In my experience, experimenting with new stuff in MS products will always lead to issues...😅
What CA migration is this? ROOT or Enterprise?
Domain joined!
So most probably an enterprise sub CA
How can we keep the same CA server name as the old one?
Make sure that the host name of the Windows Server 2019 machine is the same as the old CA name. In my case, the old CA name is WS2K8R2.mylab.local and the new CA name is WS2K19-CA01.mylab.local. If you keep both CA names the same, then you do not need to perform the steps from 13:11 to 13:47.
@MSFTWebCast Thank you!
okk