Migrating AD CS from 2008 to 2012 R2
Hello,

I'm in the process of researching the best way to migrate our AD CS onto a new Server and I've read a few conflicting articles on the web, specifically to do with naming. So I'm looking to get some advice on the best way to do this.

The CS role is currently sitting on a 2008 DC that will be demoted as we'll be upgrading the DFL and FFL to 2012 R2 on new DCs. I'd ideally (I think) like to move the CS role to a member Server with a new name, not new CA name, obviously, but new Server name. I've read some articles that say this will be ok but others that advise to the contrary. Can anyone clarify this?

If I can't rename it I'd still like to move it to a member Server but I'd need to demote the DC after removing the CS role. Presumably then match the new Server name with that of the old Server before adding it to the Domain, installing the CS role and recovering the config from the old CA backup. Does that sound right? Would it be easier keeping the CS role with a new DC? Any other general help or advice would be appreciated.

Hope that all makes sense.

Cheers
Neil
September 9th, 2015 5:09pm

ADCS migration to another host with a new name is completely supported. I strongly recommend examining the official ADCS migration guide: https://technet.microsoft.com/en-us/library/ee126170(v=ws.10).aspx

This guide provides a scenario where the destination host has a different name.

September 9th, 2015 6:41pm

I have performed this same migration about two months ago without issues. From a high level I backed up the CA that was running on my DC along with the certificates. Then I removed the CA role from that server. Then I built a new 2012 R2 server and loaded the CA role. Performed a restore and everything worked fine. I also increased the expiration on the Root CA certificate to 10 years so that we could issue 10 year certs.

I also used the document below to work through the migration. 

https://technet.microsoft.com/en-us/library/ee126170(v=ws.10).aspx

September 10th, 2015 10:09am

Hi Vadims,

Thanks for getting back to me with the info and confirming it could be done, I appreciate it.

After reading the documentation and watching a few vids by Chris Delay, I think I'll just keep the same host name and CA name. It looks much easier to keep the same name and as I planned on decommissioning the DC it's not too much of an issue.  So at a high-level I'll presumably have to...

- Take all relevant CS backups from source

- Remove CS role(s) from source

- Demote source as DC

- Name destination server as that of the source and add to the Domain

- Install CS role(s)

- Recover CS from source backup (private key, cert, database, log files & registry)

- Add in any templates that were also on the source

...I think that's it, does that sound right?

Thanks again

Neil

September 10th, 2015 10:33am

Thanks for that Jef.

Assuming you changed the host name, did you have to amend the AIA info etc. or did you just perform a regular restore and it worked?

The other thing I didn't mention, is that this is a root CA that is also doing the issuing etc.

Cheers

Neil

September 10th, 2015 10:57am

Hi Vadims,

Thanks for getting back to me with the info and confirming it could be done, I appreciate it.

After reading the documentation and watching a few vids by Chris Delay, I think I'll just keep the same host name and CA name. It looks much easier to keep the same name and as I planned on decommissioning the DC it's not too much of an issue.  So at a high-level I'll presumably have to...

- Take all relevant CS backups from source

- Remove CS role(s) from source

- Demote source as DC

- Name destination server as that of the source and add to the Domain

- Install CS role(s)

- Recover CS from source backup (private key, cert, database, log files & registry)

- Add in any templates that were also on the source

...I think that's it, does that sound right?

Thanks again

Neil


Yes, it does sound right.
September 10th, 2015 9:51pm
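The backup and restore steps agreed in the thread, sketched with the certutil/reg commands and the AD CS deployment cmdlets. This is an added example, not part of the original posts; the function names, the `C:\CABackup` path and the `EnterpriseRootCA` type are assumptions, and the template parsing assumes `certutil -catemplates` prints one `Name: Display name` line per template.

```powershell
# Added example. Export-SourceCA / Restore-DestinationCA and C:\CABackup are hypothetical names.
# The backup folder holds the CA private key (.p12): restrict access to it, move it over a
# trusted channel, and delete it once the new CA is verified.
$RegKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Export-SourceCA {            # run elevated on the old 2008 CA while CertSvc is running
    param([string]$Path = 'C:\CABackup')
    certutil -backupDB $Path          # database and log files
    if ($LASTEXITCODE -ne 0) { throw 'Database backup failed' }
    certutil -backupKey $Path         # CA certificate and private key; prompts for a password
    if ($LASTEXITCODE -ne 0) { throw 'Key backup failed' }
    reg export $RegKey "$Path\CAConfig.reg" /y
    certutil -catemplates > "$Path\catemplates.txt"   # record the published templates
}
# Between the two functions: remove the CS role, demote the old DC, give the new
# server the old host name and join it to the domain, then copy the backup folder across.

function Restore-DestinationCA {      # run elevated on the new 2012 R2 member server
    param([string]$Path = 'C:\CABackup',
          [string]$CAType = 'EnterpriseRootCA')       # assumption: enterprise root CA
    $p12 = Get-ChildItem -Path $Path -Filter *.p12 | Select-Object -First 1
    if (-not $p12) { throw "No .p12 key backup found in $Path" }
    Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
    $pw = Read-Host -AsSecureString 'Password for the .p12 key backup'
    Install-AdcsCertificationAuthority -CAType $CAType -CertFile $p12.FullName `
        -CertFilePassword $pw -Force  # reuses the existing CA cert and key, so the CA name is kept
    Stop-Service certsvc
    certutil -f -restoreDB $Path
    if ($LASTEXITCODE -ne 0) { throw 'Database restore failed' }
    reg import "$Path\CAConfig.reg"   # review the file before importing it
    Start-Service certsvc

    # Publish any template that was on the source but is missing on the restored CA.
    $want = Get-Content "$Path\catemplates.txt" |
        Where-Object { $_ -match '^\S+:' -and $_ -notmatch '^CertUtil:' } |
        ForEach-Object { ($_ -split ':')[0] }
    $have = certutil -catemplates | ForEach-Object { ($_ -split ':')[0] }
    foreach ($t in $want) {
        if ($have -notcontains $t) { certutil -setcatemplates "+$t" }
    }
}
```

Call `Export-SourceCA` on the old server and `Restore-DestinationCA` on the new one; the certutil and reg lines in the first function also work unchanged from cmd.exe if PowerShell is not installed on the 2008 host.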

This topic is archived. No further replies will be accepted.
