Failed migration of a Certificate Authority (CA) from Windows 2008 R2 to Windows 2012 R2

Good afternoon dear reader,
I will tell you about the nightmare I experienced migrating a CA from Windows 2008 R2 to Windows 2012 R2. There are a lot of articles on the Internet about this, and there should not have been any problems.

To my regret, I'm not really a Windows admin, I'm more of a *nix admin, but the task of migrating the CA was set, so it had to be done.

Under the cut, I'll tell you how I went through this process and got a not-quite-happy end.

And so, let's go...
Initial data:
Source - Windows 2008 R2 with Root CA
Target - Windows 2012 R2

I already had a Windows 2012 R2 server installed and minimally configured.

Initially, the action plan was as follows (in shortened form):
1) Make a backup of the CA + private key and copy it to a share accessible to both computers
2) Remove the target from the domain and change its IP
3) Take a snapshot of the server
4) Change the IP on the source
5) Log in to the new Windows 2012 R2 server as administrator, join it to the domain with the same name and assign it the old IP
6) Install the Active Directory Certificate Services role (CA, CA Web Enrollment, NDES, Online Responder)
7) Specify that this is an Enterprise CA
8) Restore the CA + private key from the backup
9) Happy end

Agreed, there is nothing complicated here. And so I started to implement it. In fact, there were no problems and everything went like clockwork... The service started, the Certificate Templates appeared and so did the certificates themselves. In general, everything was OK. So I went to bed. In the morning, there were no complaints about the CA, so I assumed that everything was working and moved on to other tasks. While solving them, I needed a certificate. I created a .csr and followed the link vm_ca/certsvc to sign it and receive a certificate, and at this stage an error occurred. Unfortunately, I did not take a screenshot, but it said "mismatch user information" and some other errors. Well, here we go, I thought. I started googling, but unfortunately I did not find anything intelligible.

In the evening, we decided to remove the CA from Windows 2012 R2 and set everything up from scratch, and that is where I made a mistake: instead of Enterprise CA, I chose the Standalone CA option (though I only found out about my mistake later). I did all the operations again... everything went without errors, but when I select the Certificate Templates folder, I get "Element not found", although if I select Manage, the templates are in place.
I thought that there were not enough rights on this CN=Certificate Templates, so with the help of ADSI Edit I granted Read to vm_ca$. Restarted CertSvc and... result: "Element not found".
Then I felt sad, because it was 2 am... and the CA was not working. I shut down the Windows 2012 R2 CA and restored the Windows 2008 R2 CA VM from the snapshot. I rejoined the server to AD (because when I tried to log in under a domain account, I got an error about the trust relationship between the server and AD).
Well, I think... everything will be OK now, but alas... still the same Certificate Templates problem: I get "Element not found". I'll leave everything until the morning, for the morning is wiser than the evening.
In the morning I googled, and after reading all sorts of articles I decided to reinstall the CA on the old server in the hope of solving the "Element not found" problem and issuing certificates via the Web.

The process is pretty simple:
1) Remove the CA role
2) Reboot
3) Wait for the removal process to complete
4) Add the CA role (specify CA, CA Web Enrollment, NDES, Online Responder)
5) Specify that this is an Enterprise CA and that we have an existing private key
6) Wait for the installation to complete and restore everything from the backup we made at the very beginning
7) As usual, everything goes with a bang: no errors, and the service started
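As an added example (my own script, not from the post), the backup on the source (step 1 of the first plan) and the restore plus the checks a practitioner would run on the target (step 8, and the restore above) expressed as certutil/PowerShell commands. The paths C:\CABackup and \\fileserver\cabackup are assumptions; Restore-CARoleService and Get-CATemplate come from the ADCSAdministration module, which exists on 2012 R2 but not on 2008 R2.

```powershell
# ----- On the source (2008 R2): certutil only, the ADCSAdministration cmdlets do not exist there -----
$BackupDir = 'C:\CABackup'   # assumed path
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# CA certificate + private key (PKCS#12) and the certificate database.
# certutil prompts for the password that protects the exported key.
certutil -backup $BackupDir

# The CA's registry configuration (CRL/AIA URLs, CSP, validity periods) is not part of
# the certutil backup; export it separately so the settings can be compared on the target.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CertSvc.reg" /y

# Record which templates the Enterprise CA currently publishes, to compare after the restore.
certutil -catemplates | Out-File "$BackupDir\templates-before.txt"

Copy-Item $BackupDir '\\fileserver\cabackup' -Recurse -Force   # assumed share

# ----- On the target (2012 R2), after the role was installed as an *Enterprise* CA with the existing key -----
Import-Module ADCSAdministration
$Share    = '\\fileserver\cabackup\CABackup'
$Password = Read-Host -AsSecureString 'Password of the key backup'
Stop-Service certsvc
Restore-CARoleService -Path $Share -Password $Password -Force
Start-Service certsvc

# ----- Verification, before anyone relies on the CA -----
# 1. The type must read "Enterprise Root CA". A Standalone CA has no Certificate Templates
#    folder at all, which is one way to end up with "Element not found".
certutil -cainfo type

# 2. The published templates should match the list taken on the source.
$after = certutil -catemplates
Compare-Object (Get-Content "$Share\templates-before.txt") $after

# 3. Get-CATemplate reads the templates assigned to this CA from AD; it fails on a Standalone CA.
Get-CATemplate

# 4. The service answers RPC requests; only then test issuing from a .csr via Web Enrollment.
certutil -ping
```

Compare-Object printing nothing in step 2 means the template set survived the restore; any line it prints is a template that was lost or added.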

With bated breath, I click on Certificate Templates and... I get a list. This is already a small victory. It remains to check that issuing a certificate via the Web works. I follow the link vm_ca/certsvc, click Request a Certificate and then Advanced certificate request... I supply the .csr request and get a ready-made certificate. I exhale... The CA is restored.

Conclusions:
1) Be sure to backup and snapshot
2) Document your actions - this will help you get everything back or find an error faster

P.S. I will have to try migrating the CA from Windows 2008 R2 to Windows 2012 R2 again.

Source: habr.com
