Good afternoon, dear reader!
I will tell you about the nightmare I experienced while migrating a CA from Windows 2008 R2 to Windows 2012 R2. There are a lot of articles about this on the internet, so there shouldn't have been any problems.
Unfortunately, I'm not really a Windows admin, I'm more of a *nix admin, but the task of migrating the CA was set, so it had to be done.
Under the cut, I will tell you how I went through this process and ended up with a not quite happy ending.
So let's go ...
Initial data:
- Source - Windows 2008 R2 with Root CA
- Target - Windows 2012 R2

Windows Server 2012 R2 was already installed and minimally configured.
Initially, the action plan was as follows (shortened actions):
- Back up the CA + private key and copy the backup to a share common to both computers
- Remove the target from the domain and change the IP
- Snapshot the server
- Change the IP on the source
- Log in to the new Windows 2012 R2 server as administrator, join it to the domain with the same name and assign the old IP
- Install the Active Directory Certificate Services role (CA, CA Web Enrollment, NDES, Online Responder)
- Specify that it is an Enterprise CA
- Restore the CA + private key from the backup
- Happy end
You will agree, there is nothing complicated here. And I started the implementation. In fact, there were no problems and everything went like clockwork ... The service started, the Certificate Templates appeared and the certificates themselves appeared. In general, everything was OK. So I went to bed. In the morning there were no complaints about the CA, so I thought that everything was working and proceeded to other tasks. In the process of solving them, I needed a certificate. I created a .csr and went to vm_ca/certsvc to sign it and get a certificate, and at that point an error occurred. Unfortunately, I did not take a screenshot, but it mentioned a user information mismatch and some other errors. Well, now we're in trouble, I thought. I started to google, but unfortunately I did not find anything intelligible.
In the evening, we decided to remove the CA on Windows 2012 R2 and install everything from scratch, and then I made a mistake: instead of Enterprise CA, I chose the Standalone CA option (I found out about my mistake only later). I did all the operations again ... everything went without errors, but when I selected the Certificate Templates folder I got Element not found, although if I selected Manage, the templates were in place.
I thought that I did not have enough rights on CN=Certificate Templates, so with the help of ADSI Edit I gave Read to vm_ca$. I restarted CertSvc and ... the result: Element not found.
Then I felt sad for 2 hours at night ... and the CA does not work. I turned off the Windows 2012 R2 CA and restored the Windows 2008 R2 CA VM from the snapshot. I returned the server to AD (because when I tried to log in with a domain account, there was an error in the relationship between the server and AD).
Well, I thought ... everything will be OK now, but alas ... it was all the same: on Certificate Templates I got Element not found. I decided to leave everything until the morning, for the morning is wiser than the evening.
In the morning, after googling and reading all sorts of articles, I decided to reinstall the CA on the old server in the hope of solving the Element not found problem and the problem with issuing certificates via the Web.
The process is quite simple:
- Remove the CA role
- Reboot
- Wait for the removal process to complete
- Add the CA role (specify CA, CA Web Enrollment, NDES, Online Responder)
- Indicate that it is an Enterprise CA and that I have a private key
- Wait for the installation to complete and restore everything from the backup that was made at the very beginning
- As usual, everything goes smoothly - without errors, and the service started
With a sinking heart, I clicked on Certificate Templates and ... I got a list. This was already a small victory. It remained to verify that issuing a certificate via the Web worked. I followed the link vm_ca/certsvc, clicked Request a Certificate and then advanced certificate request ... I specified the .csr request and got the finished certificate. Vydayu ... The CA restore happened.
Findings:
- Be sure to make a backup and a snapshot
- Document your actions - this will help you get everything back or find a mistake faster.

P.S. I will have to try the CA migration from Windows 2008 R2 to Windows 2012 R2 again.
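
The two failure points in this story (a CA installed as Standalone instead of Enterprise, and Certificate Templates returning Element not found) can be checked right after a restore, before anyone needs a certificate. The script below is an added example, not part of the original post; it assumes it is saved as a .ps1 file and run from an elevated session on the CA server, and it relies only on `certutil` and the CertSvc configuration key in the registry.

```powershell
# Added example: post-restore sanity checks for a migrated Enterprise CA.
# Assumption: run elevated, locally on the CA server.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# CAType values as stored by AD CS in the CA's configuration key.
$caTypes = @{
    0 = 'Enterprise Root CA'
    1 = 'Enterprise Subordinate CA'
    3 = 'Standalone Root CA'
    4 = 'Standalone Subordinate CA'
}
$problems = @()

# 1. The service must be running before the other checks mean anything.
$svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    $problems += 'CertSvc is not running'
}

# 2. Read the active CA and its type straight from the registry.
$caName = (Get-ItemProperty -Path $cfgRoot -ErrorAction SilentlyContinue).Active
if (-not $caName) {
    $problems += 'No active CA configured under CertSvc\Configuration'
} else {
    $caType = (Get-ItemProperty -Path "$cfgRoot\$caName").CAType
    Write-Output ("CA '{0}' is installed as: {1}" -f $caName, $caTypes[[int]$caType])
    # Only Enterprise CAs (types 0 and 1) use certificate templates.
    if (@(0, 1) -notcontains $caType) {
        $problems += 'CA is Standalone: certificate templates will not be available'
    }
}

# 3. List the templates this CA is configured to issue.
$templates = certutil -CATemplates
if ($LASTEXITCODE -ne 0) {
    $problems += "certutil -CATemplates failed with exit code $LASTEXITCODE"
} else {
    $templates | Write-Output
}

# 4. Confirm that the certificate request interface answers.
certutil -ping | Out-Null
if ($LASTEXITCODE -ne 0) { $problems += 'certutil -ping failed' }

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'All checks passed.'
```

A passing run does not replace an end-to-end test: submitting a real .csr through the Web enrollment page, as done above, is still the final check.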