How to Migrate a Windows Server 2012 R2 Certificate Authority to a New Server

Before you migrate or restore the CA on another server, it is recommended that you remove the Active Directory Certificate Services (AD CS) role from the source Windows Server 2012 R2. Removing the role also removes the CA configuration data, so the CA backup must already exist at this point. To remove the AD CS role, log on to the CA as a domain administrator.

Run PowerShell as an administrator, type “Remove-WindowsFeature Adcs-Cert-Authority” and press Enter.

To restore or migrate the CA, it must be reinstalled on a server with the same computer name as the original. Active Directory computer names must be unique, so you have to remove the original server from the domain and delete its computer account from AD.

Run PowerShell as an administrator and type “Remove-Computer contosoadcs1; Restart-Computer”.

Replace contosoadcs1 with the computer name of your CA and press Enter.

Log on as a domain administrator, open a PowerShell console on a domain controller and type “Remove-ADComputer -Identity contosoadcs1”.

Replace contosoadcs1 with the computer name of your CA and press Enter.
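The decommissioning steps above (remove the role, unjoin the server, delete the computer account) are irreversible, so a practitioner would wrap them with a few checks. The following is an added example, not code from the original article; it assumes a backup folder of C:\CAbackup and the placeholder computer name contosoadcs1, and relies on the fact that Remove-Computer disables the computer account in AD when the server leaves the domain.

```powershell
# Added example, not code from the original article. Wraps the article's
# decommissioning steps in two functions with the checks a practitioner wants
# before an irreversible change. All names are assumed placeholders.

function Invoke-SourceCADecommission {
    # Run this on the source CA as a domain administrator.
    param(
        [string]$BackupPath = 'C:\CAbackup'   # assumed location of the CA backup
    )

    # Removing the role deletes the CA configuration, so refuse to proceed
    # unless a backed-up CA certificate (.p12) is already present.
    $backups = Get-ChildItem -Path $BackupPath -Filter '*.p12' -ErrorAction SilentlyContinue
    if (-not $backups) {
        throw "No .p12 backup found under $BackupPath. Back up the CA before removing the role."
    }

    # Stop the CA service before removing the role; ignore it if it is not present.
    Stop-Service -Name CertSvc -ErrorAction SilentlyContinue

    $feature = Get-WindowsFeature -Name Adcs-Cert-Authority
    if ($feature.Installed) {
        Remove-WindowsFeature -Name Adcs-Cert-Authority | Out-Null
    }

    # Leave the domain and restart. The credential is prompted for, not stored in the script.
    $cred = Get-Credential -Message 'Domain administrator account used to unjoin'
    Remove-Computer -UnjoinDomainCredential $cred -Force -Restart
}

function Remove-SourceCAAccount {
    # Run this on a domain controller (or a machine with RSAT) as a domain
    # administrator after the source server has left the domain.
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName   # e.g. 'contosoadcs1'
    )
    Import-Module ActiveDirectory

    $account = Get-ADComputer -Filter "Name -eq '$ComputerName'"
    if (-not $account) {
        Write-Output "No computer account named $ComputerName exists; nothing to remove."
        return
    }
    if ($account.Enabled) {
        # Unjoining disables the account. An enabled account means the server
        # may still be joined, so stop rather than delete it blindly.
        throw "Computer account $ComputerName is still enabled. Confirm the server has left the domain first."
    }
    Remove-ADComputer -Identity $account -Confirm:$false
    Write-Output "Removed computer account $ComputerName."
}

# Usage (each function on the appropriate machine):
#   Invoke-SourceCADecommission -BackupPath 'C:\CAbackup'
#   Remove-SourceCAAccount -ComputerName 'contosoadcs1'
```

The enabled-account check is the useful part: if the account is still enabled when you reach the domain controller, the unjoin did not complete and deleting the account would only add to the cleanup later.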

Before you install the AD CS role, the new machine must be renamed and joined to the AD domain, and the backup files created in the previous steps must be copied to it. Log on to the new Windows Server 2012 R2 as a local administrator.

Run PowerShell as an administrator and, in the console, type “Rename-Computer contosoadcs1”.

Replace contosoadcs1 with the server name and press Enter.

Type “Restart-Computer” and press Enter to restart the server. After the restart, open the PowerShell console again and type “Add-Computer -DomainName ad.contoso.com”.

Replace ad.contoso.com with your AD domain name and press Enter. When prompted, enter the user name and password of a domain administrator.

Type “Restart-Computer” and press Enter to restart the server so that the change takes effect.

Now that the computer has been renamed and joined to the domain, the AD CS role can be installed. Log on to the Windows Server 2012 R2 with a domain administrator account. Run PowerShell as an administrator and, in the console, type “Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools” and press Enter.

When the AD CS role has been installed, type “Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CertFile “C:\CAbackup\AD-CONTOSOADCS1-CA.p12” -CertFilePassword (Read-Host “Set user password” -AsSecureString)” and press Enter. When prompted, type the password for the file and confirm that you want to configure the CA.

This command installs an Enterprise Root CA with all the default settings and uses the certificate and private key backed up from the source CA.

Change “C:\CAbackup\AD-CONTOSOADCS1-CA.p12” to the path and file name of your backed-up certificate; the Read-Host prompt is where you enter the password for the .p12 file.
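The reinstallation step above silently assumes several things: the server already carries the old CA's name, it is joined to the domain, and the .p12 file is the right one and opens with the password you type. The following is an added example, not code from the original article, that verifies those assumptions before touching the role; it assumes the placeholder names contosoadcs1, ad.contoso.com, AD-CONTOSOADCS1-CA and the backup path C:\CAbackup\AD-CONTOSOADCS1-CA.p12, and the optional cross-check against the CA certificate published in the Configuration partition needs the ActiveDirectory module on the server.

```powershell
# Added example, not code from the original article. Runs the article's
# reinstallation step only after verifying what that step assumes. Run as a
# domain administrator on the new server. All names are assumed placeholders.

function Restore-EnterpriseRootCA {
    param(
        [string]$ExpectedComputerName = 'contosoadcs1',                       # assumed
        [string]$DomainName           = 'ad.contoso.com',                     # assumed
        [string]$CAName               = 'AD-CONTOSOADCS1-CA',                 # assumed CA common name
        [string]$CertFile             = 'C:\CAbackup\AD-CONTOSOADCS1-CA.p12'  # assumed backup path
    )

    # 1. Name and domain membership must match the source CA.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.Name -ne $ExpectedComputerName) {
        throw "Computer is named '$($cs.Name)', expected '$ExpectedComputerName'. Rename it and restart first."
    }
    if (-not $cs.PartOfDomain -or $cs.Domain -ne $DomainName) {
        throw "Computer is not joined to $DomainName (current domain: '$($cs.Domain)')."
    }

    # 2. The backup must exist and open with the password before the role is touched.
    if (-not (Test-Path -Path $CertFile -PathType Leaf)) {
        throw "Backup certificate not found at $CertFile."
    }
    $password = Read-Host -Prompt "Password for $CertFile" -AsSecureString
    try {
        $flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
        $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList $CertFile, $password, $flags
    } catch {
        throw "Could not open $CertFile with the supplied password: $($_.Exception.Message)"
    }

    # 3. An Enterprise Root CA needs a self-signed certificate with its private key,
    #    and the subject must be the CA name the domain already knows.
    if (-not $caCert.HasPrivateKey) { throw 'The .p12 file contains no private key.' }
    if ($caCert.Subject -ne $caCert.Issuer) { throw 'The certificate is not self-signed; this is not a root CA certificate.' }
    if ($caCert.Subject -notmatch "^CN=$([regex]::Escape($CAName))(,|$)") {
        throw "Certificate subject '$($caCert.Subject)' does not start with CN=$CAName."
    }

    # 4. Optional cross-check against the CA certificate published in AD under
    #    CN=<CAName>,CN=Certification Authorities,CN=Public Key Services,CN=Services,<Configuration NC>.
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        $configNC = (Get-ADRootDSE).configurationNamingContext
        $dn = "CN=$CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNC"
        try   { $obj = Get-ADObject -Identity $dn -Properties cACertificate -ErrorAction Stop }
        catch { $obj = $null }
        if ($obj) {
            $published = $obj.cACertificate | ForEach-Object {
                (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$_)).Thumbprint
            }
            if ($published -notcontains $caCert.Thumbprint) {
                throw "Thumbprint $($caCert.Thumbprint) is not among the CA certificates published in AD for $CAName."
            }
        }
    }

    # 5. Checks passed: install the role and configure the CA from the backup,
    #    as in the article. -Force suppresses the interactive confirmation.
    Add-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools | Out-Null
    Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CertFile $CertFile `
        -CertFilePassword $password -Force | Out-Null

    # 6. Confirm the CA service is running with the restored certificate.
    $svc       = Get-Service -Name CertSvc
    $installed = Get-ChildItem -Path Cert:\LocalMachine\My |
                 Where-Object { $_.Thumbprint -eq $caCert.Thumbprint }
    [pscustomobject]@{
        CAName             = $CAName
        Thumbprint         = $caCert.Thumbprint
        ServiceStatus      = $svc.Status
        CertInMachineStore = [bool]$installed
    }
}

# Usage:
#   Restore-EnterpriseRootCA -CAName 'AD-CONTOSOADCS1-CA' -CertFile 'C:\CAbackup\AD-CONTOSOADCS1-CA.p12'
```

The thumbprint comparison in step 4 is what tells you the file really is the certificate the domain already trusts: a .p12 that opens fine but carries a different key would otherwise configure a CA that no domain member recognises, and the mismatch would only surface when enrollment fails.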

Muhammad Imran Habib

Imran is a technology evangelist with 8 years of experience working with some of the industry-leading companies. Imran's expertise includes on-premises and virtual infrastructure deployments, IT solutions for SMEs, and end-user computing support.
