Migrating Root Certificate Authority from Windows 2008 R2 DC to another Windows 2008 R2 DC

Migrating Root Certificate Authority from Windows 2008 R2 DC to another Windows 2008 R2 DC

This article provides guidance for migrating a Root certificate authority (CA) from a windows 2008 R2 Domain Controller to another Windows Server 2008 R2 Domain controller.


  1. Backup CA database and private key
  2. Removing the CA role from the source machine
  3. Installing CA role in destination machine using backed up private key
  4. Restoring CA database
  5. Configuring Type 2 Certificate Template
  6. Configuring Autoenrollment

NOTE: Source and destination machine names can be different, but the CA name must remain same.

 Backup Certificate Authority database and private key:

You can back up the CA database and private key by using the Certification Authority snap-in or by using Certutil.exe at a command prompt. 1. These are issued certificates-


2. We will be backing up CA database using CA snap-in

  1. Select Private Key and CA certificate along with CA database and logs


  1. You need to secure the private key  using password


  1. After completing backup steps, the Active Directory Certificate Services service (Certsvc) should be stopped to prevent issuance of additional certificates. Before adding the CA role service to the destination server, the CA role service should be removed from the source server.


Removing CA Role from Source Machine:

It is important to remove the Certificate Authority (CA) role service from the source server after completing backup procedures and before installing the Certificate Authority (CA) role service on the destination server. Enterprise CAs and standalone CAs that are domain members store in Active Directory Domain Services (AD DS) configuration data that is associated with the common name of the CA. Removing the CA role service also removes the CA’s configuration data from AD DS. Because the source CA and destination CA share the same common name, removing the CA role service from the source server after installing the CA role service on the destination server removes configuration data that is required by destination CA and interferes with its operation.

  1. Remove the role from server manager wizard

  1. Restart the machine to complete the removal

Note: Copy the CA Backup folder to the destination computer

Install Certificate Authority (CA) Role on the Destination Domain Controller:

  1. Install the CA Role from Server Manager 2. Select Enterprise >> click Next >> ROOT CA 3. Select Use existing Private Key along with Select a certificate and use associated private key



4. Import the certificate file (PFX) from the backup folder and enter credentials you used earlier to secure the file.



5. Select default settings and install the Role


  1. After Installation please verify the ROOT certificate must get imported into the computer’s certificate store along with its private key.


Restoring the CA database and configuration on the destination server

  1. Log on to the destination server by using an account that is a CA administrator.
  2. Start the Certificate Authority snap-in.
  3. Right-click the node with the CA name, point to All Tasks, and then click Restore CA.
  4. On the Welcome page, click Next.
  5. On the Items to Restore page, select Certificate database and certificate database log.
  6. Click Browse. Navigate to the parent folder that holds the Database folder (the folder that contains the CA database files created during the CA database backup).                          (Note: Do not select the Database folder. Select its parent folder)
  7. Click Next and then click Finish.
  8. Click Yes to start the CA service (certsvc).
  9. Verify all the settings are restored.


NOTE: We won’t be using the CDP and AIA path of source server, CDP and AIA publishing path will point to the current server (restored server) automatically, as variable is used to calculate the server name. All the certificates issued onwards will be having CRLs published to restored server’s LDAP location.


Following is the certificate issued by source server (DC01) having CRL publishing location set to source server. We need to override the issued certificates from source server with the new certificates issued by destination (restored) server. We need to configure auto enrollment on TYPE 2 certificate for the templates which were used by source CA.



Configuring Type 2 Certificate template:

Following are the original templates used by source Certificate Authority (CA) and we need to create Type-2 certificate templates (also known as duplicate templates) in order to supersede the original templates.


Configuring Type 2 Templates:

  1. Right Click Certificate Templates >> Manage
  2. Right Click the Template and Click Duplicate Template


3. Select Windows server 2008 template, as we don’t have any issuing CA running earlier version OS.

4. Rename the Duplicate Template

5. Click Superseded Templates and Add original template

6. Select Auto Enrollment for Domain Users

7. Click OK and close the Certificate Template window.

8. Issue the created template in Certificate Authority (CA)


9. Configure Auto Enrollment in Group Policy for Users with following settings

10. Click OK.

11. When User policy will be updated existing certificate of user will get superseded by new certificate having new CRL location pointing to new CA.


12. Similarly we can replace other Computer and Domain Controller certificate Templates.

Hope you enjoyed the article!!

Stay Tuned for other exciting articles!

Leave a comment

Your email address will not be published. Required fields are marked *