This document contains instructions for extending the Windows Server 2012 Base Configuration Test Lab Guide (TLG) to include an offline root certification authority and to install an online enterprise subordinate certification authority on the computer APP1 from the Base Configuration TLG. In this guide you will deploy a two-tier PKI hierarchy, configure a certificate revocation list (CRL) distribution point (CDP), automatically deploy certificates to the domain, and use a certificate to enable Secure Sockets Layer (SSL) communication with the APP1 web site.
Hello Daisy Zhou - does this procedure- -cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx apply to Active Directory 2012 and 2016 functional levels as well? The reason I ask is that it is an older article based on 2008 R2 technology. Thanks in advance for your answer.
Hello. I was following your steps for installing the Cisco WLC and setting up the different roles and services. Are some of your procedures for Windows 2008 R2? I ask because I have Windows 2008 Standard and I cannot get to the same screens.
Thank you for your reply. Thank you for your patience and please forgive me for not having your level of expertise. Which preferred certificate should I click on? I have uninstalled and tried your procedure from scratch and keep getting to the same impasse. I have a screenshot of what I am talking about on my open posted question on Experts-Exchange.com. It is frustrating to know that the answer is right in front of me and I cannot see it. I am using Windows 2008 Standard 64 bit. Thank you for your assistance.
I have something similar to this but I wanted to see if someone can comment on this: I have a CA server on an old 2008 R2 enterprise domain controller which I want to retire. I also have two additional ones: one is 2012 R2 and the other one is a 2016. All roles are managed by the 2012 DC. Is it advisable to just install CA services on both 2012 and 2016 DCs and retire the 2008 DC, or do I need to migrate the DB from the 2008 into one of the other two domain controllers?
I am having the same idea as Bhav. I have a 2008 DC with the CA role installed. I want to take the CA role out and put it on a 2019 server with a different hostname. Could you tell me how to change the server name in the registry backup?
Hi Pete, this is a great article. Thank you for replying to all the guys. I have a question regarding migration from CA 2008 R2 to 2016. After we remove the CA role from the 2008 R2 DC and install it on 2016, we want to keep the old server as a DC for maybe a few weeks after the migration. Is it necessary to power off the server after the CA migration, or can we simply keep it running without the CA role and acting as a backup DC? Appreciated.
Certificate Services is installed by default in SBS 2008/2011, and it is unlikely to be required moving forward. 99% of the time, you can safely remove this role with no ill effects. If there are no active certificates or pending requests, you should be good to go. However, it is good practice to follow the proper procedure to back up the Certificate Authority in case it needs to be resurrected in the future on a new server. To back up the database and certificate key, open a command prompt (as Administrator) and perform the following:
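The backup described above, written out as an added PowerShell example (not the original page's commands) for an elevated prompt on the CA host; the backup path `C:\CABackup` is an assumed value, and a restore on a new host will still need the old hostname (CAServerName) corrected in the exported registry data:

```powershell
# Added example: back up an AD CS CA (database, CA cert + private key, registry config)
# before removing the role. $BackupRoot is an assumed path; move the result off the
# server being retired once the backup completes.
$BackupRoot = 'C:\CABackup'
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
$Dest       = Join-Path $BackupRoot $Stamp
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# Database plus CA certificate and private key as a PFX. certutil prompts for the PFX
# password; -p would pass it on the command line but leaves it in the shell history.
certutil -backup $Dest

# The CA configuration (CA-name subkey, CSP values, CDP/AIA settings) lives here.
# The exported CAServerName value still names the old host and must be edited on restore.
$RegKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
reg.exe export $RegKey (Join-Path $Dest 'CertSvc-Configuration.reg') /y

# Enterprise CAs only: record the published templates so they can be re-published later.
certutil -catemplates | Out-File (Join-Path $Dest 'CATemplates.txt')

# Sanity check: expect the .p12, the DataBase folder and the .reg file.
Get-ChildItem -Path $Dest -Recurse | Select-Object FullName, Length
```

Keep the PFX password with the same care as the CA key itself; the PFX is the root of trust for every certificate the CA has issued.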
In this example we are using AD FS 2.0 on Windows Server 2008 R2. On Windows Server 2012 the steps are the same except for the installation, because there you install the AD FS role via Server Manager rather than via the separate installation package used on Windows Server 2008 R2.
[For Microsoft Windows 2008R2/7] Make sure that you have SHA-2 code signing support installed. Normally, this component is included in Microsoft Windows updates. For more information, see Microsoft Docs.
Paul, I have a unique problem. Azure AD Connect was installed on a 2008 R2 server. I recently did an in-place upgrade on the 2008 R2 server. After doing so the Azure AD Connect still runs and functions, but I am unable to access any of the configuration files or open the Azure AD Connect application.
Moving forward, we want to go to our certification authority and make sure it is installed on a Windows version that supports CNG (Windows Server 2008 or later). Knowing that CNG capabilities exist in the box is not enough, however: we still need to check whether the certification authority is actually using the new key storage providers (KSP) or is still using a legacy cryptographic service provider (CSP).
Say for example you have a root CA running Windows 2003, and you want to migrate it to the Windows 2008 R2 operating system. You can easily back up the CA private key, database, and registry configuration, format the box with Windows 2008 R2, and start installing a new certification authority on it. During the installation, you will be asked whether you want to create a new key pair or use an existing one. You would choose to use the existing one, of course. Windows 2008 R2 will detect that the keys from your backup were generated using a legacy CSP, so Windows 2008 R2 will use the same legacy CSP to host your CA private key. Hence, you will be running Windows 2008 R2, which can use a KSP, but the CA will still be using the legacy CSP.
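To perform the check the two paragraphs above call for (is the CA key hosted by a legacy CSP or a CNG KSP?), here is an added PowerShell example, not code from the original page; it reads the CA's CSP registry values on the CA host and cross-checks them against the provider recorded on the CA certificate, and the CA name is taken from the registry rather than assumed:

```powershell
# Added example: report whether an AD CS CA's private key lives in a legacy CryptoAPI
# CSP or a CNG key storage provider (KSP). Run on the CA host in an elevated prompt.
$Base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CAName = (Get-ItemProperty -Path $Base -Name Active).Active
$Csp    = Get-ItemProperty -Path (Join-Path $Base "$CAName\CSP")

# Legacy providers are named "... Cryptographic Provider" (e.g. Microsoft Strong
# Cryptographic Provider); CNG providers are named "... Key Storage Provider".
# CNGPublicKeyAlgorithm / CNGHashAlgorithm are only populated when a KSP is in use,
# which is exactly the case a migrated legacy key will fail to show.
$IsKsp = $Csp.Provider -match 'Key Storage Provider'

[pscustomobject]@{
    CA                    = $CAName
    Provider              = $Csp.Provider
    KeyStorage            = if ($IsKsp) { 'CNG KSP' } else { 'Legacy CSP (CryptoAPI)' }
    # Legacy CSP: numeric CALG_* id, 0x8004 = SHA-1, 0x800C = SHA-256
    HashAlgorithm         = $Csp.HashAlgorithm
    # KSP: algorithm names, e.g. RSA / SHA256
    CNGPublicKeyAlgorithm = $Csp.CNGPublicKeyAlgorithm
    CNGHashAlgorithm      = $Csp.CNGHashAlgorithm
}

# The provider bound to the key in the CA certificate is authoritative; it should agree
# with the registry. A mismatch means the registry was edited without re-keying the CA.
certutil -store my $CAName | Select-String 'Provider'
```

A CA that reports a legacy CSP after a migration is the situation the paragraph describes: to benefit from CNG (and from SHA-2 signing without the legacy provider's limits) the CA must be re-keyed into a KSP, not merely moved to a newer OS.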