CA server name is not the same as the FQDN of the server hosting the CA. Default common name naming scheme in ADCS is <Domain Name>-<CAHostname>-C . For example, Contoso-w2k12r2-CA (CA server name) Contoso is the internal domain name, CA host name is w2k12r2 .

The server new server hostname does not have to have the same name as the old server.

Old Windows 2012 R2 server : W2K12R2-CA
New Windows Server 2019 : W2K19-CA

Step 1: Backup CA database and configuration from W2K12R2-CA

1. Login to Navigate to Server Manager -> AD CS
2. Right click on the CA server name ->All Tasks-> Backup CA

3. The backup wizard will open
4. Select both the check boxes and provide the backup path for the file to be stored and click Next

5. Provide a password to protect the private key and CA certificate file and click Next to continue

6. Click Finish to complete the process

Step 2: Backup CA registry settings

1. Run “regedit” to go to registry settings
2. Navigate to the registry key  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc and right click on the Configuration key and click Export

3. Provide the file name and save the back up file

You should now have the backup of the files.

Step 3: Uninstall CA service from W2K12R2-CA

1. Go to the Server Manager on W2K12R2-CA -> Manager->Remove Roles and Services and Click Next
2. Remove all the CA roles first otherwise if you try removing ADCS it will error out

3. After removing the CA roles, then launch the wizard again and select “Active Directory Certificate Service”-> A dialog box will pop-up, select “Remove Features”-> Next

4. Restart the server to finish the uninstall

Step 4: Install CA on Windows Server 2019: W2K19-CA

1. Login to W2K19-CA and navigate to Server Manager->Add Roles and Features and Click Next->Next

2. Select Active Directory Certificate Servers, click in the pop up window to acknowledge the required features that are need to be added and click Next.

3. On the Role Services page, select Certificate Authority and Certificate Authority Web Enrollment, click in the pop up window to accept the required features that are needed to be added and click Next to continue

4. Review the brief description about IIS and click next to continue

5. Leave the default and click Next

6. Click Install to begin installation process

7. Close the wizard once it is complete

Step 5: Configure AD CS

1. Navigate to Server Manger -> AD CS
2. Click on the warning icon on the top right hand corner and Choose “Configure Active Directory Certificate Services-> Click Next

3. In the Role Configuration wizard, ensure the proper credential for Enterprise Admin is show and click Next

4. Select Certificate Authority and Certification Authority Web Enrollment and click Next

5. Make sure to select Enterprise CA is selected and click Next

6. Select Root CA as the CA type and click next to continue
7. Select Use existing private key and select a certificate and use its associated private key and click Next

8. Click Import in the AD CS Configuration window
9. Select the key backup during the backup process from W2K12R2-CA. Browse and select the key from the backup we made earlier and provide the password we used for protection and click OK.

10. With the key successfully imported and select the imported certificate and click next to continue

11. Leave the default certificate database path and click next to continue

12. Click on Configure to proceed with the configuration process

13. Close the configuration wizard once complete

Step 6: Restore CA Backup

1. Navigate to Server Manager-> Tools -> Certificate Authority
2. Right click on server node -> All Tasks -> Restore CA

3. A windows will pop up confirming to stop Active Directory Certificate Services and click OK

4. Click Next to start Certificate Authority Restore Wizard

5. Click both check boxes to restore and provide the backup path for the file to be restored from

6. Provide the password used to protect private key during the backup process and click Next

7. Click Finish to complete the restore process
8. Click “Yes” to restore Active Directory Certificate Services

Step 7: Restore Registry Value
If the new server has different hostname in our case it is W2K19-CA, we need to open up the backed up registry file in notepad and change the CAServerName entry to reflect the name of new server W2K19-CA and save

1. Navigate to the registry file, right click -> Merge -> Yes ->OK

Step 8: Reissue Certificate Template

1. Under Server Manager, navigate to Tools > Certification Authority
2. Right click on Certificate Templates Folder > New > Certificate Template to Reissue

3. From the certificate templates list click on the appropriate certificate template and click OK