At the latest within the scope of the End of product support by the manufacturer (Microsoft) The question arises as to whether the Certification Authority should be Migration to another server to an up-to-date operating system, or performs an in-place upgrade. The latter process is described below.
Support for Windows Server 2008 SP2 and Windows Server 2008 R2 expires on January 14, 2020. (see article "End of product support by the manufacturer (Microsoft)") If any problems occur during the migration, there is usually no support available from Microsoft.
Instead of an in-place upgrade, it is strongly recommended to migrate the certificate authority to another server with a current operating system. See article "Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server„.
Downgrading a Windows edition, e.g. from Windows Server Datacenter to Windows Server Standard, is not supported.
If a hardware security module (HSM) is used, it must be clarified with the manufacturer of the HSM whether its key storage provider (KSP) supports the new operating system before the in-place upgrade is performed. In addition to updating the key storage provider, it may also be necessary to update the firmware of the hardware security module.
Preparatory work
- Ensure that the Zeil hardware (physical or virtual) supports the installation of the new operating system.
- Provision of the license key for the new operating system. During the upgrade, the license key for the target operating system is required.
- Providing the installation disc of the new operating system
- Ensure physical access to the server or virtual machine configuration and console.
- Install all Windows updates for the current operating system.
- Putting the certification authority into maintenance mode. See article "Putting an Active Directory integrated certification authority (Enterprise Certification Authority) into maintenance mode„.
- Publish a blacklist. See article "Create and publish a certificate revocation list„.
- Performing an emergency blacklist signing. See article "Perform emergency signing of certificate revocation lists„.
- Create a current backup of the Certification Authority. See article "Create a backup of a certification authority„.
Implementation of the upgrade
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
After the data medium for the new operating system has been inserted, the installation can be started.
Usually, server systems do not have an Internet connection anyway, so the option to download updates can be deselected here. However, please note that in this case the server will start up again without security updates. This will result in the remote desktop connection from a current client no longer working, since the update for the security vulnerability CVE-2018-0866 has not yet been installed.
In the next dialog the product key must be entered. Please note that the license key must match the Windows edition. If the old operating system was a Standard Edition, the new system must also be a Standard Edition.
Since certification authorities are usually installed with a graphical interface, the "Desktop Experience" option should be selected in the next dialog.
In the next dialog the license conditions are accepted in order to continue.
In the next dialog, the option "Upgrade: Install Windows and keep files, settings, and applications" must be selected so that the certification authority installation is retained. If only the option "Custom: Install Windows only (advanced)" can be selected here, either the operating system language or the operating system edition does not match.
A compatibility report is then displayed. For a certification authority, there should be no peculiarities here, so that you can continue.
This is followed by the installation of the new operating system. The server will reboot several times before it can be used again with the new operating system.
Problem solving
The server does not start after the upgrade and throws error message
0x000000C4
Windows Server 2012 and later require that the No Execute (NX) or Execute Disable (XD) bit is supported. For example, if VMWare ESXi is used for virtualization, the bit may not be passed to the guest system. In this case, the virtual machine configuration must be adjusted.
Whether the CPU supports the NX bit can be checked in advance with the Coreinfo tool from Sysinternals.
Remote desktop connection no longer possible after in-place upgrade
Most likely, remote desktop connection to the server will not be possible after the in-place upgrade. For the reason and solution see article "Remote desktop connection no longer possible after in-place upgrade of Windows Server operating system„.
Rework
- Activate Windows, if required. After the upgrade, the server may still need to be connected to a KMS server, or the operating system may need to be activated.
- Install current Windows updates. The server starts without security updates, so they must be installed immediately.
- If you have upgraded from a certificate authority that was running on Windows Server 2008 R2 or older, you may want to adjust the serial number generation for issued certificates to the new standard. For more information, see the article "How is the serial number of a certificate formed?„.
- Perform functional test for the Certification Authority. See article "Perform functional test for a Certification Authority„.
- Create current backup. See article "Create a backup of a certification authority„.
Related links:
- Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server
- In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2008 R2
- In-Place Upgrade of a Certification Authority from Windows Server 2008 R2 to Windows Server 2012 R2
- In-Place Upgrade of a Certification Authority from Windows Server 2012 SP2 or 2012 R2 to Windows Server 2016
External sources
- Windows Server 2012 upgrade may fail with error 0x000000C4 (Microsoft)
- CredSSP updates for CVE-2018-0886 (Microsoft)
6 thoughts on “In-Place Upgrade einer Zertifizierungsstelle von Windows Server 2008 SP2 zu Windows Server 2012”
Comments are closed.