In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2012

At the latest within the scope of the End of product support by the manufacturer (Microsoft) The question arises as to whether the Certification Authority should be Migration to another server to an up-to-date operating system, or performs an in-place upgrade. The latter process is described below.

Support for Windows Server 2008 SP2 and Windows Server 2008 R2 expires on January 14, 2020. (see article "End of product support by the manufacturer (Microsoft)") If any problems occur during the migration, there is usually no support available from Microsoft.

Instead of an in-place upgrade, it is strongly recommended to migrate the certificate authority to another server with a current operating system. See article "Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server„.

Downgrading a Windows edition, e.g. from Windows Server Datacenter to Windows Server Standard, is not supported.

If a hardware security module (HSM) is used, it must be clarified with the manufacturer of the HSM whether its key storage provider (KSP) supports the new operating system before the in-place upgrade is performed. In addition to updating the key storage provider, it may also be necessary to update the firmware of the hardware security module.

Preparatory work

Implementation of the upgrade

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

After the data medium for the new operating system has been inserted, the installation can be started.

Usually, server systems do not have an Internet connection anyway, so the option to download updates can be deselected here. However, please note that in this case the server will start up again without security updates. This will result in the remote desktop connection from a current client no longer working, since the update for the security vulnerability CVE-2018-0866 has not yet been installed.

In the next dialog the product key must be entered. Please note that the license key must match the Windows edition. If the old operating system was a Standard Edition, the new system must also be a Standard Edition.

Since certification authorities are usually installed with a graphical interface, the "Desktop Experience" option should be selected in the next dialog.

In the next dialog the license conditions are accepted in order to continue.

In the next dialog, the option "Upgrade: Install Windows and keep files, settings, and applications" must be selected so that the certification authority installation is retained. If only the option "Custom: Install Windows only (advanced)" can be selected here, either the operating system language or the operating system edition does not match.

A compatibility report is then displayed. For a certification authority, there should be no peculiarities here, so that you can continue.

This is followed by the installation of the new operating system. The server will reboot several times before it can be used again with the new operating system.

Problem solving

The server does not start after the upgrade and throws error message
0x000000C4

Windows Server 2012 and later require that the No Execute (NX) or Execute Disable (XD) bit is supported. For example, if VMWare ESXi is used for virtualization, the bit may not be passed to the guest system. In this case, the virtual machine configuration must be adjusted.

Whether the CPU supports the NX bit can be checked in advance with the Coreinfo tool from Sysinternals.

Remote desktop connection no longer possible after in-place upgrade

Most likely, remote desktop connection to the server will not be possible after the in-place upgrade. For the reason and solution see article "Remote desktop connection no longer possible after in-place upgrade of Windows Server operating system„.

Rework

  • Activate Windows, if required. After the upgrade, the server may still need to be connected to a KMS server, or the operating system may need to be activated.
  • Install current Windows updates. The server starts without security updates, so they must be installed immediately.
  • If you have upgraded from a certificate authority that was running on Windows Server 2008 R2 or older, you may want to adjust the serial number generation for issued certificates to the new standard. For more information, see the article "How is the serial number of a certificate formed?„.
  • Perform functional test for the Certification Authority. See article "Perform functional test for a Certification Authority„.
  • Create current backup. See article "Create a backup of a certification authority„.

Related links:

External sources

en_USEnglish