At the latest when the manufacturer (Microsoft) ends product support, the question arises whether the certification authority should be migrated to another server with an up-to-date operating system, or whether an in-place upgrade should be performed. The latter process is described below.
Instead of an in-place upgrade, it is strongly recommended to migrate the certification authority to another server with a current operating system. See the article "Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server".
If a hardware security module (HSM) is used, it must be clarified with the manufacturer of the HSM whether its key storage provider (KSP) supports the new operating system before the in-place upgrade is performed. In addition to updating the key storage provider, it may also be necessary to update the firmware of the hardware security module.
Downgrading a Windows edition, e.g. from Windows Server Datacenter to Windows Server Standard, is not supported.
According to Microsoft's official documentation on in-place upgrades, a direct upgrade from Windows Server 2012 to 2019 is not supported. It is technically possible, because the installation wizard does not block this combination, but it is not recommended for production systems.
Preparatory work
- Ensure that the target hardware (physical or virtual) supports the installation of the new operating system.
- Provide the license key for the new operating system; it is required during the upgrade.
- Provide the installation medium of the new operating system.
- Ensure physical access to the server or virtual machine configuration and console.
- Install all Windows updates for the current operating system.
- Put the certification authority into maintenance mode. See the article "Putting an Active Directory integrated certification authority (Enterprise Certification Authority) into maintenance mode".
- Publish a certificate revocation list (CRL). See the article "Create and publish a certificate revocation list".
- Perform an emergency signing of the certificate revocation lists. See the article "Perform emergency signing of certificate revocation lists".
- Create a current backup of the certification authority. See the article "Create a backup of a certification authority".
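The following PowerShell script is an added example and not part of the original article; it automates the checks from the preparatory list that can be verified on the CA itself (edition match with the medium, medium age, key storage provider in use, pending updates, CRL publication and backup). It assumes an elevated session on the CA, the installation medium mounted as D:, the DISM and ADCSAdministration modules that ship with Windows Server 2012 R2/2016, and a constructed backup path. Putting the CA into maintenance mode and the emergency CRL signing are described in the linked articles and are not scripted here.

```powershell
# Added example (not from the original article): pre-upgrade checks for an
# Active Directory integrated CA before an in-place upgrade to Windows Server 2019.
# Assumptions: elevated PowerShell on the CA itself, installation medium on D:,
# DISM and ADCSAdministration modules available.
#Requires -RunAsAdministrator

$mediumImage  = 'D:\sources\install.wim'   # assumption: some media ship install.esd instead
$backupPath   = 'C:\CA-Backup'             # constructed example path
$mediumCutoff = Get-Date '2020-08-01'      # media older than this carry the SET_PRODUCT_KEY bug
$findings     = @()

# 1. Edition check: the medium must offer the installed edition, otherwise only
#    "Nothing" is selectable in "Choose what to keep" (edition downgrade is unsupported).
$installedEdition = (Get-WindowsEdition -Online).Edition
$offeredEditions  = Get-WindowsImage -ImagePath $mediumImage |
    ForEach-Object { (Get-WindowsImage -ImagePath $mediumImage -Index $_.ImageIndex).EditionId } |
    Sort-Object -Unique
if ($offeredEditions -notcontains $installedEdition) {
    $findings += "Installed edition '$installedEdition' is not on the medium (offers: $($offeredEditions -join ', '))."
}

# 2. Medium age (heuristic): the file time of install.wim should be August 2020 or later.
$mediumDate = (Get-Item $mediumImage).LastWriteTime
if ($mediumDate -lt $mediumCutoff) {
    $findings += "Medium dated $($mediumDate.ToShortDateString()) predates August 2020; expect the SET_PRODUCT_KEY abort."
}

# 3. Key storage provider: anything other than the Microsoft software KSP points to an
#    HSM whose vendor must confirm KSP and firmware support for the target OS.
$providerLine = certutil -getreg ca\CSP\Provider | Select-String 'REG_SZ\s*=\s*(.+)$' | Select-Object -First 1
$provider     = if ($providerLine) { $providerLine.Matches[0].Groups[1].Value.Trim() } else { 'unknown' }
if ($provider -notlike 'Microsoft*') {
    $findings += "CA key is held by '$provider'; confirm HSM support for the target OS before upgrading."
}

# 4. Pending Windows updates for the current OS (Windows Update Agent COM API;
#    reports a finding instead of failing when no update source is reachable).
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates.Count
    if ($pending -gt 0) { $findings += "$pending Windows update(s) still pending on the current OS." }
} catch {
    $findings += "Could not query Windows Update: $($_.Exception.Message)"
}

# 5. Publish a fresh CRL and confirm it landed in the local CertEnroll directory.
certutil -crl | Out-Null
if ($LASTEXITCODE -ne 0) { $findings += "certutil -crl failed with exit code $LASTEXITCODE." }
Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
    Select-Object Name, LastWriteTime | Format-Table -AutoSize

# 6. Backup: CA database plus private key (password protected) and the CA registry configuration.
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null
$backupPassword = Read-Host -AsSecureString 'Password for the exported CA key'
Backup-CARoleService -Path $backupPath -Password $backupPassword -Force
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "$backupPath\CertSvc-Configuration.reg" /y | Out-Null

# Summary: an empty list means none of the checks above found a blocker.
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'Pre-upgrade checks passed.' }
```

The medium-age test only looks at a file timestamp, so treat it as a hint and verify the download date of the ISO itself; the edition test is the one that decides whether "Keep personal files and apps" will be offered at all.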
Implementation of the upgrade
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and enables the application of rules to achieve secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.
After the data medium for the new operating system has been inserted, the installation can be started.
Server systems usually have no Internet connection anyway, so the option to download updates can be deselected here. Note, however, that in this case the server will start up again without security updates. As a result, a remote desktop connection from a current client will no longer work, because the update for the security vulnerability CVE-2018-0866 has not yet been installed.
In the next dialog the product key must be entered. Please note that the license key must match the Windows edition. If the old operating system was a Standard Edition, the new system must also be a Standard Edition.
Microsoft modified the installation wizard for Windows Server 2019 as of August 2020 so that it no longer prompts for a license key. Apparently the reason was that earlier installation wizards aborted an in-place upgrade due to an error with the license key. It is therefore preferable to use installation media from August 2020 or later, which do not have this bug.
Since certification authorities are usually installed with a graphical interface, the "Desktop Experience" option should be selected in the next dialog.
In the next dialog the license conditions are accepted in order to continue.
In the next dialog, it is essential to select the "Keep personal files and apps" option so that the certificate authority installation is retained. If only the option "Nothing" can be selected here, either the operating system language or the operating system edition does not match.
The last dialog displays a summary of the selected options and then starts the installation.
This is followed by the installation of the new operating system. The server will reboot several times before it can be used again with the new operating system.
Troubleshooting
No possibility to keep apps and files during upgrade
Downgrading the Windows edition is not supported. In this case, only the "Nothing" option is available in the "Choose what to keep" dialog. Do not continue under any circumstances; otherwise a clean installation of the operating system takes place and all existing data is deleted.
The upgrade fails with error message "The installation failed in the SAFE_OS phase with an error during SET_PRODUCT_KEY operation".
Windows Server 2019 media released before August 2020 contain a bug in the installation routine that causes the upgrade to abort with the following error:
0x80070490 0x2000E
The installation failed in the SAFE_OS phase with an error during SET_PRODUCT_KEY operation
In this case, make sure to use a medium from August 2020 or later.
Remote desktop connection no longer possible after in-place upgrade
This error should not occur if an up-to-date installation medium from August 2020 or later is used, as recommended above.
Otherwise, a remote desktop connection to the server will most likely not be possible after the in-place upgrade. For the cause and solution, see the article "Remote desktop connection no longer possible after in-place upgrade of Windows Server operating system".
Follow-up work
- Activate Windows, if required. After the upgrade, the server may still need to be connected to a KMS server, or the operating system may need to be activated.
- Install current Windows updates. The server starts without security updates, so they must be installed immediately.
- If you have upgraded a certificate authority that was running on Windows Server 2008 R2 or older, you may want to adjust the serial number generation for issued certificates to the new standard. For more information, see the article "How is the serial number of a certificate formed?".
- Perform a functional test of the certification authority. See the article "Perform functional test for a Certification Authority".
- Create a current backup. See the article "Create a backup of a certification authority".
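As an added example (not part of the original article), the following PowerShell script covers the follow-up items that can be checked on the upgraded server: activation state, installed and pending updates, the current serial number setting, a basic functional test of the CA service and its RPC interfaces, a scan for CA error events since the reboot, and a fresh backup. It assumes an elevated session on the CA with the ADCSAdministration module present; the backup path is constructed.

```powershell
# Added example (not from the original article): post-upgrade checks for the CA
# after the in-place upgrade to Windows Server 2019.
# Assumptions: elevated PowerShell on the CA, ADCSAdministration module available.
#Requires -RunAsAdministrator

$backupPath = 'C:\CA-Backup-after-upgrade'   # constructed example path
$findings   = @()

# 1. Confirm the OS actually changed and that Windows is activated (LicenseStatus 1 = licensed).
$os = Get-CimInstance Win32_OperatingSystem
Write-Host "Running: $($os.Caption) build $($os.BuildNumber)"
$license = Get-CimInstance SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL AND Name LIKE 'Windows%'"
if (-not $license -or $license.LicenseStatus -ne 1) {
    $findings += 'Windows is not activated; run slmgr.vbs /ato or connect the server to the KMS host.'
}

# 2. Security updates: the upgraded server starts without them.
$lastHotfix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
Write-Host "Most recent hotfix: $($lastHotfix.HotFixID) installed $($lastHotfix.InstalledOn)"
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates.Count
    if ($pending -gt 0) { $findings += "$pending Windows update(s) pending; install them before returning the CA to service." }
} catch {
    $findings += "Could not query Windows Update: $($_.Exception.Message)"
}

# 3. Serial number generation (relevant only after upgrades from 2008 R2 or older):
#    print the current HighSerial setting; the target value is discussed in the linked article.
certutil -getreg ca\HighSerial

# 4. Functional test: service state, ICertRequest and ICertAdmin interfaces, CA errors since boot.
$svc = Get-Service CertSvc
if ($svc.Status -ne 'Running') { $findings += "CertSvc is $($svc.Status), not Running." }
certutil -ping | Out-Null
if ($LASTEXITCODE -ne 0) { $findings += "certutil -ping (ICertRequest) failed with exit code $LASTEXITCODE." }
certutil -pingadmin | Out-Null
if ($LASTEXITCODE -ne 0) { $findings += "certutil -pingadmin (ICertAdmin) failed with exit code $LASTEXITCODE." }
$caErrors = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Level = 1, 2; StartTime = $os.LastBootUpTime
} -ErrorAction SilentlyContinue
if ($caErrors) {
    # Get-WinEvent returns newest first, so the last element is the earliest error after the reboot.
    $findings += "$($caErrors.Count) CA error event(s) since last boot; earliest: $($caErrors[-1].Message)"
}

# 5. Fresh backup of the upgraded CA: database, password-protected key, registry configuration.
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null
$backupPassword = Read-Host -AsSecureString 'Password for the exported CA key'
Backup-CARoleService -Path $backupPath -Password $backupPassword -Force
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "$backupPath\CertSvc-Configuration.reg" /y | Out-Null

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'Post-upgrade checks passed.' }
```

The two certutil pings only prove that the CA answers RPC calls from the local machine; the full functional test in the linked article (requesting and revoking a certificate from a client) should still be carried out before the CA leaves maintenance mode.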
Related links:
- Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server
- In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2008 R2
- In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2012
- In-Place Upgrade of a Certification Authority from Windows Server 2008 R2 to Windows Server 2012 R2
2 thoughts on "In-Place Upgrade of a Certification Authority from Windows Server 2012 R2 or 2016 to Windows Server 2019"