U-Tools: Unique Tools for Windows System Administrators
U-Move Help

Moving the Certificate Services Database

What is Certificate Services?

Note: Microsoft uses the term Certificate Services (CS) on Windows Server 2008, and it uses the term Active Directory Certificate Services (AD CS) on Windows Server 2012 and 2016. This document uses the term Certificate Services for both CS and AD CS.

A certificate server (sometimes called a Certificate Authority or CA) generates public key certificates for installation on secure web servers. A secure web server presents its certificate to visiting web browsers to prove the identity of the web server to the satisfaction of web browser. Certificates are used to encrypt the Secure Socket Layer (SSL) network protocol or the Transport Layer Security (TLS) network protocol for transmitting sensitive information such as credit card numbers. SSL/TLS runs under the HTTPS (HTTP Secure) protocol to access secure URLs such as https://secure.site.com.

Certificates are based on a “chain of trust” from the web server up to the CA. The web server presents a certificate that has been signed by the CA. The web browser compares the signature with the CA certificate previously installed in the web browser. This proves the identity of the web server to the web browser.

To create a public secure web server on the Internet, you must purchase a web-server certificate that is signed by a trusted third-party public CA such as VeriSign. Microsoft pre-installs into Windows the trusted root certificates for public CAs such as VeriSign.

For internal use your enterprise might want to act as a private CA. A private CA can sign its own certificates, for example to create internal secure web servers (not on the Internet). Microsoft's Certificate Services is designed primarily for private use. It is not meant to be used to create a public certificate for a web server on the Internet.

To generate private SSL/TLS certificates your enterprise can use Microsoft's Certificate Services to act as the private CA for your organization. Certificate Services is typically installed on only one server for the entire organization.

Note: U-Move is designed primarily to move Active Directory Domain Services (AD DS), so it operates only on a domain controller. U-Move moves Certificate Services as a courtesy to help you move to a new domain controller. U-Move will not move Certificate Services to/from a non-domain controller.

Add the Certificate Services Role

To move the Certificate Services database you must first add the AD Certificate Services role to the destination computer. (U-Move will remind you if you forget.)

Cloning: Computer name and other information is not important

Windows Server 2003 and 2008: When you install Certificate Services you will see a warning message that warns you not to change the name of the computer. You can safely ignore this warning message when cloning. When you use U-Move to clone AD, it will copy all information needed to move Certificate Services to the new computer. This includes the computer name, the Certificate Services database (C:\Windows\System32\certsrv\*), and all required private encryption keys, including those marked as non-exportable.

Windows Server 2003 and 2008: The Microsoft installer for Certificate Services will ask you several questions. For example you will be asked the name of your organization. For each question type in a dummy answer and click Next. The answers are not important because U-Move will copy all of the CA information from the source computer, overwriting all of your answers.

Manual migration of Certificate Services

The Microsoft TechNet article Active Directory Certificate Services Migration Guide describes how to manually migrate the Certificate Services database.

When cloning AD, U-Move will automatically copy all information needed to move the entire Certificate Services database to the destination computer. This includes the CA database and all private encryption keys.

How to Move the Certificate Services Database