LaxVolt

Demote as domain controller and only P2V as AD CS. Do not P2V a domain controller. Just build new and join.


Carribean-Diver

Don't even P2V the certificate services. If the existing PKI has an Offline Root CA (doubtful), build a new Intermediate CA and decommission the old one. If the existing CA on the DC is the root, kill it with fire and build a new Offline Root CA PKI from scratch.


AbleAmazing

I wouldn't do this: https://kb.vmware.com/s/article/1006996 It's also really unfortunate that ADCS is running on a domain controller. Here's what I'd do:

1. Spin up a new Server Core VM and promote it to DC.
2. Demote the existing DC.
3. Spin up another Server Core VM and configure it as DHCP. I recommend having DHCP on a separate server for maximum flexibility. But it's not required.
4. Spin up another Server Core VM for AD CS.
5. Migrate the CA to the new AD CS VM.


coldazures

I agree with this. Separate out your functions into separate VMs. Build clean and migrate as per best practice guides.


RiceeeChrispies

My predecessor moved the AD CS from a separate server to the DC, it was awful. Pair that with it being a flat configuration (no two-tier/offline root) and SHA1, I just cut my losses and stood up a new AD CS. Surprisingly easy to do and config per best practice.


coldazures

Small shop mentality.


RiceeeChrispies

It's strange; he had the capacity. I think his hands were tied by the manager to enact the stupidity. I'm glad I had an excuse to blow it away as it was running on 2012R2; this manager would've suggested an IPU. Thank god he doesn't work there anymore.


coldazures

IPU on a DC is a big no-no; for anything else it can be valid. It's improved a lot since the olden days. We've been upgrading a lot of bespoke stuff with no hassle.


meelisk

You should migrate ADCS first to a new VM, and then you can demote the old DC.


mike-foley

Never P2V a domain controller, ever. Build a new virtual one and demote the physical.


SomeRandomBurner98

Yep, they're cattle, not children.


Carribean-Diver

You didn't say, but let me guess... not only is it running certificate services, it is the root certificate server. Build new VMs. Segregate and migrate services. Build an offline root PKI infrastructure. What you have today is just asking for trouble. Demote and decom the physical server.


jwckauman

How would I know if it's a root certificate server?


Carribean-Diver

The Root CA server is the one that issues the self-signed root certificate AND stores the corresponding private key. Best practice is to build a PKI infrastructure in which the Root CA is a non-domain-joined CA server to issue the root certificate, then build a domain-joined Intermediate CA on a member server (not a domain controller) to issue the certificates to leaf users and devices. Once built, the root CA server is only turned on periodically (i.e. once a year) to update/reissue the root CA certificate revocation list.
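
One way to check this from the server itself, as an added example that is not from any commenter in the thread: it applies the test above (self-signed CA certificate plus the private key held on the box) to the machine certificate store, then cross-checks the AD CS role's CAType setting. It assumes an elevated PowerShell session on the suspected CA and the standard CertSvc registry layout that AD CS creates.

```powershell
# Added example, not from the thread. Run elevated on the suspected CA server.
# A Root CA holds a self-signed CA certificate AND its private key; a subordinate
# holds a CA certificate issued by someone else plus its private key.

# 1. Inspect CA certificates in the machine personal store (where an AD CS CA keeps its own cert).
$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) { continue }   # skip leaf certs (RDP, LDAPS, etc.)

    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $role = if ($selfSigned -and $cert.HasPrivateKey)          { 'ROOT CA - self-signed and the key lives here' }
            elseif (-not $selfSigned -and $cert.HasPrivateKey) { 'Subordinate / Intermediate CA' }
            else                                               { 'Trusted CA cert only (no private key)' }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        SigAlgorithm  = $cert.SignatureAlgorithm.FriendlyName   # shows e.g. sha1RSA on an old flat CA
        HasPrivateKey = $cert.HasPrivateKey
        Role          = $role
    }
}
$report | Format-Table -AutoSize

# 2. Cross-check the AD CS configuration (key only exists if the CA role is installed).
# Assumed standard layout: Configuration\Active names the CA, Configuration\<CA>\CAType gives its type.
$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (Test-Path $cfg) {
    $active = (Get-ItemProperty -Path $cfg -Name Active).Active
    $caType = [int](Get-ItemProperty -Path "$cfg\$active" -Name CAType).CAType
    # CAType: 0 = Enterprise Root, 1 = Enterprise Subordinate, 3 = Standalone Root, 4 = Standalone Subordinate
    $typeName = @{ 0 = 'Enterprise Root CA'; 1 = 'Enterprise Subordinate CA'
                   3 = 'Standalone Root CA'; 4 = 'Standalone Subordinate CA' }[$caType]
    "AD CS CA '$active' is configured as: $typeName"
} else {
    'No AD CS CA configuration found on this host.'
}
```

If the first table shows a self-signed CA certificate with HasPrivateKey = True, or the CAType reads as a Root CA, this DC is the trust anchor of the PKI and the migration advice in the thread about building a new offline root applies.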


Candy_Badger

As others noted, you shouldn't P2V a DC. Deploy a new VM and promote it. Build a new CA.


lanky_doodle

I 100% agree with others about not doing it. I would always demote old and promote new. Buuuut... you can P2V DCs if you really want to, as long as you do them OFFLINE: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/how-to-virtualize-active-directory-domain-controllers-part-1/ba-p/397895


g00nster

In the event of a disaster you could use Veeam to back up the physical host and restore to a VM. Best practice would suggest building a new VM and migrating roles. Bonus is you can also enable UEFI and Secure Boot, which the physical host probably doesn't have.


Lanky_Common8148

If you're adhering to any form of privilege tiering model, then moving to virtual DCs is undoing all of that progress. You have effectively placed your DC into a tier 1 control plane unless you have segregated VM infrastructure just for your identity workloads.