In-Place Upgrade of a Certification Authority from Windows Server 2012 SP2 or 2012 R2 to Windows Server 2016

At the latest when the manufacturer (Microsoft) ends product support, the question arises whether the certification authority should be migrated to another server running an up-to-date operating system, or whether an in-place upgrade should be performed. The latter process is described below.

Instead of an in-place upgrade, it is strongly recommended to migrate the certificate authority to another server with a current operating system. See article "Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server".

If a hardware security module (HSM) is used, it must be clarified with the manufacturer of the HSM whether its key storage provider (KSP) supports the new operating system before the in-place upgrade is performed. In addition to updating the key storage provider, it may also be necessary to update the firmware of the hardware security module.

Downgrading a Windows edition, e.g. from Windows Server Datacenter to Windows Server Standard, is not supported.

Preparatory work
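The article lists the facts that must be established before the upgrade (matching edition, HSM key storage provider support, a current backup) without giving a script. The following PowerShell pre-flight check is an added example, not the article's own code; it assumes an elevated session on the CA server, and the backup path is a placeholder.

```powershell
# Added example (not from the article): pre-flight checks before the in-place upgrade.
# Assumes an elevated session on the CA server; $BackupDir is a placeholder path.
$BackupDir = 'D:\CA-Backup-before-upgrade'

# 1. Edition and version: the new media must be the same edition (downgrades are not supported).
$os = Get-CimInstance Win32_OperatingSystem
"Current OS : {0} (build {1}, SKU {2})" -f $os.Caption, $os.Version, $os.OperatingSystemSKU

# 2. Key storage provider in use: anything other than the Microsoft software provider
#    means an HSM is involved, and its KSP/firmware support must be confirmed first.
$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$ca  = (Get-ItemProperty $cfg).Active
$csp = Get-ItemProperty "$cfg\$ca\CSP"
"CA name    : $ca"
"Provider   : {0} (hash {1})" -f $csp.Provider, $csp.HashAlgorithm
if ($csp.Provider -notlike 'Microsoft*') {
    Write-Warning 'Third-party provider in use: confirm HSM KSP and firmware support for the target OS.'
}

# 3. Record the service state as a reference for the post-upgrade check
#    (Win32_Service.StartMode also works on the PowerShell 4.0 that ships with 2012 R2).
Get-CimInstance Win32_Service -Filter "Name='CertSvc'" | Select-Object Name, State, StartMode

# 4. Full backup of CA database and key before the system is touched.
#    certutil prompts for a password protecting the exported key unless -p is supplied.
if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
certutil -backup $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# Keep the CA registry configuration next to the database backup.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CertSvc-Configuration.reg" /y
```

Keep the backup directory off the server (it contains the CA's private key) before starting the setup wizard.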

Implementation of the upgrade

After the data medium for the new operating system has been inserted, the installation can be started.

Usually, server systems do not have an Internet connection anyway, so the option to download updates can be deselected here. However, please note that in this case the server will start up again without security updates. This will result in the remote desktop connection from a current client no longer working, since the update for the security vulnerability CVE-2018-0866 has not yet been installed.

In the next dialog the product key must be entered. Please note that the license key must match the Windows edition. If the old operating system was a Standard Edition, the new system must also be a Standard Edition.

Since certification authorities are usually installed with a graphical interface, the "Desktop Experience" option should be selected in the next dialog.

In the next dialog the license conditions are accepted in order to continue.

In the next dialog, it is essential to select the "Keep personal files and apps" option so that the certificate authority installation is retained. If only the option "Nothing" can be selected here, either the operating system language or the operating system edition does not match.

Windows Server 2016 explicitly states that in-place upgrades are not recommended. If you want to continue, you have to confirm this notice.

The last dialog displays a summary of the selected options and then starts the installation.

This is followed by the installation of the new operating system. The server will reboot several times before it can be used again with the new operating system.

Problem solving

No possibility to keep apps and files during upgrade

Downgrading the Windows edition is not supported. In this case, only the "Nothing" option is available in the "Choose what to keep" dialog. Do not continue under any circumstances, otherwise the operating system will be reinstalled and all existing data will be deleted.

Certificate Authority Service does not start after In-Place Upgrade

When you log in for the first time after the in-place upgrade, you will notice that the Certificate Authority service has not started and cannot be started.

The service cannot be started, either because it is disabled or because it has not enabled devices associated with it. 
0x422 (WIN32: 1058 ERROR_SERVICE_DISABLED)

This is a known, albeit curious, problem and can be solved by restarting the server once.

Remote desktop connection no longer possible after in-place upgrade

Most likely, a remote desktop connection to the server will not be possible after the in-place upgrade. For the reason and solution, see article "Remote desktop connection no longer possible after in-place upgrade of Windows Server operating system".

Rework

  • Activate Windows, if required. After the upgrade, the server may still need to be connected to a KMS server, or the operating system may need to be activated.
  • Install current Windows updates. The server starts without security updates, so they must be installed immediately.
  • If you have upgraded from a certificate authority that was running on Windows Server 2008 R2 or older, you may want to adjust the serial number generation for issued certificates to the new standard. For more information, see the article "How is the serial number of a certificate formed?".
  • Perform a functional test for the Certification Authority. See article "Perform functional test for a Certification Authority".
  • Create a current backup. See article "Create a backup of a certification authority".
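The rework list above can be checked in one pass. The following PowerShell script is an added example, not the article's own code; it assumes an elevated session on the upgraded CA server, the backup path is a placeholder, and it only reports a disabled CertSvc rather than changing its start type, since the article's fix for that state is a further reboot.

```powershell
# Added example (not from the article): post-upgrade verification of the "Rework" items.
# Assumes an elevated session on the upgraded CA; $BackupDir is a placeholder path.
$BackupDir = 'D:\CA-Backup-after-upgrade'
$failed = @()

# 1. Activation state (LicenseStatus 1 = licensed).
$lic = Get-CimInstance SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL AND Name LIKE 'Windows%'"
if ($lic.LicenseStatus -ne 1) { $failed += "Windows is not activated (LicenseStatus=$($lic.LicenseStatus))" }

# 2. Updates: the server comes up without security updates, so the newest hotfix should be recent.
$lastFix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
"Newest installed update: {0} ({1})" -f $lastFix.HotFixID, $lastFix.InstalledOn
if (-not $lastFix -or $lastFix.InstalledOn -lt (Get-Date).AddDays(-60)) { $failed += 'No recent Windows updates installed' }

# 3. CA service: after the upgrade it may be reported as disabled (0x422 ERROR_SERVICE_DISABLED).
$svc = Get-Service CertSvc
"CertSvc: {0} (start type {1})" -f $svc.Status, $svc.StartType
if ($svc.StartType -eq 'Disabled') {
    $failed += 'CertSvc is disabled: reboot the server once and re-run this check'
} elseif ($svc.Status -ne 'Running') {
    Start-Service CertSvc
    $svc.Refresh()
    if ($svc.Status -ne 'Running') { $failed += 'CertSvc could not be started' }
}

# 4. Functional test: the CA must answer over RPC/DCOM and report its configuration.
certutil -ping | Out-Null
if ($LASTEXITCODE -ne 0) { $failed += "certutil -ping failed (exit code $LASTEXITCODE)" }
certutil -cainfo type
if ($LASTEXITCODE -ne 0) { $failed += "certutil -cainfo failed (exit code $LASTEXITCODE)" }

# 5. Fresh backup of database and key on the new operating system.
if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
certutil -backup $BackupDir
if ($LASTEXITCODE -ne 0) { $failed += "certutil -backup failed (exit code $LASTEXITCODE)" }

if ($failed) {
    Write-Warning ("Rework incomplete:`n - " + ($failed -join "`n - "))
} else {
    'All post-upgrade checks passed.'
}
```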
