Forem: Thiyagarajan Thangavel

laps-local account cyberark sync

Thiyagarajan Thangavel — Tue, 02 Dec 2025 06:00:18 +0000

As discussed during our call, we’ve identified that the LAPS setting is being applied through the local group policy, as confirmed by the RSoP results. However, when we checked the Local Group Policy Editor, the setting does not appear to be explicitly configured.
Additionally, we verified the registry and found that no LAPS-related keys are defined either locally or via domain GPO. This leaves us in a bit of a gray area, as we’re unsure of the actual source applying the policy — possibly a default configuration from the OS image or another mechanism.
Given this uncertainty, we’re evaluating whether applying the registry setting to disable LAPS will effectively override the current behavior. We’d appreciate any insights or recommendations you might have on how best to proceed.

Registry key for disabled LAPS: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\LAPS\Config]
"BackupDirectory"=dword:00000000

Note: I have used the attached script for LAPS verification that.

• ✅ No LAPS registry settings found — This means LAPS is not configured via registry (likely not applied via domain GPO or local GPO).
• ✅ Local Group Policy file exists — So there might be some local GPO settings, but not necessarily LAPS.

Steps to get certificate from Internal CA server

Thiyagarajan Thangavel — Tue, 02 Dec 2025 05:54:40 +0000

Steps to get certificate from Internal CA server

Create a text file and save the format of the file as “.inf”. For instance “policy.inf”.
a. We need to submit the inf file in order to generate the CSR through “Certreq” command.
The content of the policy file should be in specific format. Attached here the sample policy file for reference.
a.
Once the policy file is created, open command prompt as admin and type the below command:
a. Certreq –new

b. For instance,
c. Certreq –new policy.inf request.req

A CSR file will be generated.
Use the following command to submit the CSR to an internal CA to get the certificate:

a. certreq -submit -attrib "CertificateTemplate:"

b. For instance,
c. certreq -submit -attrib "CertificateTemplate:WebServerSSL" request.req certificate.cer

It will prompt you to select the CA server. Once the CA server is selected, a new certificate will be generated.

Cleanup of Inactive AD Accounts (User & Computer) – Over 1 Year Old

Thiyagarajan Thangavel — Tue, 02 Dec 2025 05:53:34 +0000

Idea
To improve Active Directory (AD) security hygiene, performance, and compliance with ARPAN or internal IT policies by identifying and removing inactive user and computer accounts that haven’t been used for over one year.
Problem Statement
Over time, user and computer accounts in Active Directory become stale due to employee attrition, decommissioned machines, or system account redundancies. These dormant accounts pose the following risks and issues:

Security Risks: Inactive accounts are vulnerable to misuse or compromise.
License Wastage: Consumes unnecessary licenses in environments like Microsoft 365.
Administrative Overhead: Clutters AD with obsolete entries, complicating management.
Compliance Gaps: May violate policies such as ARPAN which mandate timely account lifecycle management. Solution Implement a PowerShell-based automated process that:

Identifies all user and computer accounts that have not logged on in over 365 days.
Exports these accounts to CSV files for review and audit purposes.
Deletes the reviewed accounts safely (with optional backup and logging steps).

PowerShell Script (Summary):
Benefits

Enhanced Security: Minimizes attack surface by eliminating dormant accounts.
Compliance Assurance: Meets ARPAN and internal audit standards for account lifecycle.
Operational Efficiency: Reduces clutter in AD, improving admin productivity.
Cost Optimization: Frees up licenses and reduces overhead in systems like Office 365 or Azure AD. # Load AD module Import-Module ActiveDirectory

Set time threshold

$timeThreshold = (Get-Date).AddDays(-365)

--- Export Inactive User Accounts ---

$inactiveUsers = Get-ADUser -Filter {LastLogonDate -lt $timeThreshold -and Enabled -eq $true} -Properties LastLogonDate |
Select-Object Name, SamAccountName, LastLogonDate

$inactiveUsers | Export-Csv -Path "C:\ADCleanup\InactiveUsers.csv" -NoTypeInformation
Write-Host "Inactive users exported to InactiveUsers.csv"

--- Export Inactive Computer Accounts ---

$inactiveComputers = Get-ADComputer -Filter {LastLogonDate -lt $timeThreshold -and Enabled -eq $true} -Properties LastLogonDate |
Select-Object Name, SamAccountName, LastLogonDate

$inactiveComputers | Export-Csv -Path "C:\ADCleanup\InactiveComputers.csv" -NoTypeInformation
Write-Host "Inactive computers exported to InactiveComputers.csv"

Optional: Review before deleting

Uncomment the following lines to perform deletion

Delete Inactive Users

$inactiveUsers | ForEach-Object {
Remove-ADUser -Identity $_.SamAccountName -Confirm:$false
}

Delete Inactive Computers

$inactiveComputers | ForEach-Object {
Remove-ADComputer -Identity $_.SamAccountName -Confirm:$false
}
Write-Host "Inactive users and computers deleted."

>

Script for site & subnet creation in bulk

Thiyagarajan Thangavel — Fri, 14 Nov 2025 13:23:29 +0000

Load Active Directory module

Import-Module ActiveDirectory

Define CSV path

$CSVPath = "C:\Scripts\Subnets.csv"

Import CSV

$SubnetData = Import-Csv -Path $CSVPath

Extract site and linked site from first row (assumes consistent site across rows)

$SiteName = $SubnetData[0].SiteName
$Location = $SubnetData[0].Location
$LinkedTo = $SubnetData[0].LinkedTo
$SiteLink = "$SiteName-$LinkedTo-Link"

try {
# Create AD Site if not exists
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
New-ADReplicationSite -Name $SiteName
Write-Host "✅ Created Site: $SiteName"
}

# Loop through all subnets and associate with the site
foreach ($row in $SubnetData) {
    $Subnet = $row.Subnet
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
        New-ADReplicationSubnet -Name $Subnet -Site $SiteName -Location $Location
        Write-Host "✅ Added Subnet $Subnet to Site $SiteName"
    } else {
        Write-Host "ℹ️ Subnet $Subnet already exists."
    }
}

# Create Site Link if not exists
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$SiteLink'")) {
    New-ADReplicationSiteLink -Name $SiteLink -SitesIncluded $SiteName,$LinkedTo -Cost 100 -ReplicationFrequencyInMinutes 180
    Write-Host "✅ Created Site Link: $SiteLink between $SiteName and $LinkedTo"
} else {
    Write-Host "ℹ️ Site Link $SiteLink already exists."
}

}
catch {
Write-Host "❌ Error: $($_.Exception.Message)"
}

Script for GP result Comparison

Thiyagarajan Thangavel — Fri, 14 Nov 2025 13:22:17 +0000

Define paths to the two GPResult HTML files

$File1 = "C:\Reports\GPResult1.html"
$File2 = "C:\Reports\GPResult2.html"

Load HTML content

$Html1 = Get-Content $File1 -Raw
$Html2 = Get-Content $File2 -Raw

Convert HTML to XML

[xml]$Xml1 = $Html1
[xml]$Xml2 = $Html2

Helper function to extract GPOs and settings

function Get-GPODataFromHtml($Xml) {
$tables = $Xml.getElementsByTagName("table")
$gpoTable = $tables | Where-Object { $.innerText -like "Applied Group Policy Objects" }
$settingTables = $tables | Where-Object { $.innerText -match "Security Settings|Registry|Scripts|Folder Redirection" }

$gpoList = @()
$settingList = @()

if ($gpoTable.Count -gt 0) {
    $rows = $gpoTable[0].getElementsByTagName("tr")
    foreach ($row in $rows) {
        $cells = $row.getElementsByTagName("td")
        if ($cells.Count -gt 0) {
            $gpoList += $cells[0].innerText.Trim()
        }
    }
}

foreach ($table in $settingTables) {
    $rows = $table.getElementsByTagName("tr")
    foreach ($row in $rows) {
        $cells = $row.getElementsByTagName("td")
        if ($cells.Count -ge 2) {
            $settingList += "$($cells[0].innerText.Trim()) = $($cells[1].innerText.Trim())"
        }
    }
}

return @{GPOs = $gpoList; Settings = $settingList}

}

Extract data

$Data1 = Get-GPODataFromHtml $Xml1
$Data2 = Get-GPODataFromHtml $Xml2

Compare GPOs

$GPOsOnlyIn1 = Compare-Object $Data1.GPOs $Data2.GPOs -PassThru | Where-Object { $.SideIndicator -eq "<=" }
$GPOsOnlyIn2 = Compare-Object $Data1.GPOs $Data2.GPOs -PassThru | Where-Object { $.SideIndicator -eq "=>" }

Compare Settings

$SettingsOnlyIn1 = Compare-Object $Data1.Settings $Data2.Settings -PassThru | Where-Object { $.SideIndicator -eq "<=" }
$SettingsOnlyIn2 = Compare-Object $Data1.Settings $Data2.Settings -PassThru | Where-Object { $.SideIndicator -eq "=>" }

Output differences

Write-Host "`n🔍 GPOs only in File 1:"
$GPOsOnlyIn1 | ForEach-Object { Write-Host " - $_" }

Write-Host "`n🔍 GPOs only in File 2:"
$GPOsOnlyIn2 | ForEach-Object { Write-Host " - $_" }

Write-Host "`n🔧 Settings only in File 1:"
$SettingsOnlyIn1 | ForEach-Object { Write-Host " - $_" }

Write-Host "`n🔧 Settings only in File 2:"
$SettingsOnlyIn2 | ForEach-Object { Write-Host " - $_" }

Optional: Export to CSV

$Report = @()
foreach ($item in $SettingsOnlyIn1) {
$Report += [PSCustomObject]@{Source="File1"; Setting=$item}
}
foreach ($item in $SettingsOnlyIn2) {
$Report += [PSCustomObject]@{Source="File2"; Setting=$item}
}
$Report | Export-Csv "C:\Reports\GPO_Differences.csv" -NoTypeInformation
Write-Host "`n📁 Differences exported to C:\Reports\GPO_Differences.csv"

Domain controller decommission SOP

Thiyagarajan Thangavel — Fri, 14 Nov 2025 13:19:42 +0000

3 INTRODUCTION
The objective of this document is to provide Domain controller decommission preparation and decommissioning steps.

3.1 OBJECTIVE
The Scope of this document includes the pre and post check of the uninstallation of Active directory services and validation steps.

3.2 AUDIENCE
This document will help Wintel AD Team (MBG PS) and who will go to embrace this technology.

4 DISASTER RECOVERY CHALLENGES

No disaster recovery process will be facilitated by this document.

5 PLANNING OF DOMAIN CONROLLER DECOMMISSION
• The prerequisite steps for safe domain controller decommission.

• Isolate the Domain Controller
• Check Domain Controller authentication request.
• Check Domain Controller Role.
• Check the DNS Role.
• Check is any other roles are holding by the DC.
• Domain controller cooling period.

5.1 ISOLATE THE DOMAIN CONTROLLER
Just create temporary AD site and move the Domain Controller which you want to remove, make sure the temporary AD site only has the DC Subnet, so that there won’t be any client authentication reaching the DC.
Also check the DC SRV records are pointing to new temporary AD site and delete if any record pointing from old user site, this should be dynamic and no manual action required, just make sure SRV records in-place as excepted.
5.2 CHECK DOMAIN CONTROLLER AUTHENTICATION REQUEST
Make sure auditing been enabled for all logon and logoff, check for Event ID 540 for Windows Server 2003 DC and Event ID 4624 for Windows server 2012 r2, windows 2008 R2 and windows 2016 in the decommissioning Domain Controller security event log to find any users have logged on the site from any workstation and even you will be able to see is any application uses the DC using static configuration.
5.3 CHECK DOMAIN CONTROLLER ROLE.
Check is any FSMO roles are holding on this DC by “netdom query fsmo”, move the roles to other Domain Controllers.
5.4 CHECK THE DNS ROLE.
Check is any member server/computer or DHCP Scope uses the Domain Controller IP as a primary DNS server, just change this to other DNS Server on the Domain
5.5 CHECK IS ANY OTHER ROLES ARE HOLDING BY THE DC.
Roles like DFSR, file server, print server and any other server role, move all the roles to different live Server.

5.6 DOMAIN CONTROLLER COOLING PERIOD.
Just Shut down the Domain Controller for a week time before permanent decommission/powered off, if any application server, users, client system uses the DC will be failed and you will be notified by them, you can fix the issue by re-pointing to other working Domain Controller
In worst case you can power on the Domain Controller and keep live till the issue been fixed, this will minimize the impact.

6 STEPS TO DEMOTE THE DOMAIN CONTROLLER ROLE
The below recommended steps for removing a domain controller role from the server.

Step 1. Open Server Manager

Step2. Select manage -> “Remove Roles and Features” Click next on the “Before you begin page.”

Step 3. On the server selection page, select the server you want to demote and click the next button.
In this example, I’m demoting server “srv-2016”

Step 4. Uncheck “Active Directory Domain Services” on the Server Roles page.

When you uncheck, you will get a popup to remove features that require Active Directory Domain Services.

If you will plan on using the server to manage Active Directory, then keep these installed. In this example, I plan to decommission the server so I will remove these management tools.

Step 5. Select Demote this domain controller.

On the next screen make sure you DO NOT select “Force the removal of this domain controller”. You should only select this if you are removing the last domain controller in the domain.
You can also change credentials on this screen if needed.

Click Next

Step 6. On the warnings screen, it will give you a warning this server hosts additional roles. If you have client computers using this server for DNS you will need to update them to point to a different server since the DNS role will be removed.
Check the box “Proceed with removal and click next.

Step 7. If you have DNS delegation, you can select “Remove DNS delegation and click next. In most cases, you will not have DNS delegation and can uncheck this box.

Step 8. Now put in the new administrator password. This will be for the local administrator account on this server.

Step 9. Review options and click “Demote.”

There is a “view script” button that generates a PowerShell script to automate all the steps we just walked through. If you have additional domain controllers to remove you could use this script.

When you click demote, the server will be demoted and rebooted. Once it reboots the server will be a member server. You can log in with domain credentials to the server.

7 POST CLEAN-UP ACTIVITY

Step 1. On another domain controller or computer with RSAT tools open “Active Directory Users and Computers”
Go to the domain Controllers folder. Right click the domain controller you want to remove and click delete.

On the next screen select the box “Delete this Domain Controller anyway” and click delete”

If the DC is a global catalog server, you will get an additional message to confirm the deletion. I’m going to click Yes.

Clean up in active AD accounts

Thiyagarajan Thangavel — Tue, 11 Nov 2025 16:48:39 +0000

Cleanup of Inactive AD Accounts (User & Computer) – Over 1 Year Old
Idea
To improve Active Directory (AD) security hygiene, performance, and compliance with ARPAN or internal IT policies by identifying and removing inactive user and computer accounts that haven’t been used for over one year.
Problem Statement
Over time, user and computer accounts in Active Directory become stale due to employee attrition, decommissioned machines, or system account redundancies. These dormant accounts pose the following risks and issues:

Security Risks: Inactive accounts are vulnerable to misuse or compromise.
License Wastage: Consumes unnecessary licenses in environments like Microsoft 365.
Administrative Overhead: Clutters AD with obsolete entries, complicating management.
Compliance Gaps: May violate policies such as ARPAN which mandate timely account lifecycle management. Solution Implement a PowerShell-based automated process that:

Identifies all user and computer accounts that have not logged on in over 365 days.
Exports these accounts to CSV files for review and audit purposes.
Deletes the reviewed accounts safely (with optional backup and logging steps).

PowerShell Script (Summary):
Benefits

Enhanced Security: Minimizes attack surface by eliminating dormant accounts.
Compliance Assurance: Meets ARPAN and internal audit standards for account lifecycle.
Operational Efficiency: Reduces clutter in AD, improving admin productivity.
Cost Optimization: Frees up licenses and reduces overhead in systems like Office 365 or Azure AD.

Power shell script:

Load AD module

Import-Module ActiveDirectory

Set time threshold

$timeThreshold = (Get-Date).AddDays(-365)

--- Export Inactive User Accounts ---

$inactiveUsers = Get-ADUser -Filter {LastLogonDate -lt $timeThreshold -and Enabled -eq $true} -Properties LastLogonDate |
Select-Object Name, SamAccountName, LastLogonDate

$inactiveUsers | Export-Csv -Path "C:\ADCleanup\InactiveUsers.csv" -NoTypeInformation
Write-Host "Inactive users exported to InactiveUsers.csv"

--- Export Inactive Computer Accounts ---

$inactiveComputers = Get-ADComputer -Filter {LastLogonDate -lt $timeThreshold -and Enabled -eq $true} -Properties LastLogonDate |
Select-Object Name, SamAccountName, LastLogonDate

$inactiveComputers | Export-Csv -Path "C:\ADCleanup\InactiveComputers.csv" -NoTypeInformation
Write-Host "Inactive computers exported to InactiveComputers.csv"

Optional: Review before deleting

Uncomment the following lines to perform deletion

Delete Inactive Users

$inactiveUsers | ForEach-Object {
Remove-ADUser -Identity $_.SamAccountName -Confirm:$false
}

Delete Inactive Computers

$inactiveComputers | ForEach-Object {
Remove-ADComputer -Identity $_.SamAccountName -Confirm:$false
}
Write-Host "Inactive users and computers deleted."

>

AD Backup and Recovery

Thiyagarajan Thangavel — Tue, 11 Nov 2025 16:46:29 +0000

INTRODUCTION Active Directory (AD) is a vital component in most enterprise networks. It manages authentication, authorization, and directory services. Ensuring reliable backup and restore procedures for AD is crucial for business continuity and disaster recovery. 3.1. OBJECTIVE This white paper presents a detailed, task-specific, step-by-step execution plan for restructuring Active Directory (AD) domain and trust relationships. Using a practical example with domain and server names, it guides administrators through assessment, planning, migration, and validation.

3.2. AUDIENCE
This document does not cover the details for other dependent technologies.

IMPORTANCE OF ACTIVE DIRECTORY BACKUPS A corruption or accidental deletion in AD can result in a complete halt of IT operations. Regular backups ensure: • Disaster recovery readiness

Disaster recovery readiness is about possessing the resilience to maintain reliable access to the business's digital data, whatever happens.

• Protection against accidental or malicious deletions

Regularly back up important files to separate locations, ensuring there's a fallback if data is accidentally lost or corrupted. A regular backup schedule is crucial for protecting essential files from accidental modifications or deletions

• Quick recovery of critical identity infrastructure

To ensure a quick recovery of critical identity infrastructure within Active Directory (AD), organizations should implement comprehensive backup and recovery strategies, including automated forest recovery and granular object restoration. This involves utilizing tools and techniques that enable rapid restoration of AD to a functional state following a cyberattack or another outage.

TYPES OF BACKUPS IN ACTIVE DIRECTORY • System State Backup: A System State Backup in Active Directory (AD) creates a copy of critical components to allow for recovery of domain controllers and the entire AD environment in case of a disaster or system failure. This backup includes the AD database, system files, registry, SYSVOL folder, and other essential data. It's crucial for restoring domain controllers, recovering from failures, and ensuring the overall resilience of the AD infrastructure.

• Full Server Backup:
A full server backup copies all data on a server to another storage location. This comprehensive backup method ensures a complete point-in-time snapshot of the server, making it ideal for disaster recovery scenarios where minimizing downtime is crucial. While it provides the fastest recovery times, it also requires the most storage space and resources. Includes OS, files, and system state

• Bare Metal Recovery:

Bare metal recovery (BMR), also known as bare metal restore or bare metal backup, is a data recovery process that allows you to restore a computer system to a usable state from a backup, even if the system's original operating system or other software is corrupted or missing. Essentially, it involves restoring the entire system, including the operating system, applications, and data, to a new or empty (bare metal) hard drive.

PERFORMING A SYSTEM STATE BACKUP

6.1.1. STEPS:

Open Run Dialog

• Press Windows + R or search for Run in the Start menu.
• Type wbadmin.msc and hit Enter.

Launch Windows Server Backup Utility
• In the utility window, click Backup Once in the right-hand Actions panel.
• Click Next.

Select Backup Configuration
• Choose Full server to back up everything (recommended for first-time backups).
• Or select Custom to choose specific files, volumes, or applications.
• Click Next after selection.

Configure Volume Shadow Copy Options (for Custom backups only)
• Select between VSS full back up or VSS copy backup if applicable.
Choose Backup Destination
• Select either Local drives or Remote shared folder.
• If Local, specify the destination drive.
• If Remote, enter the shared folder path and credentials if prompted.
• Click Next.

Confirm and Start Backup
• Review your settings.
• Click Backup to initiate the process.

RESTORE SERVER BACKUP USING WINDOWS SERVER BACKUP

Below steps proved to restore the server backup.
7.1 STEPS FOR SERVER RECOVERY

Open the Backup Utility
• Launch Server Manager
• Navigate to Tools → Windows Server Backup
Initiate Recovery
• In the Actions pane (right side), click Recover
Select Backup Location
Choose the location of the backup:
• This server – if the backup is stored locally
• Another location – for network share or external drive
• Click Next
Choose Backup Date and Time
• Select the specific backup instance by date and time
• Click Next
Specify Recovery Type
• Choose what to recover:
• Files and folders
• Volumes
• System state
• Bare metal recovery
Set Recovery Options
• Select the recovery destination:
• Original location – overwrites existing data
• Alternate location – restores to a new location
• Adjust additional settings if required
Confirm and Start Recovery
• Review all configurations
• Click Recover to begin restoration
BEST PRACTICES FOR AD BACKUP & RECOVERY

Best Practice Description
Daily System State Backups Automate with task scheduler
Off-site Backup Storage Protect against ransomware and local disasters
Document DSRM credentials Store securely in a vault
Periodic Restore Testing Ensure backups are valid and restorable
Use Backup Software with Reporting Track backup success and failures

TESTING AND VALIDATING BACKUP AND RESTORE

• Perform quarterly restore drills
• Validate restored data (OU, user accounts)
• Test login, replication, DNS services post-restore
• Document steps and any issues found

COMMON ISSUES AND TROUBLESHOOTING

Issue Solution
DSRM password unknown Reset using NTDSUTIL
Backup fails due to VSS Restart Volume Shadow Copy service
Slow restore Use faster storage or network for backups
Missing backups Confirm schedule, permissions, and storage space

APPENDIX Active Directory is central to IT operations. With proper backup and tested recovery procedures, organizations can mitigate outages and resume operations quickly during an incident. APPENDIX: DIAGRAMS AND POWERSHELL COMMANDS +------------------+ Backup +--------------------+ | Domain Controller| ------------> | Backup Target | +------------------+ | (Disk/Remote Share)| | +--------------------+ | ^ | System State Recovery | +------------------------------------+ | v +------------------------------+ | Boot into DSRM, Restore AD | | Authoritative if necessary | +------------------------------+

Diagram: AD Backup and Restore Workflow

Sample PowerShell Commands:

Install backup feature

Install-WindowsFeature Windows-Server-Backup

Manual system state backup

wbadmin start systemstatebackup -backupTarget:D: -quiet

List available backup versions

wbadmin get versions

Restore from backup

wbadmin start systemstaterecovery -version: -backupTarget: -quiet

11.1. ACRONYMS, ABBREVIATIONS, TERMS AND DEFINITIONS

Abbreviation
Definition Abbreviation
Definition
AD Active Directory DC Domain controller
ADDT Active Directory Domain and Trust

DNS Domain name space

Table 3. Abbreviations
11.2. REFERENCE LINKS

https://www.manageengine.com/products/ad-manager/sem/windows-active-directory-administration-tool.html?camid=19561812382&adgid=146774103722&kwd=active%20directory%20software&matchtype=p&adid=644736381298&network=g&adposition=&loc=9148438&placement=&target=&gad_source=1&gad_campaignid=19561812382&gbraid=0AAAAAChA-cv3RHe7xnorgTuO97Y-HrtaQ&gclid=Cj0KCQjwyIPDBhDBARIsAHJyyVj_URlnu4k9hLi9eu7hrfjms9CIm8lM3atsVy8d7X7NcgDSikEdusgaAoTwEALw_wcB

https://learn.microsoft.com/en-us/windows/win32/ad/backing-up-and-restoring-an-active-directory-server

https://blog.netwrix.com/how-to-backup-active-directory

11.3. LIST OF TABLES
Table 1. Version History 3
Table 2. Trademarks 4
Table 3. Abbreviations 9

Migration Guide: Microsoft ADCS to Sectigo Certificate Manager

Thiyagarajan Thangavel — Tue, 11 Nov 2025 16:42:42 +0000

Absolutely, Thiyagarajan. Below is a complete, step-by-step migration guide in plain text for moving from Microsoft ADCS to Sectigo Certificate Manager. You can copy this into a Word document and format it as needed. Every step is explicitly detailed — including clicks, commands, and validation — so anyone following this guide can execute the migration without missing a single action.

📘 Migration Guide: Microsoft ADCS to Sectigo Certificate Manager

Author: Thiyagarajan

Date: 11-Nov-2025

Purpose: Migrate from Microsoft Active Directory Certificate Services (ADCS) to Sectigo Certificate Manager (SCM) for modern, automated certificate lifecycle management.

🧭 Table of Contents

Project Overview
Pre-Migration Assessment
Sectigo Platform Setup
Sectigo Connector Deployment
Template Mapping
Enrollment Policy Configuration
Certificate Migration
Validation & Monitoring
Rollback Plan
Appendices

1️⃣ Project Overview

Goal: Replace legacy ADCS with Sectigo’s cloud-native PKI platform
Scope: Includes user, device, server, and service certificates
Benefits: Automation, visibility, compliance, and reduced operational overhead

2️⃣ Pre-Migration Assessment

Step 1: Inventory ADCS Components

Log in to your ADCS server
Open Certification Authority console
Document:
- CA hierarchy (Root, Subordinate, Issuing)
- Certificate templates
- Validity periods
- Enrollment methods

Step 2: Export Template List

Open PowerShell as Administrator
Run:

  certutil -catemplates > C:\ADCS_Templates.txt

Step 3: Identify Certificate Usage

Review:
- IIS bindings
- VPN authentication
- Wi-Fi 802.1x
- RDP and smartcard logons

Step 4: Backup ADCS

Open Server Manager
Go to Tools > Certification Authority
Right-click the CA > All Tasks > Back Up CA
Include:
- Private key
- CA database
- Configuration

3️⃣ Sectigo Platform Setup

Step 1: Create Sectigo Tenant

Go to Sectigo Portal
Click Sign Up or Request Demo
Complete onboarding form
Receive admin credentials via email

Step 2: Configure Roles

Log in to Sectigo Certificate Manager
Go to Settings > Roles
Create:
- Admin
- Approver
- Auditor

Step 3: Enable Integrations

Navigate to Integrations > Directory Services
Enable:
- Active Directory
- Azure AD (if hybrid)
- SCEP/ACME (for devices)

4️⃣ Sectigo Connector Deployment

Step 1: Download Connector

Log in to Sectigo
Go to Downloads > AD Connector
Download the installer

Step 2: Install Connector

Run installer on a domain-joined Windows Server
Accept license agreement
Choose installation path
Click Install

Step 3: Register Connector

After install, open Sectigo AD Connector
Enter:
- Sectigo API credentials
- Domain name
- OU scope
Click Register
Wait for sync confirmation

5️⃣ Template Mapping

Step 1: Review ADCS Templates

Open C:\ADCS_Templates.txt
Note:
- Template name
- Key usage
- Subject name format
- Validity period

Step 2: Create Equivalent Templates in Sectigo

Go to Templates > Create New
Match:
- Key length (e.g., 2048-bit RSA)
- Usage (e.g., Client Auth, Server Auth)
- SAN format (e.g., DNS, UPN)
Click Save

Step 3: Assign Templates to Groups

Go to Directory Sync > Groups
Assign templates to:
- Users
- Computers
- Service accounts

6️⃣ Enrollment Policy Configuration

Step 1: Configure Autoenrollment via GPO

Open Group Policy Management
Create or edit GPO
Navigate to:

Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
Enable:
- Certificate Services Client – Auto-Enrollment
- Set to Enabled and Renew expired certificates
Link GPO to target OU
Run:

  gpupdate /force

Step 2: Configure Mobile & Device Enrollment

Go to Sectigo > Enrollment Policies
Enable:
- SCEP for routers/switches
- ACME for Linux servers
- Intune integration for mobile devices

7️⃣ Certificate Migration

Step 1: Issue New Certificates from Sectigo

Go to Certificates > Issue
Select template
Choose target user/device
Click Issue

Step 2: Update Bindings

For IIS:
- Open IIS Manager
- Go to Sites > Bindings
- Edit HTTPS binding
- Select new Sectigo certificate
For VPN/Wi-Fi:
- Update NPS or RADIUS server certificate

Step 3: Revoke Legacy Certificates

Open ADCS Console
Go to Issued Certificates
Right-click > Revoke

8️⃣ Validation & Monitoring

Step 1: Validate Certificate Installation

On client machine, run:

  certutil -store my

Confirm Sectigo-issued certificate is present

Step 2: Validate GPO Application

Run:

  gpresult /h C:\gpresult.html

Open HTML and confirm autoenrollment applied

Step 3: Monitor Sectigo Dashboard

Go to Dashboard > Certificate Lifecycle
Check:
- Expiring certificates
- Failed enrollments
- Audit logs

9️⃣ Rollback Plan

Step 1: Retain ADCS in Standby

Do not uninstall ADCS for 30–60 days
Keep CRL publishing active

Step 2: Export Sectigo Certificates

Go to Certificates > Export
Save as .pfx with password

Step 3: Rebind Legacy Certificates (if needed)

Open IIS or NPS
Re-select ADCS-issued certificate

Step 4: Notify Stakeholders

Send rollback notice with reason and timeline

🔚 Appendices

Sectigo API Reference
PowerShell scripts for template export
GPO autoenrollment examples
Sectigo connector troubleshooting guide
Contact info for Sectigo support

Would you like help turning this into a formatted Word document with headers, footers, and a cover page? I can also help you build a companion runbook or validation checklist.