Migrating the AD Certificate Authority Service server role from 2012 R2 to 2019 — ‘template information could not be loaded’ error

Jack Roper
2 min readMar 5, 2021

I recently had a 2012R2 server with AD Certificate Services installed, the server was to be discontinued, so we needed to rebuild on a 2019 server.

It didn’t go quite to plan — so I thought I would share my experience!

The 2019 server was spun up in Azure, and I followed this guidance:



Steps are broadly as follows:

Step 1: Backup Windows Server 2012 R2 certificate authority database and its configuration

Step 2: Backup CA Registry Settings

Step 3: Uninstall CA Service from Windows Server 2012 R2

Step 4: Install Windows Server 2019 Certificate Services

Step 5: Configure AD CS

Step 6: Restore CA Backup

Step 7: Restore Registry info

NOTE: If you are installing to a machine with a different name, edit the registry backup and replace the old server name with the new one before merging the registry entry.

Step 8: Reissue Certificate Templates

After the move was complete we tested by domain joining a machine but the certificate was not issued correctly. On browsing to the ‘Certificate templates’ section I could see the below ‘template information could not be loaded’ error

This was resolved by firing up ADSIEdit on a domain controller and following the steps found in the TechNet article below to recreate the missing pkiEnrollmentService object.


I also granted permission to the new server following this advice here:




Jack Roper

A blog about DevOps & Cloud Tech. Specializing in Terraform, Kubernetes, Azure & Azure DevOps! ☁️