How do I migrate Password Policy?
With the retiring of Server 2012/r2 fast approaching a question that has risen in popularity is how I migrate my password policy to another server to continue using the product without any issues?
The simple answer is not a lot needs to be done since all of the configuration is stored in Group Policy and Active Directory.
The first thing to look at is if you are on the latest version. If the answer is no, then the recommended suggestion is to upgrade by downloading the latest version and following the upgrade guide from the links below. If you are on version 7.5 or below, you will need a new license key.
https://specopssoft.com/support/en/password-policy/download.htm
https://specopssoft.com/support/en/password-policy/upgrade.htm
If you are on the latest version or choose to not upgrade, all you would need to do is install the Password Policy domain administration tools and/or the arbiter onto the new server which you can do by either running the version of the setup assistant for the version you want on the server or by looking in the C:\temp\SpecopsPasswordPolicy_Setup_(version number)\Products\SpecopsPasswordPolicy where the admin tools is currently installed, which is generally where the installation is run and the files are extracted.
From there you can copy the needed components and copy them over to the individual servers you would like to move the software too.
If you have a new Domain Controller:
Copy the SpecopsPasswordPolicySentinel-x64.msi to the new Domain Controller and run the msi and restart the machine to complete the installation.
If you are moving the PDC Emulator role:
Make sure the sentinel is installed on both the current PDC and what will be the new PDC. From there, transfer the role(s) as normal (https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/view-transfer-fsmo-roles). Once the role(s) have been transferred, restart both DCs and verify the PDC and Web API are both showing the correct server. If the Web API is still shown as disabled, you can add/adjust the registry setting in this article and restart the Specops Password Sentinel Service, which should then show the Web API status listed as “OK”.
If you want to install the Password Policy Domain Administration on a new server:
Copy the SpecopsPasswordPolicyAdmin-x64.msi to the new server and run the msi. No restart is needed.
If you are moving the Arbiter:
Copy the SpecopsArbiter-x64.msi to the new server and run the msi. Once the arbiter is installed, you will need to register it using the following instructions: Password Policy Arbiters. No restart is needed.
You will then need to reach out to obtain a new API key if you do not already have one.