
How do I migrate Password Policy?

With the retirement of Server 2012/R2, an increasingly common question is: how do I migrate my password policy to another server so that I can continue using the product without any issues?

The simple answer is that not a lot needs to be done, since all of the configuration is stored in Group Policy and Active Directory. You copy the MSI for each component you are moving to the new server and install it there, as described below.

Where are these files located?

They are in C:\temp\SpecopsPasswordPolicy_Setup_(version number)\Products\SpecopsPasswordPolicy on the server where Password Policy Domain Administration is currently installed.

Password Policy Domain Administration

Copy and install the SpecopsPasswordPolicyAdmin-x64.msi on the new server.

Password Policy Arbiter

Copy and install the SpecopsArbiter-x64.msi on the new server.

If you have a new Domain Controller during this migration:

Copy the SpecopsPasswordPolicySentinel-x64.msi to the new Domain Controller, run the MSI, and restart the machine to complete the installation.

If you are moving the PDC Emulator role:

Make sure the Sentinel is installed on both the current PDC and the server that will become the new PDC. From there, transfer the role(s) as normal (https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/view-transfer-fsmo-roles). Once the role(s) have been transferred, restart both DCs and verify that the PDC and Web API are both showing the correct server. If the Web API is still shown as disabled, you can add/adjust the registry setting in this article and restart the Specops Password Sentinel Service, after which the Web API status should be listed as “OK”. This will also cause a new certificate to be automatically generated on the new PDC.
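The checks around the PDC Emulator transfer can be scripted. The following is an added example, not Specops code: it confirms the Sentinel service exists on both DCs before the transfer and confirms the role holder afterwards. The server name is a placeholder, and the display-name pattern is an assumption based on the service name used above.

```powershell
# Added example, not vendor code. Requires the ActiveDirectory module (RSAT)
# and PowerShell remoting to both domain controllers.
Import-Module ActiveDirectory

$NewPdc = 'new-dc01.example.test'                # placeholder: FQDN of the DC that will hold the role
$SentinelPattern = 'Specops Password Sentinel*'  # assumption: matches the service display name

function Get-SentinelState {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Query the service on the remote DC; return a plain object either way.
    $svc = Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
        Get-Service -DisplayName $using:SentinelPattern -ErrorAction SilentlyContinue |
            Select-Object DisplayName, @{ n = 'Status'; e = { $_.Status.ToString() } }
    }
    [pscustomobject]@{
        Computer  = $ComputerName
        Installed = [bool]$svc
        Status    = if ($svc) { $svc.Status -join ',' } else { 'NotFound' }
    }
}

function Test-PdcTransferReadiness {
    # Before the transfer: Sentinel must be present on the current and the future PDC.
    $currentPdc = (Get-ADDomain).PDCEmulator
    $state = @($currentPdc, $NewPdc) | ForEach-Object { Get-SentinelState -ComputerName $_ }
    $state | Format-Table -AutoSize | Out-Host
    -not ($state | Where-Object { -not $_.Installed })
}

function Test-PdcTransferResult {
    # After the transfer and the restart of both DCs: confirm the role holder.
    $holder = (Get-ADDomain).PDCEmulator
    Write-Host "PDC Emulator is now: $holder"
    $holder -ieq $NewPdc
}

if (-not (Test-PdcTransferReadiness)) {
    throw 'Sentinel is missing on at least one DC; install it before transferring the role.'
}
# Transfer the role as usual, restart both DCs, then run: Test-PdcTransferResult
```

The script makes no changes to the domain; the Web API status still has to be verified as described above.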

Publication date: June 28, 2023
Modification date: June 2, 2026
