BSModlin asked:
Removing Certificate Services to run DCPROMO

I am trying to demote my SBS2003 server.  I have moved all services and data off to another server, and have a new functional DC/GC running.  When I run DCPROMO to demote the old server I get:

Before you can install or remove Active Directory, you must remove Certificate Services.

How can I move this to another server?

I currently have valid SSL certs on a web server and my Exchange 2007 server.  Will they be impacted?

Please help ASAP!
Paranormastic:

How to move a CA off of a DC:
http://support.microsoft.com/kb/555012
http://windowsitpro.com/article/articleid/97565/moving-a-certificate-authority-ca-to-another-dc.html

Just to save some typing, here are some recommendations:
https://www.experts-exchange.com/questions/24501876/MIGRATION-of-CERTFICATE-SERVICES.html


>>Will they be impacted?
Make sure to publish a fresh CRL before doing anything with the CA - this will give you the maximum timeframe to recover.  Also, go into the Certification Authorities MMC and right click CAName (the name of your CA) - All Tasks - Backup CA - follow the wizard and choose to back up the private key and the CA database (do not choose incremental).

If you can set up a new box with the same name as the CA you are decommissioning, or rejoin this box as a member server, then you can restore the CA onto this same box.  The name of the box is important - including domain membership.  This is precisely one of the top reasons why I recommend never installing the CA on a DC - it should preferably be installed on a dedicated box / VM.

Otherwise, you can maintain the old CRL by extending the validity period prior to decom to be equal to the validity period of the CA cert expiration date (as no issued certs will be valid past that date).  You can then work on migrating your environment over to the new PKI.
BSModlin (asker):

I have read all the links and am a bit confused...  I was planning on decommissioning the current DC holding the Cert services, formatting it, and installing Server 2008.  Then promoting it to be a DC, but with a new name.  With that in mind, can you PLEASE outline the tasks I will need to perform to get this done?

Also, what are the potential implications of messing this up?  What will happen?  Can I perform these tasks during production hours?
I have found this walkthrough on the web...
http://windowsitpro.com/article/articleid/97565/moving-a-certificate-authority-ca-to-another-dc.html

Will this work for me?

What additional considerations will I need if the new CA Server is 2008 Server ENT.?
ASKER CERTIFIED SOLUTION (Paranormastic)
BSModlin (asker):
I noticed that you said "upgrade your OS".  I planned on formatting and re-installing.  Will that be an issue? The original server was SBS 2003.  I recently ran the Transition Pack to bring the server to 2003 Server Standard Edition.  I want to format, and install Server 2008 ENT 64-Bit edition.  How does this change your walkthrough?
Paranormastic:
As long as the new installation has the same server name and will have the same domain name after all is done, it shouldn't be an issue.

I think that since you are doing a clean install instead of an upgrade, the followup tasks that would be necessary for an upgrade may not need to be done.  I will look into this a little bit further, but if nothing else I will post that in a few minutes for what needs to be done just in case.  Shouldn't affect the primary install anyway; it would be followup tasks after the CA has been restored and is functional.

A few other side notes I thought of in the meantime:
If you are going to be upgrading your AD as part of this, do that prior to installing the CA as well to avoid follow-up tasks.

Make sure to open the Certificate Templates MMC (certtmpl.msc) after the CA is up and running to update AD with the new templates.  If you attempt to issue new certs prior to that, the new templates likely will not be there.  You may need to do this anyway even if not changing AD level (hopefully it is already at least 2003 native mode).
BSModlin (asker):
Ok, great info... Will I be able to take care of all this during production hours?  Will it affect production at all?
Paranormastic:
Okay, here is the article that talks about upgrade issues from Standard to Enterprise Edition OS.
http://support.microsoft.com/kb/967332

This was an issue with the SKU that you installed as.  I'm not sure on a retail copy, but for volume license you use the same install media and just select which kind of OS you are installing as an early step in the OS installation.  Apparently upgrading that after the initial 2008 install does not update the SKU reference in the registry.  This issue shouldn't apply since you are doing a clean install.

>>Will I be able to take care of all this during production hours?  Will it affect production at all?

The CA shouldn't be an issue; as long as the CRL is all good, you should be fine.

My personal opinion here, but if you are planning on upgrading a DC during production hours you're nuts.  If this isn't the first 2008 DC you've rolled out, then I suppose maybe you could get away with it since all the AD changes and such would already have been done, and that's where the scariness is.  I wouldn't worry about the CA so much - the DC, however, is another story - that's up to you, your experience with this process, and your comfort level in relation to the DC tasks.

One last thing you should check prior to doing this is the Issued Certificates in the CA database to make sure that there aren't any certs that are about to expire within a couple days of doing this (anything autoenrolled that is still online probably renewed 6 weeks before, by default, so only look at the manually issued certs).  You can filter the Issued certs results based on certificate expiration date being greater than now and less than a week from now.  Don't add anything else unless you have a lot of results - the filter for the CA is pretty touchy in some areas (especially template names).
BSModlin (asker):
Ok, so I need to publish a new CRL before I do anything, correct?  If so, what is the procedure for this?
Paranormastic:
Run from cmd prompt:
certutil -crl

Open %systemroot%\system32\certsrv\certenroll directory and locate the .crl file and copy to the CDP locations.

To determine your CDP locations, open PKIView.msc (from the 2003 resource kit if you don't have it installed) and expand out your PKI and select your CA, then the AIA and CDP points will be listed on the right.  The AIA is for the cert to go to, the CDP is for the CRL to go to.  Right now you only need to worry about the CDP.  If there is one for LDAP, do 'certutil -dspublish filename.crl'

Side note, but the AIA will only be a concern some day down the line when you need to renew your CA cert - if you don't track that you want to set a calendar reminder to renew it - to determine when, look at the cert templates you use to determine the validity period and do it 6 months before that for researching, with an implementation goal of 1 month prior (e.g. if you only issue 1 year certs, plan to start researching how to renew 18 months prior to expiration with an implementation target of 13 months or more).
Passing thought - was the 2003 DC upgraded from 2000 or not?  If not, no worries; if so, you may need to check to determine what the windows directory was named (is it c:\windows\ or c:\winnt\ - should be windows).
BSModlin (asker):
I ran the command, and opened the correct directory and copied the file.  When I open the PKIVIEW the location is an LDAP name.  Where do I go to paste?  I am confused. Sorry!
Paranormastic:
For LDAP run 'certutil -dspublish FILENAME.crl'
BSModlin (asker):
This is the error I get:

H:\>certutil -dspublish "Structured Asset Services.crl"
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2)
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2)
Could not load Certificate or CRL from file (The system cannot find the file specified. 0x80070002 (WIN32: 2))
CertUtil: -dsPublish command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.

H:\>
The file has spaces...
Paranormastic:
Do you need to supply the path?  Or is it at "H:\Structured Asset Services.crl"?
I don't think the spaces matter, but you can rename it if you think it is being a problem.
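The CRL steps from this thread (certutil -crl, copy the .crl out of certenroll to the file/HTTP CDP folders, certutil -dspublish for the LDAP CDP) collected into one script, as an added example that is not from the thread or from Microsoft. The share paths are constructed placeholders; take the real CDP locations from PKIView.

```powershell
# Added example (not from the thread). Run elevated on the CA.
# $FileShareCdps are constructed placeholders for the folders behind your
# file/HTTP CDP entries; the LDAP CDP is handled by certutil -dspublish.
param(
    [string[]]$FileShareCdps = @('\\web01\pki', '\\web02\pki')   # placeholders
)
$ErrorActionPreference = 'Stop'
$certEnroll = Join-Path $env:SystemRoot 'system32\certsrv\certenroll'

# 1. Issue a new base CRL (same command the thread uses).
& certutil -crl | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed with exit code $LASTEXITCODE" }

# 2. Pick the newest base CRL; delta CRLs are named '<CA>+.crl' and are skipped.
$crl = Get-ChildItem -Path $certEnroll -Filter '*.crl' |
       Where-Object { $_.Name -notlike '*+.crl' } |
       Sort-Object LastWriteTime -Descending |
       Select-Object -First 1
if (-not $crl) { throw "No base CRL found in $certEnroll" }

# 3. Copy it to every file/HTTP CDP folder.
foreach ($dest in $FileShareCdps) {
    Copy-Item -Path $crl.FullName -Destination $dest -Force
}

# 4. Publish to the LDAP CDP. The full path is passed and quoted: the
#    'system cannot find the file' error in the thread came from running
#    -dspublish from a directory that did not contain the .crl.
& certutil -dspublish "$($crl.FullName)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }

# 5. Show the new CRL's validity window so you can confirm NextUpdate moved forward.
& certutil -dump "$($crl.FullName)" | Select-String 'ThisUpdate|NextUpdate'
```

Run it once per CA before the backup, and keep a copy of the previous .crl alongside in case the restore has to be rolled back.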
BSModlin (asker):
That worked! I am going to uninstall Cert Service tomorrow morning, demote, re-install, promote, and re-install Cert Services.  I will reply back with results!  Thank you for your help! Reply with any additional info you think I might need!  Thanks again!
BSModlin (asker):
OK, I have successfully demoted, re-installed server 2008, promoted to DC, installed Certificate Services, and restored the private key and database files.  Everything "seems" to be successful, but how can I verify that all is well with the Cert Services migration?
Paranormastic:
Make a backup copy of the existing CRL.
Issue a new CRL and distribute to the CDP locations (all of them).
Pull up an SSL page or something that uses a cert and make sure it doesn't pop an error.

You can also check the CA MMC under Issued Certificates and make sure you still have a bunch of certs from before the upgrade.