Removing Certificate Services to run DCPROMO

BSModlin
I am trying to demote my SBS2003 server.  I have moved all services and data off to another server, and have a new functional DC/GC running.  When I run DCPROMO to demote the old server I get:

Before you can install or remove Active Directory, you must remove Certificate Services.

How can I move this to another server?

I currently have valid SSL certs on a web server and my Exchange 2007 server.  Will they be impacted?

Please help ASAP!
Paranormastic (Cryptographic Engineer)

Commented:
How to move a CA off of a DC:
http://support.microsoft.com/kb/555012
http://windowsitpro.com/article/articleid/97565/moving-a-certificate-authority-ca-to-another-dc.html

Just to save some typing, here are some recommendations:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24501876.html


>>Will they be impacted?
Make sure to publish a fresh CRL before doing anything with the CA - this will give you the maximum timeframe to recover.  Also, go into the Certification Authorities MMC and right click CAName (the name of your CA) - All Tasks - Backup CA - follow the wizard and choose to back up the private key and the CA database (do not choose incremental).

If you can set up a new box with the same name as the CA you are decommissioning, or rejoin this box as a member server, then you can restore the CA onto this same box.  The name of the box is important - including domain membership.  This is precisely one of the top reasons why I recommend never installing the CA on a DC - it should preferably be installed on a dedicated box / VM.

Otherwise, you can maintain the old CRL by extending the validity period prior to decom to be equal to the validity period of the CA cert expiration date (as no issued certs will be valid past that date).  You can then work on migrating your environment over to the new PKI.

Author

Commented:
I have read all the links and am a bit confused...  I was planning on decommissioning the current DC holding the Cert services, formatting it, and installing Server 2008.  Then promoting it to be a DC, but with a new name.  With that in mind, can you PLEASE outline the tasks I will need to perform to get this done?

Also, what are the potential implications of messing this up?  What will happen?  Can I perform these tasks during production hours?

Author

Commented:
I have found this walkthru on the web....
http://windowsitpro.com/article/articleid/97565/moving-a-certificate-authority-ca-to-another-dc.html

Will this work for me?

What additional considerations will I need if the new CA Server is 2008 Server ENT.?

Paranormastic (Cryptographic Engineer)
Commented:
That's still a little too much.  This one would be a bit closer:
How to move a CA to another server:
http://support.microsoft.com/kb/298138

Is the old OS 2003 Ent and the new OS 2008 Ent?  Or was the old standard edition?  That will matter - not a show stopper, but extra work is required if changing editions, just let me know.

Here is the high level process:
1. Back up the CA database and private key, and issue a new CRL as described in my last post.  Also, run 'certutil -backupDB' and 'certutil -backupKey'.  Place a copy of these on removable media (floppy, flash drive, etc.) - this is your 'things went really bad and the backup didn't work' copy that you can use to keep the CRL from expiring indefinitely.  Note that if the CRL expires, none of your certs will work.  Since it contains the CA private key - keep this locked up under very tightly controlled access.
2. Back up the server including system state to new tape.
3. Verify the backup.
4. Uninstall certificate services - keep the CA database.
5. Run DCPROMO to demote DC.
6. Personal recommendation is to run another fresh backup here.
7. Do whatever prep work you may need to do for migrating your DC, etc. to 2008.  Nothing special for the CA here - just don't rename the machine or you will need to install a new CA instead of migrating it.
8. Upgrade OS to 2008 Ent.  Any followup stuff you need to do.
9. Promote to DC and any associated work.  Note - do not rename the domain from original or you will need to install a new CA instead of migrating it.
10. Install the Active Directory Certificate Services role.  During the install, you will be able to tell it that you have an existing private key and database file.  If nothing else - you can open the CA MMC at the end and choose to Restore CA from the same area that you backed up in step 1.  Note - the CAName must be exactly the same as before.


As followup, I would recommend issuing a new CRL (certutil -crl) and copying that out to the CDP location(s) and testing that out.  If problems occur, restore a copy of the pre-upgrade CRL.

Fresh backup including system state should be done after everything is confirmed working and archived separately.

Author

Commented:
I noticed that you said "upgrade your OS".  I planned on formatting and re-installing.  Will that be an issue? The original server was SBS 2003.  I recently ran the Transition Pack to bring the server to 2003 Server Standard Edition.  I want to format, and install Server 2008 ENT 64-Bit edition.  How does this change your walkthru?
Paranormastic (Cryptographic Engineer)

Commented:
As long as the new installation has the same server name and will have the same domain name after all is done, shouldn't be an issue.  

I think that since you are doing a clean install instead of an upgrade that the followup tasks that would be necessary for an upgrade may not need to be done.  I will look into this a little bit further, but if nothing else I will post that in a few minutes for what needs to be done just in case.  Shouldn't affect the primary install anyways, it would be followup tasks after the CA has been restored and is functional.

A few other side notes I thought of in the meantime:
If you are going to be upgrading your AD as part of this, do that prior to installing the CA as well to avoid follow up tasks.

Make sure to open the Certificate Templates MMC (certtmpl.msc) after CA is up and running to update AD with the new templates.  If you attempt to issue new certs prior to that, the new templates likely will not be there.  You may need to do this anyways even if not changing AD level (hopefully is already at least 2003 native mode).

Author

Commented:
Ok, great info... Will I be able to take care of all this during production hours?  Will it affect production at all?
Paranormastic (Cryptographic Engineer)

Commented:
Okay, here is the article that talks about upgrade issues from Standard to Enterprise Edition OS.
http://support.microsoft.com/kb/967332

This was an issue with the SKU that you installed as.  I'm not sure on a retail copy, but for volume license you use the same install media and just select which kind of OS you are installing as an early step in the OS installation.  Apparently upgrading that after the initial 2008 install does not update the SKU reference in the registry.  This issue shouldn't apply since you are doing a clean install.

>>Will I be able to take care of all this during production hours?  Will it affect production at all?

The CA shouldn't be an issue as long as the CRL is all good you should be fine.

My personal opinion here, but if you are planning on upgrading a DC during production hours you're nuts.  If this isn't the first 2008 DC you've rolled out, then I suppose maybe you could get away with it since all the AD changes and such would already have been done, and that's where the scariness is.  I wouldn't worry about the CA so much - the DC, however, is another story - that's up to you, your experience with this process, and your comfort level in relation to the DC tasks.

One last thing you should check prior to doing this is the Issued Certificates in the CA database to make sure that there aren't any certs that are about to expire within a couple days of doing this (anything autoenrolled that is still online probably renewed 6 weeks before, by default, so only look at the manually issued certs).  You can filter the Issued certs results based on certificate expiration date being greater than now and less than a week from now.  Don't add anything else unless you have a lot of results - the filter for the CA is pretty touchy in some areas (especially template names).

Author

Commented:
OK, so I need to publish a new CRL before I do anything, correct?  If so, what is the procedure for this?
Paranormastic (Cryptographic Engineer)

Commented:
Run from cmd prompt:
certutil -crl

Open %systemroot%\system32\certsrv\certenroll directory and locate the .crl file and copy to the CDP locations.

To determine your CDP locations, open PKIView.msc (from the 2003 resource kit if you don't have it installed) and expand out your PKI and select your CA, then the AIA and CDP points will be listed on the right.  The AIA is for the cert to go to, the CDP is for the CRL to go to.  Right now you only need to worry about the CDP.  If there is one for LDAP, do 'certutil -dspublish filename.crl'

Side note, but the AIA will only be a concern some day down the line when you need to renew your CA cert - if you don't track that you want to set a calendar reminder to renew it - to determine when, look at the cert templates you use to determine the validity period and do it 6 months before that for researching, with an implementation goal of 1 month prior (e.g. if you only issue 1 year certs, plan to start researching how to renew 18 months prior to expiration with an implementation target of 13 months or more).
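The publish-and-distribute steps above, wrapped into one script as an added example (this is not from the thread or from Microsoft; it only chains the certutil commands the expert names). It assumes the base CRL in CertEnroll is named after the CA, that `certutil -dump` prints a `NextUpdate:` line, and that the CA name and the file-share CDP path are placeholders you replace with what pkiview.msc shows; the expiry guard refuses to continue when the fresh CRL would leave less than a week of validity, which is the failure mode ("if the CRL expires, none of your certs will work") the thread warns about.

```powershell
# Added example, not from the thread: issue a fresh CRL, check its NextUpdate,
# keep a dated copy, then distribute it to the file/HTTP CDP and the LDAP CDP.
$CaName     = 'YOUR-CA-NAME'                     # placeholder: common name of the CA
$CertEnroll = Join-Path $env:SystemRoot 'System32\certsrv\CertEnroll'
$FileCdp    = '\\webserver\pki$'                 # placeholder: file/HTTP CDP shown in pkiview.msc
$MinDays    = 7                                  # refuse to proceed if the new CRL expires sooner

# 1. Issue a fresh base CRL (the same 'certutil -crl' from the thread).
& certutil -crl | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed with exit code $LASTEXITCODE" }

# 2. Locate the CRL. Spaces in the name are fine: PowerShell passes the path as one argument.
$CrlFile = Join-Path $CertEnroll "$CaName.crl"
if (-not (Test-Path -LiteralPath $CrlFile)) { throw "CRL not found: $CrlFile" }

# 3. Read NextUpdate from 'certutil -dump' and stop early if the validity window is short.
$dump  = & certutil -dump $CrlFile
$match = $dump | Select-String -Pattern '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1
if (-not $match) { throw "Could not find NextUpdate in certutil -dump output" }
$nextUpdate = [datetime]::Parse($match.Matches[0].Groups[1].Value)
$daysLeft   = ($nextUpdate - (Get-Date)).TotalDays
Write-Host ("CRL NextUpdate {0:yyyy-MM-dd HH:mm} ({1:N1} days from now)" -f $nextUpdate, $daysLeft)
if ($daysLeft -lt $MinDays) {
    throw "Only $([math]::Round($daysLeft,1)) days of CRL validity; extend the CRL period first"
}

# 4. Keep a dated copy as the emergency fallback the thread recommends.
$backup = Join-Path $CertEnroll ("{0}.{1:yyyyMMdd}.crl.bak" -f $CaName, (Get-Date))
Copy-Item -LiteralPath $CrlFile -Destination $backup

# 5. Distribute: copy to the file/HTTP CDP, then publish to the LDAP CDP.
Copy-Item -LiteralPath $CrlFile -Destination $FileCdp -Force
& certutil -dspublish $CrlFile
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }
Write-Host "CRL published to $FileCdp and to the LDAP CDP; verify with pkiview.msc"
```

Run it on the CA itself from an elevated prompt; `-dspublish` needs rights to write the CDP object in AD, which a CA administrator on the domain normally has.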
Paranormastic (Cryptographic Engineer)

Commented:
Passing thought - was the 2003 DC upgraded from 2000 or not?  If not no worries, if so you may need to check to determine what the windows directory was named (is it c:\windows\ or c:\winnt\ - should be windows).

Author

Commented:
I ran the command, and opened the correct directory and copied the file.  When I open the PKIVIEW the location is a LDAP Name.  Where do I go to paste?  I am confused. Sorry!
Paranormastic (Cryptographic Engineer)

Commented:
For LDAP run 'certutil -dspublish FILENAME.crl'

Author

Commented:
This is the error I get:

H:\>certutil -dspublish "Structured Asset Services.crl"
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32
: 2)
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32
: 2)
Could not load Certificate or CRL from file (The system cannot find the file spe
cified. 0x80070002 (WIN32: 2))
CertUtil: -dsPublish command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.

H:\>

Author

Commented:
The file has spaces...
Paranormastic (Cryptographic Engineer)

Commented:
Do you need to supply the path?  Or is it at "H:\Structured Asset Services.crl"?
Paranormastic (Cryptographic Engineer)

Commented:
I don't think the spaces matter, but you can rename it if you think it is being a problem.

Author

Commented:
That worked! I am going to uninstall Cert Service tomorrow morning, demote, re-install, promote, and re-install Cert Services.  I will reply back with results!  Thank you for your help! Reply with any additional info you think I might need!  Thanks again!

Author

Commented:
OK, I have successfully demoted, re-installed server 2008, promoted to DC, installed Certificate Services, and restored the private key and database files.  Everything "seems" to be successful, but how can I verify that all is well with the Cert Services migration?
Paranormastic (Cryptographic Engineer)

Commented:
Make a backup copy of the existing CRL.
Issue a new CRL and distribute to the CDP locations (all of them).
Pull up an SSL page or something that uses a cert and make sure it doesn't pop an error.

You can also check the CA MMC under Issued Certificates and make sure you still have a bunch of certs from before the upgrade.
