Certificate authority and my inherited mess

I inherited a real nightmare at a new customers office.  Here is the nightmare.
Windows SBS 2003.  Runs great now (had a few problems, they were solved by you guys, thanks).  Windows Server 2003.  Was running as a member server and then for some dumbass reason they guy made it a domain controller.  Uggh.  Unfortunately when I tried to demote it, it was running the certificate services and the demotion would not go through.  
I looked at the certificate services and it only has 2 active certificates and they both point to the SBS 2003 server.  It appears that the only thing they are running or being used for is for self signed certificates that run the Remote services.  They dont appear to be using OWA at all and not even using RPC over HTTP.  
What is the best way to demote the server to make it a member server again?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Shreedhar EtteCommented:

Refer below mentioned article to decommission the certification authority:

After that you can demote the Windows 2003 server to a member server.

Note: Before making any changes take the System State backup of both the servers.

I hope this helps,

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jonmenefeeAuthor Commented:
Thanks Shree, I will give that a try tonight :)
You need FIRST desactive SSL services  that use self signed  certificates in your SBS ( only 2 services run )

Certificate Server is a CA then you need revoke all active certificates that are issued  for CA :
   1. Click Start -> Administrative Tools ->Certification Authority
   2. Expand your CA, and  click  Issued Certificates folder
   3. In right pane, click one of  issued certificates, and  press CTRL+A  select all issued certificates
   4. Right-click  selected certificates, click All Tasks, and  click Revoke Certificate.
   5. In  Certificate Revocation dialog box, click to select Cease of Operation as the reason for revocation, and then click OK.

Now increase the CRL publication interval
   1. In Certifications Authority Microsoft Management Console  snap in, right click the Revoked Certificates folder, and then click Properties
   2. In the CRL Publication Interval box, type a suitably long value, and then click OK

 After  you need publish a new CRL
   1. In the Certification Authority MMC snap-in, right-click the Revoked Certificates folder.
   2. Click All Tasks, and then click Publish.
   3. In the Publish CRL dialog box, click New CRL, and then click OK.

Is necesary Deny any pending requests

By default, an enterprise CA does not store certificate requests.
However, an administrator can change this default behavior.
You need to know this state and  deny any pending certificate requests, follow these steps:

   1. In the Certification Authority MMC snap in, click the Pending Requests folder.
   2. In the right pane, click one of the pending requests, and then press CTRL+A to select all pending certificates.
   3. Right-click the selected requests, click All Tasks, and then click Deny Request.

Uninstall Certificate Services from the server
   1. To stop Certificate Services, click Start, click Run, type cmd, and the click OK.
   2. At the command prompt, type  certutil  -shutdown  , and then press ENTER.
   3. To list all key stores for the local computer, type  certutil  -key  at the command prompt.
This command display the names of all  installed cryptographic service providers (CSP) and the key stores that are associated with each provider.

Microsoft Enhanced Cryptographic Provider v1.0:
  MS IIS DCOM ClientSYSTEMS-1-5-18
  MS IIS DCOM Server
  Windows2000 Enterprise Root CA
  MS IIS DCOM ClientAdministratorS-1-5-21-436374069-839522115-1060284298-500

Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

Part II

In the last example you need to see only when is CA for example in the last paragraph you see :
       Windows2000Enterprise Root CA

4.-Delete the private key that is associated with the CA.
Type the following at a command prompt:

            certutil  -delkey "Windows2000 Enterprise Root CA"

5.- List  key stores again that you need  verify  the private key for  CA has been deleted.
6.- After you delete the private key for your CA, uninstall Certificate Services.

To do this, follow these steps:
   a. Close the Certification Authority MMC snap-in if it is still open.
   b. Click Start, point to Control Panel, and then click Add /Remove Programs.
   c. Click Add/Remove Windows Components.
   d. In the Components box, click to clear the Certificate Services check box, click Next, and then follow the instructions in the Windows Components Wizard to complete the removal of Certificate Services.

NOW you need remove CA objects from Active Directory
When Microsoft Certificate Services is installed on a server that is a member of a domain, several objects are created in the configuration container in Active Directory.

These objects are the following:

    * certificateAuthority object
          o Located in CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain.
          o Contains the CA certificate for the CA.
          o Published Authority Information Access (AIA) location.
    * crlDistributionPoint object
          o Located in CN=ServerName,CN=CDP,CN=Public Key Service,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
          o Contains the CRL periodically published by the CA.
          o Published CRL Distribution Point (CDP) location
    * certificationAuthority object
          o Located in CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
          o Contains the CA certificate for the CA.
    * pKIEnrollmentService object
          o Located in CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
          o Created by the enterprise CA.
          o Contains information about the types of certificates the CA has been configured to issue. Permissions on this object can control which security principals can enroll against this CA.

Remove all Certification Services objects from Active Directory

Delete certificates published to the NtAuthCertificates object

To remove the CA database, delete the %systemroot%\System32\Certlog folder.

Clean up domain controllers
Windows Server 2003 Resource Kit tools also includes the Pkiview.msc utility to help you remove CA objects from the domain.

AFTER ALL THIS maybe you DEMOTE Domain Controller of this your SBS

jonmenefeeAuthor Commented:
Thanks for the comment Jzel.  :-)
jonmenefeeAuthor Commented:
Shreedhar solution was perfect.  Jzel put on this page the exact step by step solution that Shreedhar used (word for word).
Thank you both for quick responses to an interesting problem :-)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking Hardware-Other

From novice to tech pro — start learning today.