Solved

PDC Decommission/Certificate Authority questions

Posted on 2010-09-09
Last Modified: 2013-12-05
I'm a college student currently working on decommissioning a primary domain controller for the first time, so bear with me.

The PDC in question runs on Windows 2000, and is long past retirement. The new one runs Windows 2003. Last week, I transferred all the FSMO roles and the global catalog, then brought the W2K server offline without demoting it to see if there were any errors.

Lo and behold, every 24 hours I receive the following errors in the new DC's System event log:
Event ID: 20
Source: KDC
Type: Warning

The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.  Smartcard logon may not function correctly if this problem is not remedied.  Have the system administrator check on the state of the domain's public key infrastructure.  The chain status is in the error data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Directory Service logs:

Event ID 1864
Source: NTDS Replication
Type: Error
This is the replication status for the following directory partition on the local domain controller.
 
Directory partition:
DC=mydomain,DC=com
 
The local domain controller has not recently received replication information from a number of domain controllers.   The count of domain controllers is shown, divided into the following intervals.
 
More than 24 hours:
1
More than a week:
1
More than one month:
0
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
60
 Domain controllers that do not replicate in a timely manner may encounter errors. It may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
 
To identify the domain controllers by name, install the support tools included on the installation  CD and run dcdiag.exe.
You can also use the support tool repadmin.exe to display the replication latencies of the domain controllers in the forest.   The command is "repadmin /showvector /latency <partition-dn>".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------
Event ID 2092
Source: NTDS Replication
Type: Warning
 This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
 
FSMO Role: DC=mydomain,DC=com
 
User Action:
 
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
 
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----

After some research I have found out the W2K domain controller is acting as a Certificate Authority. So...

Is it possible to simply remove the CA and not transfer it to the new DC? According to Microsoft, I will have to upgrade the W2K server to 2003 before I am able to migrate it.
What are the ramifications of having no CA? Is it required by Active Directory?
Are the Directory Service events normal, since I did not demote the W2K DC from Active Directory?

Everything has been running without issue for over a week. Any further input on how to approach decommissioning the W2K server would be appreciated.



Question by:Daftpunk
3 Comments
 
LVL 10

Expert Comment

by:Bawer
ID: 33641531
If you have transferred all the roles and the GC, a few of the events are normal. As far as the CA is concerned, it's not required by AD; make sure no CA services are installed. Also try demoting the Win2K AD so whatever remains will be transferred to Win2003...
 
LVL 31

Accepted Solution

by: Paranormastic (earned 500 total points)
ID: 33641938
You need to check the CA to see what kinds of certs it is issuing (certsrv.msc / Certification Authority MMC snap-in) by viewing the Certificate Templates folder of the CA (not the Certificate Templates MMC snap-in...). If it was Windows 2000 there should be at least a Domain Controllers template issued to the CA, and a CAExchange template (this is for the CA to exchange keys securely - not Exchange as in the email server app...). If that's all there is then your best bet is probably to decommission the old CA and, if you choose to install a new one, to go ahead and do so - this way you at least know how it is configured and it avoids the hassle of migration and keeping the old machine name around, etc. It is probably not necessary to reinstall the CA unless you want to do more with it - AD will work fine without one.

How to properly decom a CA from AD:
http://support.microsoft.com/kb/889250

For installing a new CA for a small company probably your best bet is to get the PKI book for 2003 written by Brian Komar which will walk you through exactly what you need to do as well as introduce you to various terminology and important concepts.  There is a lot more that goes into setting up and maintaining a CA properly than clicking next a couple of times.

If you find other templates, then take a look at them. Windows 2000 did not offer much for templates, so what they are should be pretty straightforward. The main ones to look out for are EFS (Basic EFS and EFS Recovery Agent), Code Signing, Smartcard Logon/User, and WebServer certificates - these may need a little more attention. If you have any questions post back.
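As an added example (not code from the thread or from Microsoft), the following PowerShell script performs the check described in the accepted answer without the MMC: it reads the pKIEnrollmentService object that Active Directory keeps for every Enterprise CA in the Configuration partition and lists the templates each CA issues, tagging the ones the answer singles out for review. It assumes it is run as a domain user on a domain-joined machine and uses plain ADSI so it does not need the ActiveDirectory module (which a 2003-era forest will not have); the template grouping is taken from the answer above and is an assumption for any other environment.

```powershell
# Added example: inventory Enterprise CAs registered in AD and the templates
# they issue, so the CA can be retired (KB 889250) with eyes open.
# Assumes: run as a domain user on a domain member; a standard Configuration
# partition layout; template names as they appear in the CA's published list.

# Templates that only serve the DCs/CA itself and need no migration plan.
$routine   = @('DomainController', 'CAExchange')
# Templates whose issued certificates protect data or identities. Retiring the
# CA without a plan for these breaks EFS recovery, code signing, smartcard
# logon and TLS on internal web servers (the answer's "needs more attention").
$sensitive = @('EFS', 'EFSRecovery', 'CodeSigning',
               'SmartcardLogon', 'SmartcardUser', 'WebServer')

$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = $rootDse.configurationNamingContext
$enrollSvc = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

# Each child is one pKIEnrollmentService object, i.e. one Enterprise CA.
foreach ($ca in $enrollSvc.Children) {
    $caName  = $ca.cn.Value
    $dnsHost = $ca.dNSHostName.Value
    Write-Output "CA '$caName' hosted on $dnsHost"

    # certificateTemplates is multi-valued; @() gives an array even when empty.
    $templates = @($ca.certificateTemplates)
    if ($templates.Count -eq 0) {
        Write-Output '  issues no templates - nothing to migrate before cleanup'
        continue
    }
    foreach ($t in $templates) {
        $tag = if ($sensitive -contains $t) { 'REVIEW ' }
               elseif ($routine -contains $t) { 'routine' }
               else { 'other  ' }
        Write-Output ('  [{0}] {1}' -f $tag, $t)
    }
}
```

If the old W2K host still appears here after the CA service has been removed from it, the stale enrollment object is exactly what the KB 889250 cleanup steps are meant to remove.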
 

Author Closing Comment

by:Daftpunk
ID: 33664233
Thanks! Great info
