Solved

PDC Decommission/Certificate Authority questions

Posted on 2010-09-09
794 Views
Last Modified: 2013-12-05
I'm a college student currently working on decommissioning a primary domain controller for the first time, so bear with me.

The PDC in question runs on Windows 2000, and is long past retirement. The new one runs on Windows 2003. Last week, I transferred all the FSMO roles and the global catalog, then brought the W2K server offline without demoting it to see if there are any errors.

Lo and behold, every 24 hours I receive the following errors in the new DC's system event logs:
Event ID: 20
Source: KDC
Type: Warning

The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.  Smartcard logon may not function correctly if this problem is not remedied.  Have the system administrator check on the state of the domain's public key infrastructure.  The chain status is in the error data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Directory Service logs:

Event ID 1864
Source: NTDS Replication
Type: Error
This is the replication status for the following directory partition on the local domain controller.
 
Directory partition:
DC=mydomain,DC=com
 
The local domain controller has not recently received replication information from a number of domain controllers.   The count of domain controllers is shown, divided into the following intervals.
 
More than 24 hours:
1
More than a week:
1
More than one month:
0
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
60
 Domain controllers that do not replicate in a timely manner may encounter errors. It may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
 
To identify the domain controllers by name, install the support tools included on the installation  CD and run dcdiag.exe.
You can also use the support tool repadmin.exe to display the replication latencies of the domain controllers in the forest.   The command is "repadmin /showvector /latency <partition-dn>".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------
Event ID 2092
Source: NTDS Replication
Type: Warning
 This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
 
FSMO Role: DC=mydomain,DC=com
 
User Action:
 
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
 
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----

After some research I have found out the W2K domain controller is acting as a Certificate Authority. So...

Is it possible to simply remove the CA and not transfer it to the new DC? According to Microsoft, I will have to upgrade the W2K server to 2003 before I am able to migrate it.
What are the ramifications of having no CA? Is it required by Active Directory?
Are the directory service events normal since I did not demote the W2K DC from Active Directory?

Everything has been running without issue for over a week. Any further input on how to approach decommissioning the W2K server would be appreciated.

Question by:Daftpunk
3 Comments
 
LVL 10

Expert Comment

by:Bawer
ID: 33641531
If you have transferred all the roles and the GC, a few of the events are normal. As far as the CA is concerned, it's not required by AD; make sure no CA services are installed. Also try demoting the Win2K AD so that whatever remains will be transferred to Win2003...
 
LVL 31

Accepted Solution

by: Paranormastic (earned 500 total points)
ID: 33641938
You need to check the CA to see what kinds of certs it is issuing (certsrv.msc / Certification Authority MMC snap-in) by viewing the Certificate Templates folder of the CA (not the Certificate Templates MMC snap-in...).  If it was Windows 2000 there should be at least a Domain Controllers template issued to the CA, and a CAExchange template (this is for the CA to exchange keys securely - not Exchange as in the email server app...).  If that's all there is then your best bet is probably to decommission the old CA and, if you choose to install a new one, to go ahead and do so - this way you at least know how it is configured and it avoids the hassle of migration and keeping the old machine name around, etc.  It is probably not necessary to reinstall the CA unless you want to do more with it - AD will work fine without one.

How to properly decom a CA from AD:
http://support.microsoft.com/kb/889250

For installing a new CA for a small company probably your best bet is to get the PKI book for 2003 written by Brian Komar which will walk you through exactly what you need to do as well as introduce you to various terminology and important concepts.  There is a lot more that goes into setting up and maintaining a CA properly than clicking next a couple of times.

If you find other templates, then take a look at them.  Windows 2000 did not offer much for templates so what they are should be pretty straight forward.  The main ones to look out for are EFS (Basic EFS and EFS Recovery Agent), Code Signing, Smartcard Logon/User, and WebServer certificates - these may need a little more attention.  If you have any questions post back.
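The two checks the accepted answer describes (which templates the old CA is configured to issue, and whether the new DC's own certificates still chain cleanly, which is what KDC Event ID 20 complains about) can be gathered from one script. This is an added example, not code from the thread or from Microsoft; it assumes you run it as a domain admin on a domain-joined Windows machine with PowerShell, and the template-name pattern it flags is an assumption based on the templates the answer lists.

```powershell
# Added example for this thread (not the asker's or the experts' own script).
# Assumes: run as a domain admin on a domain-joined machine with PowerShell,
# ideally on the new DC whose System log shows KDC Event ID 20.

# 1. Enterprise CAs published in AD and the templates each one is set to issue.
#    Same information the answer says to read from the CA's Certificate
#    Templates folder, but collected for every enterprise CA in the forest.
$configNc  = ([ADSI]"LDAP://RootDSE").Properties['configurationNamingContext'].Value
$enrollSvc = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

foreach ($ca in $enrollSvc.Children) {
    $caName    = $ca.Properties['cn'].Value
    $caHost    = $ca.Properties['dNSHostName'].Value
    $templates = @($ca.Properties['certificateTemplates'].Value | Where-Object { $_ })
    "CA '$caName' on $caHost issues: " + $(if ($templates) { $templates -join ', ' } else { '(none)' })

    # Templates the accepted answer singles out for extra attention (assumed name pattern).
    $sensitive = $templates | Where-Object { $_ -match 'EFS|CodeSigning|SmartCard|WebServer' }
    if ($sensitive) { "  -> review before decommissioning: " + ($sensitive -join ', ') }
}

# 2. This machine's own certificates: issuer, template, expiry, and whether the
#    chain still validates (the condition KDC Event ID 20 reports when it fails).
$templateNameOid = '1.3.6.1.4.1.311.20.2'   # v1 "Certificate Template Name" extension
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateNameOid }
    $tmpl = '(no template extension)'
    if ($ext -and $ext.RawData[0] -eq 0x1E) {
        # DER BMPString: tag 0x1E, one-byte length, UTF-16BE text (template names are short)
        $tmpl = [Text.Encoding]::BigEndianUnicode.GetString($ext.RawData, 2, $ext.RawData[1])
    }
    $chainOk = $cert.Verify()   # $false here is what the KDC warning is about
    "{0} template={1} issuer='{2}' expires={3:yyyy-MM-dd} chainValid={4}" -f `
        $cert.Thumbprint, $tmpl, $cert.Issuer, $cert.NotAfter, $chainOk
}
```

A Domain Controller certificate whose issuer is the old CA and whose chainValid is False is the one to replace (or let lapse, if nothing uses smart card logon) before the W2K box is finally removed.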
 

Author Closing Comment

by:Daftpunk
ID: 33664233
Thanks! Great info