
PDC Decommission/Certificate Authority questions

I'm a college student currently working on decommissioning a primary domain controller for the first time, so bear with me.

The PDC in question runs on Windows 2000, and is long past retirement. The new one runs off Windows 2003. Last week, I transferred all the FSMO roles and the global catalog, then brought the W2K Server offline without demoting it to see if there are any errors.

Lo and behold, every 24 hours I receive the following errors in the new DC's system event logs:
Event ID: 20
Source: KDC
Type: Warning

The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.  Smartcard logon may not function correctly if this problem is not remedied.  Have the system administrator check on the state of the domain's public key infrastructure.  The chain status is in the error data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Directory Service logs:

Event ID 1864
Source: NTDS Replication
Type: Error
This is the replication status for the following directory partition on the local domain controller.
Directory partition:
The local domain controller has not recently received replication information from a number of domain controllers.   The count of domain controllers is shown, divided into the following intervals.
More than 24 hours:
More than a week:
More than one month:
More than two months:
More than a tombstone lifetime:
Tombstone lifetime (days):
 Domain controllers that do not replicate in a timely manner may encounter errors. It may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
To identify the domain controllers by name, install the support tools included on the installation  CD and run dcdiag.exe.
You can also use the support tool repadmin.exe to display the replication latencies of the domain controllers in the forest.   The command is "repadmin /showvector /latency <partition-dn>".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event ID 2092
Source: NTDS Replication
Type: Warning
 This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: DC=mydomain,DC=com
User Action:
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

After some research I have found out the W2K domain controller is acting as a Certificate Authority. So...

Is it possible to simply remove the CA and not transfer it to the new DC? According to Microsoft, I will have to upgrade the W2K to 2003 before I am able to migrate.
What are the ramifications of having no CA? Is it required by Active Directory?
Are the directory service events normal since I did not demote the W2K DC from Active Directory?

Everything has been running without issue for over a week. Any further input on how to approach decommissioning the W2K server would be appreciated.

1 Solution
If you have transferred all the roles and GC, a few of the events are normal, and as far as the CA is concerned, it's not required by AD; make sure no CA services are installed. Also try demoting the Win2K AD so whatever remains will be transferred to Win2003...
Paranormastic (Cryptographic Engineer) commented:
You need to check the CA to see what kinds of certs it is issuing (certsrv.msc / Certification Authority MMC snap-in) by viewing the certificate templates folder of the CA (not the Certificate Templates MMC snap-in...). If it was Windows 2000 there should be at least a Domain Controllers template issued to the CA, and a CAExchange template (this is for the CA to exchange keys securely - not Exchange as in the email server app...). If that's all there is then your best bet is probably to decommission the old CA and, if you choose to install a new one, to go ahead and do so - this way you at least know how it is configured and it avoids the hassle of migration and keeping the old machine name around, etc. It is probably not necessary to reinstall the CA unless you want to do more with it - AD will work fine without one.

How to properly decom a CA from AD:

For installing a new CA for a small company probably your best bet is to get the PKI book for 2003 written by Brian Komar which will walk you through exactly what you need to do as well as introduce you to various terminology and important concepts.  There is a lot more that goes into setting up and maintaining a CA properly than clicking next a couple of times.

If you find other templates, then take a look at them. Windows 2000 did not offer much for templates, so what they are should be pretty straightforward. The main ones to look out for are EFS (Basic EFS and EFS Recovery Agent), Code Signing, Smartcard Logon/User, and WebServer certificates - these may need a little more attention. If you have any questions, post back.
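To put the two checks above into practice before pulling the old CA, here is an added PowerShell diagnostic (not from the thread or its participants). It assumes PowerShell 3+ on the new DC, that the old CA is still reachable for the inventory step, and that the CA config string is a placeholder you replace; the two EKU OIDs are the standard ones for KDC and Server Authentication.

```powershell
# Added diagnostic (not from the thread). Assumes PowerShell 3+ on the new DC and
# that the $caConfig argument (a placeholder) is replaced with the old CA's "host\CA name".

# --- Part 1: why is the KDC logging Event ID 20? ---
# The KDC selects a machine cert with one of these EKUs; Event 20 fires when that cert
# no longer chains to a trusted, reachable CA (e.g. the W2K CA has gone offline).
$kdcEku        = '1.3.6.1.5.2.3.5'   # KDC Authentication (PKINIT)
$serverAuthEku = '1.3.6.1.5.5.7.3.1' # Server Authentication (W2K/2003 Domain Controller template)

function Get-KdcCertificateStatus {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $kdcEku -or
        $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthEku
    } | ForEach-Object {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'   # the CRL must be reachable as well
        $valid = $chain.Build($_)
        [pscustomobject]@{
            Subject     = $_.Subject
            Issuer      = $_.Issuer                      # the CA this DC still depends on
            NotAfter    = $_.NotAfter
            ChainValid  = $valid
            ChainStatus = ($chain.ChainStatus.Status -join ', ')  # same detail Event 20 puts in its error data
        }
    }
}

# --- Part 2: what is the old CA still vouching for? ---
# Counts issued (Disposition=20), unexpired certs per template and flags the templates
# Paranormastic singles out, so you know what stops working once the CA is gone.
$sensitiveTemplates = 'EFS','EFSRecovery','CodeSigning','SmartcardLogon','SmartcardUser','WebServer'

function Get-CaTemplateUsage([string]$caConfig) {
    $rows = certutil -config $caConfig -view -restrict 'Disposition=20' `
                -out 'CertificateTemplate,CommonName,NotAfter' csv |
            Select-Object -Skip 1 |                       # drop certutil's header row
            ConvertFrom-Csv -Header Template,CommonName,NotAfter
    $rows | Where-Object { [datetime]$_.NotAfter -gt (Get-Date) } |
        Group-Object Template | ForEach-Object {
            [pscustomobject]@{
                Template    = $_.Name
                LiveCerts   = $_.Count
                NeedsReview = ($sensitiveTemplates -contains $_.Name)
            }
        }
}

Get-KdcCertificateStatus | Format-List
Get-CaTemplateUsage -caConfig 'OLDDC.mydomain.com\MyOldCA'   # placeholder CA config string
```

If Part 1 shows the DC's only certificate chaining to the W2K CA with ChainValid false, the Event ID 20 warnings will continue until that certificate is replaced by a new CA or the DC is left without PKINIT (which only matters if smart card logon is in use).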
Daftpunk (Author) commented:
Thanks! Great info