AAIAdmin asked:

Removing Certificate Services to run DCPROMO

The last couple of weeks I have been working on getting a second Windows Server 2003 Standard Edition machine up and running simultaneously on the network. The goal is to duplicate the original server in every way and then take it down and have everything running as normal.

So far on the new server I have installed Server 2003 Standard Ed., promoted it to DC and Global Catalog, installed DNS, moved over FSMO roles, and demoted the original DC as Global Catalog. Now, I'm trying to demote the original server as DC by running DCPROMO, but I get a message saying "Before you can install or remove Active Directory, you must remove Certificate Services".

So far, I have mainly referenced these articles:
https://www.experts-exchange.com/questions/24510772/Removing-Certificate-Services-to-run-DCPROMO.html

http://support.microsoft.com/kb/298138

I guess these are my two main questions:

1. Could I just install Certificate Services and start fresh on the new server instead of moving over the CA from the original DC? It seems like both servers have to be the same name and they are not the same name.

2. What are the implications of doing number 1? What sort of functionality would I lose by not moving the CA from the original server to the new server and just starting fresh on the new DC?

p_nuts

Well... That really depends on your setup... If you have websites or OCS / Lync servers, it's more work than if it's only AD...
If the old CA only issued a few certificates and if you know where all these certificates are being used, these can be reissued after you install it on the new DC.

AAIAdmin (ASKER)

As far as I know (I inherited this responsibility), there are only like two certs being used. One is for a content filter and one is the actual DC itself. How would I confirm all the certs installed on the old server so as to make sure to reissue them on the new DC?

I'm not familiar with OCS/Lync servers so I think it is safe to assume that we don't have any.
ASKER CERTIFIED SOLUTION
CERTExpert

This solution is only available to members.

How do I confirm what certs are being used on the old DC and need to be reissued on the new one after I uninstall Certificate Services and demote via dcpromo?
As I pointed out earlier, a DC will automatically get a certificate when you install an enterprise CA in the domain, and it can use any valid certificate which has the Server Authentication OID in it and fulfills the other requirements as per http://support.microsoft.com/kb/321051, so you don't need to manually issue a certificate to a DC.
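
One way to work through the inventory question raised in this thread, as an added example that is not part of the original posts: a Python script that triages a CSV export of the old CA's issued certificates into those that need manual reissue from the new CA, those that domain controllers obtain automatically (as the last reply describes), and those already expired. The column names, the template name, the date format and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample of an issued-certificates export from the old CA.
# Column names, date format and rows are assumptions, not real data.
SAMPLE_EXPORT = """RequestID,RequesterName,CommonName,NotAfter,CertificateTemplate
2,EXAMPLE\\OLDDC$,olddc.example.local,2010-06-01,DomainController
3,EXAMPLE\\admin,filter.example.local,2010-09-15,WebServer
4,EXAMPLE\\admin,oldapp.example.local,2008-01-10,WebServer
5,EXAMPLE\\NEWDC$,newdc.example.local,2010-07-20,DomainController
"""

# Templates that domain controllers enroll for on their own once an
# enterprise CA exists in the domain (assumed template name).
AUTO_ENROLLED_TEMPLATES = {"DomainController"}

DATE_FORMAT = "%Y-%m-%d"


def triage(export_text, today):
    """Sort issued certificates into reissue / auto / expired buckets.

    export_text: CSV text with the columns shown in SAMPLE_EXPORT.
    today: reference date as a YYYY-MM-DD string.
    """
    cutoff = datetime.strptime(today, DATE_FORMAT)
    result = {"reissue": [], "auto": [], "expired": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        not_after = datetime.strptime(row["NotAfter"].strip(), DATE_FORMAT)
        name = row["CommonName"].strip()
        if not_after < cutoff:
            bucket = "expired"   # no longer valid, nothing to replace
        elif row["CertificateTemplate"].strip() in AUTO_ENROLLED_TEMPLATES:
            bucket = "auto"      # DCs pick up a new certificate themselves
        else:
            bucket = "reissue"   # must be requested again from the new CA
        result[bucket].append(name)
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_EXPORT, "2009-07-01")
    for bucket, names in report.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Certificates revoked on the old CA are not handled here; the export is assumed to contain only certificates that were issued and not revoked.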