Removing Certificate Services to run DCPROMO

Posted on 2011-05-07
Medium Priority
Last Modified: 2012-05-11
The last couple of weeks I have been working on getting a second Windows Server 2003 Standard Edition machine up and running simultaneously on the network. The goal is to duplicate the original server in every way and then take it down and have everything running as normal.

So far on the new server I have installed Server 2003 Standard Ed., promoted it to DC and Global Catalog, installed DNS, moved over FSMO roles, and demoted the original DC as Global Catalog. Now, I'm trying to demote the original server as DC by running DCPROMO, but I get a message saying "Before you can install or remove Active Directory, you must remove Certificate Services"

So far, I have mainly referenced these articles:


I guess these are my two main questions:

1. Could I just install Certificate Services and start fresh on the new server instead of moving over the CA from the original DC? It seems like both servers have to be the same name and they are not the same name.

2. What are the implications of doing number 1? What sort of functionality would I lose by not moving the CA from the original server to the new server and just starting fresh on the new DC?
Question by: AAIAdmin

Expert Comment

ID: 35713660
Well, that really depends on your setup. If you have websites or OCS/Lync servers it's more work than if it's only AD.

Expert Comment

ID: 35714451
If the old CA only issued a few certificates and you know where all these certificates are being used, they can be reissued after you install it on the new DC.

Author Comment

ID: 35715553
As far as I know (I inherited this responsibility), there are only like two certs being used. One is for a content filter and one is the actual DC itself. How would I confirm all the certs installed on the old server so as to make sure to reissue them on the new DC?

I'm not familiar with OCS/Lync servers, so I think it is safe to assume that we don't have any.

Accepted Solution

CERTExpert earned 2000 total points
ID: 35716839
The DC will automatically get a certificate when you install an enterprise CA in the domain so you don't need to worry about issuing a certificate to the DC, however make sure to delete the old one.
Also, you would need to reissue the other certificates; this link http://blog.insideocs.com/2010/11/02/microsoft-lync-server-certificates-whats-new-tips/ gives some insight into installing/requesting certificates from Lync Server.

Author Comment

ID: 35729241
How do I confirm what certs are being used on the old DC and need to be reissued on the new one after I uninstall Certificate Services and demote via dcpromo?

Expert Comment

ID: 35806637
As I pointed out earlier, a DC will automatically get a certificate when you install an enterprise CA in the domain, and it can use any valid certificate that has the Server Authentication OID in it and fulfills the other requirements per http://support.microsoft.com/kb/321051, so you don't need to manually issue a certificate to a DC.
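The author asked twice how to confirm which certificates the old CA issued and which ones are in use on the old DC, and the accepted solution adds that the old DC certificate should be deleted once the new enterprise CA has issued a replacement. The following PowerShell script is an added example that is not part of the thread: it pulls the issued-certificate inventory out of the CA database with certutil, lists the certificates in the local machine store that chain to the old CA, and checks each Server Authentication certificate against the KB 321051 requirements (Server Authentication EKU, private key present, DC FQDN in the Subject or SAN, valid chain). The CA common name 'OldCA' and the use of PowerShell 2.0 or later (installable on Server 2003) are assumptions; the certutil column names are standard CA database columns, and `certutil -schema` lists the valid ones if your CA rejects any.

```powershell
# Added example, not from the original thread. Run on the OLD DC/CA before
# uninstalling Certificate Services and running DCPROMO.
# Assumptions: the old CA's common name is 'OldCA' (change to match yours);
# PowerShell 2.0 or later (ConvertFrom-Csv, New-Object -Property).

$OldCaName = 'OldCA'                                                     # assumption
$DcFqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()

# --- 1. What has the old CA ever issued? (authoritative list; the content
#        filter cert will be here even though it is not in the DC's store)
#        Disposition=20 restricts the view to issued (not revoked) certificates.
function Get-CaIssuedCerts {
    $raw = certutil -view -restrict "Disposition=20" `
        -out "RequestID,RequesterName,CommonName,NotAfter,CertificateTemplate" csv
    $raw | ConvertFrom-Csv
}

# --- 2. Which certs in this machine's store were issued by the old CA?
function Get-CertsFromCa {
    param([string]$CaName, [string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem $StorePath | Where-Object { $_.Issuer -match "CN=$([regex]::Escape($CaName))(,|$)" }
}

# --- 3. Does a certificate satisfy the KB 321051 DC requirements?
function Test-DcAuthCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

    # EKU extension: must contain Server Authentication
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $hasServerAuth = $false
    if ($eku) {
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    }

    # DC name must appear in the Subject CN or in the SAN (OID 2.5.29.17)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    $nameOk = ($Cert.Subject -match [regex]::Escape("CN=$Fqdn"))
    if (-not $nameOk -and $san) { $nameOk = ($san.Format($false) -match [regex]::Escape($Fqdn)) }

    # Chain must build to a trusted root (the old CA's root is still trusted now;
    # re-run this after the old CA is gone to see which certs stop validating)
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Cert)

    New-Object PSObject -Property @{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey
        ServerAuthEku = $hasServerAuth
        NameMatches   = $nameOk
        ChainValid    = $chainOk
    }
}

Write-Host "== Certificates issued by the CA on this server (from the CA database) =="
Get-CaIssuedCerts | Format-Table RequestID, RequesterName, CommonName, NotAfter, CertificateTemplate -AutoSize

Write-Host "== Certificates in LocalMachine\My issued by $OldCaName =="
Get-CertsFromCa -CaName $OldCaName | Format-Table Thumbprint, Subject, NotAfter -AutoSize

Write-Host "== Server Authentication certificates on $DcFqdn checked against KB 321051 =="
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-DcAuthCert -Cert $_ -Fqdn $DcFqdn } |
    Where-Object { $_.ServerAuthEku } |
    Format-Table Thumbprint, HasPrivateKey, NameMatches, ChainValid, NotAfter, Issuer -AutoSize

# Once the new enterprise CA has auto-enrolled the DC (re-run the check above and
# confirm a cert from the NEW CA passes), remove the old DC cert by thumbprint:
#   certutil -delstore My <thumbprint-of-old-DC-cert>
```

The first listing is the one to work from when deciding what must be reissued from the new CA: every row whose subject is not the DC itself (here, the content filter) needs a new certificate requested from the new enterprise CA and installed on the system that uses it, because nothing will be able to build a chain to the old CA once it is uninstalled. The third listing is the check to repeat on the new DC after the new enterprise CA is installed: a certificate with `ServerAuthEku`, `HasPrivateKey`, `NameMatches` and `ChainValid` all true, issued by the new CA, is what the accepted solution says the DC will obtain automatically.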
