Removing Certificate Services to run DCPROMO

The last couple of weeks I have been working on getting a second Windows Server 2003 Standard Edition machine up and running simultaneously on the network. The goal is to duplicate the original server in every way and then take it down and have everything running as normal.

So far on the new server I have installed Server 2003 Standard Ed., promoted it to DC and Global Catalog, installed DNS, moved over FSMO roles, and demoted the original DC as Global Catalog. Now, I'm trying to demote the original server as DC by running DCPROMO, but I get a message saying "Before you can install or remove Active Directory, you must remove Certificate Services".

So far, I have mainly referenced these articles:
http://www.experts-exchange.com/Networking/Protocols/Application_Protocols/SSL/Q_24510772.html

http://support.microsoft.com/kb/298138

I guess these are my two main questions:

1. Could I just install Certificate Services and start fresh on the new server instead of moving over the CA from the original DC? It seems like both servers have to be the same name and they are not the same name.

2. What are the implications of doing number 1? What sort of functionality would I lose by not moving the CA from the original server to the new server and just starting fresh on the new DC?
Asked by: AAIAdmin
CERTExpert Commented:
The DC will automatically get a certificate when you install an enterprise CA in the domain, so you don't need to worry about issuing a certificate to the DC; however, make sure to delete the old one.
Also, you would need to reissue the other certificates. This link, http://blog.insideocs.com/2010/11/02/microsoft-lync-server-certificates-whats-new-tips/, gives some insight related to installing/requesting certificates from Lync Server.
 
p_nuts Commented:
Well... That really depends on your setup... If you have websites or OCS/Lync servers, it's more work than if it's only AD...
 
CERTExpert Commented:
If the old CA only issued a few certificates, and if you know where all these certificates are being used, they can be reissued after you install it on the new DC.
 
AAIAdmin (Author) Commented:
As far as I know (I inherited this responsibility), there are only like two certs being used. One is for a content filter and one is the actual DC itself. How would I confirm all the certs installed on the old server so as to make sure to reissue them on the new DC?

I'm not familiar with OCS/Lync servers, so I think it is safe to assume that we don't have any.
 
AAIAdmin (Author) Commented:
How do I confirm what certs are being used on the old DC and need to be reissued on the new one after I uninstall Certificate Services and demote via dcpromo?
 
CERTExpert Commented:
As I pointed out earlier, a DC will automatically get a certificate when you install an enterprise CA in the domain, and it can use any valid certificate which has the Server Authentication OID in it and fulfills the other requirements as per http://support.microsoft.com/kb/321051, so you don't need to manually issue a certificate to a DC.
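
One way to take the inventory asked about above, as an added example that is not part of the original thread: the built-in `certutil` tool can dump what the old CA issued and what the old DC itself has installed, before Certificate Services is removed. It assumes a command prompt on the old CA server under an account with CA administrator rights; the output file names are placeholders chosen for this example.

```bat
@echo off
rem Added example (not from the thread). Run on the old server that hosts the CA.
rem Output file names below are placeholders.

rem 1. Certificates the CA has issued (Disposition 20 = issued).
rem    RequesterName and CertificateTemplate show who asked for each
rem    certificate and why; NotAfter shows which ones are still valid.
certutil -view -restrict "Disposition=20" -out "RequestID,RequesterName,CommonName,SerialNumber,NotAfter,CertificateTemplate" > issued-certs.txt

rem 2. Certificates the CA has revoked (Disposition 21 = revoked),
rem    so they are not reissued by mistake on the new CA.
rem    Kept in a separate file because they should not be reissued.
certutil -view -restrict "Disposition=21" -out "RequestID,RequesterName,CommonName,SerialNumber" > revoked-certs.txt

rem 3. Certificates installed in the old server's own computer store
rem    (the DC certificate and anything else bound to local services).
certutil -store My > local-machine-my.txt

echo Review issued-certs.txt for unexpired entries and match each one
echo to the system that uses it before reissuing from the new CA.
```

Entries in `issued-certs.txt` whose `NotAfter` date has passed need no action; the remaining ones are the certificates to reissue from the new CA.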
Question has a verified solution.