jasondimaio

Decommission a 2003 Server - Certificate Services

I've got a Server 2003 DC that I want to demote and decommission.  I've had the Certificate Services Service disabled for months, so I'm positive that demoting this should not be an issue to my environment.  However, when I follow this guide, http://support.microsoft.com/kb/889250 I don't see anything like what they show when I'm even in the certutil -key step.  Can you help me decommission this server, please?
Mike Kline

Were you using cert services on this box before for something? So you see nothing when you type certutil -key?

Just wondering if there were any services on there before.

Another good thread that I've referenced before   http://social.technet.microsoft.com/Forums/en-US/winserversetup/thread/d922860b-c8cd-4ed5-9b0b-05391c18afc0

Thanks

Mike
jasondimaio

ASKER

Oddly, your link takes me to a page where I can edit my TechNet profile.

I don't recall using Cert Svcs for anything other than maybe a self-signed cert or two a while back.  Exchange 2003 used to be on this machine.  I actually didn't build it out.  I inherited it.

When I type certutil -key, I get
Microsoft Strong Cryptographic Provider:
  2dbdc423-b316-47aa-a10d-8479b6f26f36
    AT_KEYEXCHANGE

  ex01
    AT_SIGNATURE

  39eeeb5c-db12-46cf-b190-4939b539b91f
    AT_KEYEXCHANGE

  ex01-Xchg(36)
    AT_KEYEXCHANGE

  EXPWMGMT-9f2ee89acc07425fba591dfbd8fb31fb
    AT_KEYEXCHANGE

  a1e96cee-87d6-407b-b2ff-7ea406a8ca59
    AT_KEYEXCHANGE

  MS IIS DCOM Server
    AT_SIGNATURE, AT_KEYEXCHANGE

  49db4752-e0c6-4358-9cdd-94f41656e7a1
    AT_KEYEXCHANGE

  09ba51f7-74ff-48d3-82d2-282fdf5b7d10
    AT_KEYEXCHANGE

  4640d838-4dda-419a-9ea7-36e355dbf02d
    AT_KEYEXCHANGE

  ex01(1)
    AT_SIGNATURE

  7fe46022-db42-4acf-95b8-e90230725eb1
    AT_KEYEXCHANGE

  33298f50-35cc-446a-941c-7fab615351ae
    AT_KEYEXCHANGE

  47c7fe5c-0be6-4e4c-bb1b-cf3326c437b0
    AT_KEYEXCHANGE

  790f3e5d-75ea-4001-a7ae-bda6aad7b0bd
    AT_KEYEXCHANGE

  5e8e752e-45ed-4001-9521-89c419f99c63
    AT_KEYEXCHANGE

  Microsoft Internet Information Server
    AT_SIGNATURE, AT_KEYEXCHANGE

And a few more along those lines.

Is this an AD-integrated certificate? Also check whether you have enabled auto-enrollment via GPO.

As I said, I didn't deploy this machine, but it was the first DC in this domain.  Certificate Services Client - Auto-Enrollment in my Default Domain Policy is not configured.

If it is a first DC, leave it. Try to find out why it was used. Removing the cert server without knowing the reason might stop applications from working.

This server will be decommissioned.  I can't leave it up forever.  I don't have the cooling or the power to leave it up.  Cert Services have been disabled for over 3 months on this box.

What about FSMO roles? I assume you moved them over to another server. If so, I don't think there is any issue with decommissioning this server.

FSMO roles were moved, yes.

The problem is that I can't demote the DC without removing Cert Svcs from the server.  I can't remove Cert Services, because according to the original link I posted, I should be seeing different output than what I'm seeing, and I can't find anything else that tells me how to properly remove Cert Svcs.
ASKER CERTIFIED SOLUTION
jasondimaio

It wasn't really the best solution, but it worked for me.