asked on

Decommission a 2003 Server - Certificate Services

I've got a Server 2003 DC that I want to demote and decommission. I've had the Certificate Services Service disabled for months, so I'm positive that demoting this should not be an issue to my environment. However, when I follow this guide, http://support.microsoft.com/kb/889250 I don't see anything like what they show when I'm even in the certutil -key step. Can you help me decommission this server, please?

Mike Kline

were you using cert services on this box before for something? So you seen nothing when you type certutil -key

Just wondering if there were any services on there before.

Another good thread that I've referenced before http://social.technet.microsoft.com/Forums/en-US/winserversetup/thread/d922860b-c8cd-4ed5-9b0b-05391c18afc0

Thanks

Mike

jasondimaio

ASKER

Oddly, your link takes me to a page where I can edit my TechNet profile.

I don't recall using Cert Svcs for anything other than maybe a self-signed cert or two awhile back. Exchange 2003 used to be on this machine. I actually didn't build it out. I inherited it.

When I type certutil -key, I get
Microsoft Strong Cryptographic Provider:
2dbdc423-b316-47aa-a10d-8479b6f26f36
AT_KEYEXCHANGE

ex01
AT_SIGNATURE

39eeeb5c-db12-46cf-b190-4939b539b91f
AT_KEYEXCHANGE

ex01-Xchg(36)
AT_KEYEXCHANGE

EXPWMGMT-9f2ee89acc07425fba591dfbd8fb31fb
AT_KEYEXCHANGE

a1e96cee-87d6-407b-b2ff-7ea406a8ca59
AT_KEYEXCHANGE

MS IIS DCOM Server
AT_SIGNATURE, AT_KEYEXCHANGE

49db4752-e0c6-4358-9cdd-94f41656e7a1
AT_KEYEXCHANGE

09ba51f7-74ff-48d3-82d2-282fdf5b7d10
AT_KEYEXCHANGE

4640d838-4dda-419a-9ea7-36e355dbf02d
AT_KEYEXCHANGE

ex01(1)
AT_SIGNATURE

7fe46022-db42-4acf-95b8-e90230725eb1
AT_KEYEXCHANGE

33298f50-35cc-446a-941c-7fab615351ae
AT_KEYEXCHANGE

47c7fe5c-0be6-4e4c-bb1b-cf3326c437b0
AT_KEYEXCHANGE

790f3e5d-75ea-4001-a7ae-bda6aad7b0bd
AT_KEYEXCHANGE

5e8e752e-45ed-4001-9521-89c419f99c63
AT_KEYEXCHANGE

Microsoft Internet Information Server
AT_SIGNATURE, AT_KEYEXCHANGE

And a few more along those lines.

Amit

is this a AD intergrated Certificate? Also check if you have enabled auto enrollement via gpo?

jasondimaio

ASKER

As I said, I didn't deploy this machine, but it was the first DC in this domain. Certificate Services Client - Auto-Enrollment in my Default Domain Policy is not configured.

Amit

if it is a first DC, leave it. Try to find, why it was used. Removing cert server without knowing the reason might break application to work.

jasondimaio

ASKER

This server will be decommissioned. I can't leave it up forever. I don't have the cooling or the power to leave it up. Cert Services have been disabled for over 3 months on this box.

Amit

What about FSMO roles, i assume you moved it over to other server. If so, i don't think any issue with decom this server.

jasondimaio

ASKER

FSMO roles were moved, yes.

The problem is that I can't demote the DC without removing Cert Svcs from the server. I can't remove Cert Services, because according to the original link I posted, I should be seeing different output than what I'm seeing, and I can't find anything else that tells me how to properly remove Cert Svcs.

ASKER CERTIFIED SOLUTION

jasondimaio

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

jasondimaio

ASKER

It wasn't really the best solution, but it worked for me.