

How to decommission an enterprise certification authority safely for server 2008 Migration

Posted on 2011-10-20
Medium Priority
Last Modified: 2012-08-14
For some historic reason (and not entirely sure of the point?), an enterprise certification authority was installed on the domain on a Windows Server 2003 machine.

We are currently migrating to Server 2008 from a Server 2003 domain, and the server the enterprise certification authority is on is being decommissioned.

I'm concerned that after migration devices won't be able to log on to the domain if this is removed incorrectly.

How can I safely remove this without impacting device logons, and how can I test that it has been removed safely?
Question by: Ben Campbell
LVL 45

Expert Comment

ID: 36998644
If you are using certificates, then you need to migrate it to the new server. There are migration guides available from MS.

Author Comment

by: Ben Campbell
ID: 36998697
Is there no way of removing it completely, as we don't really require it any more? When we moved it from Server 2000 to 2003 it was a massive ball ache and I would prefer to get rid of it.
LVL 39

Accepted Solution

Krzysztof Pytko earned 2000 total points
ID: 36998759
Yes, it's possible to completely remove it. But remember, if users/computers use certificates from it, they will lose access to resources secured with those certificates.

Go to the Windows 2003 DC, open Control Panel, run Add/Remove Programs, then go to "Windows Components".
Uncheck Certificate Authority there and confirm that you really want to decommission it.

After that you will be able to freely manage the 2003 DC to decommission it.

If you wish, you may follow an article on how to add the first 2008 R2 DC in a 2003 network at

Then you may wish to transfer FSMO roles to the new DC.

When you transfer the PDC Emulator role, you need to advertise the new DC in your forest/domain:
[...] after transfer of the PDC Emulator role, configure the NEW PDC Emulator to use an external time source and reconfigure the old PDC Emulator to use the domain hierarchy now. Therefore run on the NEW one "w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update", where PEERS will be filled with the IP address or server name (time.windows.com), and on the OLD one run "w32tm /config /syncfromflags:domhier /reliable:no /update" and stop/start the time service on the old one. All commands run in an elevated command prompt without the quotes. [...]

and an extract from an MVP blog at

and then you may wish to decommission your old DC.
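As an added example (not part of the thread or of Krzysztof's answer), here is a PowerShell inventory that answers the "how can I test it" part of the question: run it before the removal to see what still depends on the CA, and again afterwards to confirm the CA is gone from AD. It assumes an elevated session on a domain member with RSAT's ActiveDirectory module; `<CA common name>` and `<CA host>` are placeholders.

```powershell
# Added example, not from the thread: inventory what still depends on the
# enterprise CA, runnable before the removal and again afterwards. Requires
# an elevated session on a domain member with RSAT (ActiveDirectory module).
# "<CA common name>" and "<CA host>" are placeholders for your environment.
Import-Module ActiveDirectory

$caName = "<CA common name>"   # CN shown in the Certification Authority MMC
$caHost = "<CA host>"          # FQDN of the Windows 2003 server hosting it

$config = (Get-ADRootDSE).configurationNamingContext
$pks    = "CN=Public Key Services,CN=Services,$config"

# 1. Enterprise CAs register themselves here; after a clean removal the
#    old CA no longer appears in this list.
Write-Host "Enrollment Services objects:"
Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
    -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties dNSHostName |
    Select-Object Name, dNSHostName | Format-Table -AutoSize

# 2. NTAuthCertificates lists the CAs trusted for certificate-based domain
#    logon (smart card / PKINIT). Check whether the old CA is still listed.
$ntauth = Get-ADObject "CN=NTAuthCertificates,$pks" -Properties cACertificate
Write-Host "CAs in NTAuthCertificates:"
foreach ($raw in $ntauth.cACertificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
    "{0}  expires {1:yyyy-MM-dd}" -f $cert.Subject, $cert.NotAfter
}

# 3. Certificates on this machine issued by the old CA: these are the ones
#    whose revocation checks will fail once the CA and its CRL are gone.
Write-Host "Local machine certificates issued by ${caName}:"
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -match [regex]::Escape($caName) } |
    Select-Object Subject, NotAfter,
        @{ n = 'EKU'; e = { $_.EnhancedKeyUsageList.FriendlyName -join ', ' } } |
    Format-Table -AutoSize

# 4. Is the CA service still answering? Before removal this succeeds; after
#    removal certutil reports an error, which is the expected result.
certutil -config "$caHost\$caName" -ping
```

Run step 3 on a few representative clients (not just the DC) before removing the role; if it lists certificates with a Client Authentication EKU, those devices rely on the CA and need a plan before it goes.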

