How to decommission an enterprise certification authority safely for server 2008 Migration

Posted on 2011-10-20
Last Modified: 2012-08-14
For some historic reason (and not entirely sure of the point?), an enterprise certification authority was installed on the domain on a Windows Server 2003 machine.

We are currently migrating to Server 2008 from the Server 2003 domain, and the server the enterprise certification authority is on is being decommissioned.

Concerned that after migration devices won’t be able to log on to the domain if this is removed incorrectly.

How can I safely remove this without impacting device logons, and how can I test that it has been removed safely?
Question by: James_22b
    LVL 41

    Expert Comment

    If you are using certificates, then you need to migrate it to the new server. There are migration guides available from MS.

    Author Comment

    Is there no way of removing it completely, as we don't really require it any more? When we moved it from Server 2000 to 2003 it was a massive ball ache and I would prefer to get rid of it.
    LVL 39

    Accepted Solution

    Yes, it's possible to completely remove it. But remember, if users/computers use certificates from it, they will lose access to resources secured with those certificates.

    Go to the Windows 2003 DC, open Control Panel, run Add/Remove Programs, then go to "Windows Components".
    Uncheck Certificate Authority there and confirm that you really want to decommission it.

    After that you will be able to freely manage the 2003 DC to decommission it.

    If you wish, you may follow an article on how to add the first 2008 R2 DC in a 2003 network at

    Then you may wish to transfer the FSMO roles to the new DC.

    When you transfer the PDC Emulator role, then you need to advertise the new DC in your forest/domain:
    [...] after transfer of the PDC Emulator role, configure the NEW PDC Emulator to an external time source and reconfigure the old PDC Emulator to use the domain hierarchy now. Therefore run on the NEW "w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update" where PEERS will be filled with the IP address or server( and on the OLD one run "w32tm /config /syncfromflags:domhier /reliable:no /update" and stop/start the time service on the old one. All commands run in an elevated command prompt without the quotes. [...]

    (an extract from an MVP blog at )

    And then you may wish to decommission your old DC.
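Before unchecking the component, it helps to know what on a given machine still chains to the old CA, since the accepted answer warns those certificates stop working. The script below is an added example, not from the thread; it assumes you supply the CA's common name (the "Contoso-OLD-CA" value in the comment is a placeholder) and runs on a Windows Server 2008 or later host where the Cert: drive is available.

```powershell
<#
  Inventory certificates on this machine that were issued by the enterprise CA
  about to be decommissioned, and check whether the CA certificate itself is
  still published in the trusted stores. Added example, not part of the thread.
  Usage (placeholder CA name): .\Check-OldCa.ps1 -CaCommonName "Contoso-OLD-CA"
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$CaCommonName   # CN of the old CA as shown in the CA console
)

# Is the CA certificate still present in the machine's trusted stores?
$caStores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA')
$caCerts = foreach ($s in $caStores) {
    Get-ChildItem -Path $s | Where-Object { $_.Subject -like "*CN=$CaCommonName*" }
}
if ($caCerts) {
    Write-Host "CA certificate '$CaCommonName' is still published in:" -ForegroundColor Yellow
    $caCerts | ForEach-Object { "  {0}  thumbprint {1}" -f $_.PSParentPath, $_.Thumbprint }
} else {
    Write-Host "CA certificate '$CaCommonName' not found in Root/CA stores."
}

# End-entity certificates issued by that CA, with their purposes and expiry,
# so you can see what (smart card logon, web server, EFS...) would break.
$endEntityStores = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
$issued = foreach ($s in $endEntityStores) {
    Get-ChildItem -Path $s | Where-Object { $_.Issuer -like "*CN=$CaCommonName*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $s
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
                Expired    = ($_.NotAfter -lt (Get-Date))
                Usage      = ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
                Thumbprint = $_.Thumbprint
            }
        }
}

if ($issued) {
    Write-Host "Certificates still chaining to '$CaCommonName' (affected by removal):" -ForegroundColor Yellow
    $issued | Format-Table -AutoSize
} else {
    Write-Host "No certificates issued by '$CaCommonName' found in the personal stores."
}
```

Run it on a sample of workstations and servers before removal, and again afterwards: an empty result for both checks is the "removed safely" confirmation the question asks for on that host.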

