certificate issue when running dcpromo

Posted on 2012-08-14
Last Modified: 2012-09-04
A number of months ago i added a new Windows 2008 domain controller to an existing Windows 2003 domain, (the domain consists of only 1 windows 2003 DC) everything went fine, i transferred FSMO roles / GC and was prepared to dcpromo the windows 2003 DC, at the time i was having issues with printers and decided to keep the old win 2003 dc as a print server until i resolved all driver issues,

i would now like to dcpromo teh win 2003 dc, i'm getting the following message "before you can install or remove active directory you must remove certificate services", looking at issued certificates i can only see a domain controller certificate for the win 2003 and new win 2008 dc that are still valid

do i need to migrate these certs, what are the domain controllers certs providing to AD, is a migration supported when a different dc name,
Question by:im_busy
    LVL 1

    Assisted Solution

    LVL 15

    Assisted Solution

    If you don't have configured your enviornment to require SSL when connecting to domain controller then you might be able to uninstall the services.

    I suggest you backup the certificate services, uninstall, rename the server and promote as DC so if in case you need to bulid the CA again you can build new server with old name and restore CA from backup. This link shows how to move CA to new server
    LVL 39

    Accepted Solution

    When you install CA role on Domain Controller you cannot decommission it until you will not remove CA. That's why it is not recommended doing DC your CA server :)
    You may see similar thread at Technet

    Just do CA backup, remove it from DC. Decommission DC and set up it again as on domain member server. Should work fine


    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Don't lose your head updating email signatures!

    Do your end users still have the wrong email signature? Do email signature updates bore you or fill you with a sense of dread? You can make this a whole lot easier on yourself by trusting an Exclaimer email signature management solution. Over 50 million users should you!

    To effectively work with Diskpart on a Server Core, it is necessary to write some small batch script's, because you can't execute diskpart in a remote powershell session. To get startet, place the Diskpart batch script's into a share on your loca…
    New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
    This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    11 Experts available now in Live!

    Get 1:1 Help Now