certificate issue when running dcpromo

Posted on 2012-08-14
Medium Priority
Last Modified: 2012-09-04
A number of months ago I added a new Windows 2008 domain controller to an existing Windows 2003 domain (the domain consists of only 1 Windows 2003 DC). Everything went fine: I transferred the FSMO roles / GC and was prepared to dcpromo the Windows 2003 DC. At the time I was having issues with printers and decided to keep the old Win 2003 DC as a print server until I resolved all driver issues.

I would now like to dcpromo the Win 2003 DC. I'm getting the following message: "before you can install or remove active directory you must remove certificate services". Looking at issued certificates, I can only see a domain controller certificate for the Win 2003 and new Win 2008 DC that are still valid.

Do I need to migrate these certs? What are the domain controller certs providing to AD? Is a migration supported with a different DC name?
Question by:im_busy

Assisted Solution

PeteTheOwl earned 668 total points
ID: 38294558
LVL 15

Assisted Solution

achaldave earned 664 total points
ID: 38294579
If you haven't configured your environment to require SSL when connecting to the domain controller, then you might be able to uninstall the services.

I suggest you back up the certificate services, uninstall, rename the server and promote as DC, so in case you need to build the CA again you can build a new server with the old name and restore the CA from backup. This link shows how to move a CA to a new server: http://support.microsoft.com/kb/298138
LVL 39

Accepted Solution

Krzysztof Pytko earned 668 total points
ID: 38295458
When you install the CA role on a Domain Controller, you cannot decommission it until you remove the CA. That's why it is not recommended to make a DC your CA server :)
You may see a similar thread at TechNet

Just do a CA backup and remove it from the DC. Decommission the DC and set it up again on a domain member server. Should work fine.
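
The backup step that the answers above recommend before removing Certificate Services, as an added example that is not part of the original thread: a batch script run on the Windows 2003 CA itself. The backup path `D:\CABackup` and the output file names are assumptions; the target directory must be new and empty.

```bat
@echo off
rem Added example: back up a Windows Server 2003 CA before uninstalling
rem Certificate Services. BACKUP_DIR is an assumed path; change it.
setlocal
set "BACKUP_DIR=D:\CABackup"

rem certutil refuses to back up the database into a non-empty directory,
rem so stop instead of reusing an old backup location.
if exist "%BACKUP_DIR%" (
    echo %BACKUP_DIR% already exists. Choose a new, empty directory.
    exit /b 1
)
mkdir "%BACKUP_DIR%"
if errorlevel 1 goto fail

rem 1. CA database plus the CA certificate and private key.
rem    certutil prompts for a password that protects the exported .p12 file.
certutil -backup "%BACKUP_DIR%"
if errorlevel 1 goto fail

rem 2. CA configuration (CRL/AIA locations, validity settings) is stored in
rem    the registry and is not part of the database backup.
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" "%BACKUP_DIR%\CertSvc-Configuration.reg"
if errorlevel 1 goto fail

rem 3. Record which certificate templates this CA issues, so they can be
rem    re-published if the CA is restored on another server.
certutil -catemplates > "%BACKUP_DIR%\catemplates.txt"
if errorlevel 1 goto fail

rem 4. Confirm a .p12 file was written before anything is uninstalled.
if not exist "%BACKUP_DIR%\*.p12" (
    echo No .p12 key backup found in %BACKUP_DIR%.
    goto fail
)

echo Backup complete. Contents of %BACKUP_DIR%:
dir /s /b "%BACKUP_DIR%"
echo The .p12 file holds the CA private key: move it to offline storage.
exit /b 0

:fail
echo CA backup failed. Do not remove Certificate Services yet.
exit /b 1
```

Copy the backup off the server before uninstalling Certificate Services; anyone who obtains the `.p12` file and its password can issue certificates as this CA.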

