
certificate issue when running dcpromo

A number of months ago I added a new Windows 2008 domain controller to an existing Windows 2003 domain (the domain consists of only 1 Windows 2003 DC). Everything went fine: I transferred the FSMO roles / GC and was prepared to dcpromo the Windows 2003 DC. At the time I was having issues with printers and decided to keep the old Win 2003 DC as a print server until I resolved all driver issues.

I would now like to dcpromo the Win 2003 DC. I'm getting the following message: "before you can install or remove active directory you must remove certificate services". Looking at issued certificates, I can only see a domain controller certificate for the Win 2003 DC and the new Win 2008 DC that are still valid.

Do I need to migrate these certs? What are the domain controller certs providing to AD? Is a migration supported when the DC name is different?

If you haven't configured your environment to require SSL when connecting to a domain controller, then you might be able to uninstall the services.

I suggest you back up the certificate services, uninstall, rename the server and promote it as a DC, so that if you need to build the CA again you can build a new server with the old name and restore the CA from backup. This link shows how to move a CA to a new server: http://support.microsoft.com/kb/298138
Senior Active Directory Engineer
Top Expert 2012
When you install the CA role on a Domain Controller, you cannot decommission it until you remove the CA. That's why it is not recommended to make a DC your CA server :)
You may see a similar thread at TechNet

Just do a CA backup and remove it from the DC. Decommission the DC and set it up again on a domain member server. Should work fine.
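
The backup step both answers recommend, as an added example that is not part of the original thread: a batch script, run on the CA server before Certificate Services is removed, that backs up the CA database and key pair with certutil, exports the CertSvc configuration registry key, and records which issued certificates exist. The `D:\CABackup` path is an assumption; use any folder that does not exist yet.

```batch
@echo off
rem Added example (not from the thread): back up a CA before removing
rem Certificate Services from a DC. BACKUP_DIR is an assumed path.
setlocal
set "BACKUP_DIR=D:\CABackup"

rem certutil -backup wants an empty target, so refuse to reuse a folder.
if exist "%BACKUP_DIR%" (
    echo %BACKUP_DIR% already exists; choose a new, empty folder.
    exit /b 1
)
mkdir "%BACKUP_DIR%" || exit /b 1

rem 1. CA database plus CA certificate and private key (written as a .p12).
rem    certutil prompts for the password that protects the .p12, so no
rem    password is stored in this script.
certutil -backup "%BACKUP_DIR%"
if errorlevel 1 (
    echo CA backup failed; do not uninstall Certificate Services.
    exit /b 1
)

rem 2. CA configuration held in the registry (CA name, CRL/AIA settings).
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" "%BACKUP_DIR%\CertSvc-Configuration.reg"
if errorlevel 1 exit /b 1

rem 3. Inventory of issued certificates (Disposition 20 = issued), to see
rem    what depends on this CA, e.g. the domain controller certificates.
certutil -view -restrict "Disposition=20" -out "RequestID,CommonName,NotAfter,CertificateTemplate" > "%BACKUP_DIR%\issued-certs.txt"

rem 4. Sanity check: the key file and the database folder must both exist.
dir /b "%BACKUP_DIR%\*.p12" >nul 2>&1
if errorlevel 1 (
    echo No .p12 key backup found in %BACKUP_DIR%.
    exit /b 1
)
if not exist "%BACKUP_DIR%\DataBase" (
    echo No database backup found in %BACKUP_DIR%.
    exit /b 1
)

echo Backup complete in %BACKUP_DIR%. Copy it off this server before dcpromo.
endlocal
```

The .p12 file contains the CA private key, so keep the backup folder on storage that only CA administrators can read.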

