Demote Domain Controller with Certificate Services
Posted on 2012-08-20
I am in the process of upgrading my AD infrastructure to 2008R2 and I have one last Windows 2003 Domain Controller. My FSMO roles have been transfered, as well as DNS and company. The problem lies with this legacy domain controller is also a certificate authority. DCPROMO will not allow me to demote the server as long as it has certificate services installed.
I need this server to remain a CA, but I do not want it to be a domain controller any longer.
I believe I can backup the certificate store, remove certificate services, demote the domain controller and then reinstall certificate services and restore the certificate store.
Am I correct in my theory? I am hoping for validation that my idea will work along with some tips for possible gotchas in this concept - or - suggestions for a better way to accomplish this same task.