Demote Domain Controller with Certificate Services

Posted on 2012-08-20
Last Modified: 2012-08-21
I am in the process of upgrading my AD infrastructure to 2008R2 and I have one last Windows 2003 Domain Controller. My FSMO roles have been transferred, as well as DNS and company. The problem is that this legacy domain controller is also a certificate authority. DCPROMO will not allow me to demote the server as long as it has certificate services installed.

I need this server to remain a CA, but I do not want it to be a domain controller any longer.

I believe I can backup the certificate store, remove certificate services, demote the domain controller and then reinstall certificate services and restore the certificate store.

Am I correct in my theory? I am hoping for validation that my idea will work, along with some tips for possible gotchas in this concept, or suggestions for a better way to accomplish this same task.
Question by:stevenfirsten
2 Comments
 
LVL 10

Accepted Solution

by:
George Khairallah earned 1400 total points
ID: 38312113
What you're looking to do is correct, and is documented that way.
http://technet.microsoft.com/en-us/library/cc742388%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc755153%28v=ws.10%29.aspx
http://blogs.technet.com/b/pki/archive/2012/01/27/steps-needed-to-decommission-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-all-operations-to-a-new-certification-authority.aspx

These are a few articles that will help get you on the right track.
It's not necessarily a "gotcha" per se, but rather an unnecessary headache if you can avoid it, and that is changing the hostname of your certification authority. If you imperatively need to do this, then you have to go through a process to get that to work, and then make sure that all your clients are reporting back to the new CA name.

I actually did this about 1 year ago for a server that I had decommissioned, and I ended up backing up the cert, restoring it on the new server, demoting and powering down the old server, then creating a CNAME by the name of the old server, pointing to the new server.

It's kind of ugly, especially if you're looking to move to a better naming convention, but as I was looking at the alternative, it was just too much room for failure and too many variables.

By the way, please note that changing the name of the server isn't as big of a deal as changing the name of the certification authority itself. For changing the server name, you can look here:
http://www.windowsitpro.com/article/certificate-services-microsoft/how-to-change-the-name-of-a-certificate-server
As a result, the certification authority will still report the old server name; changing that is the piece that may be a bit more complicated.

Assisted Solution by Will Szymkowski (600 points, ID: 38313354)
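The backup / remove / demote / reinstall / restore sequence that the question proposes and the accepted answer confirms, together with the CNAME workaround the answer describes, as an added PowerShell example. This is not code from the thread or from the linked Microsoft articles. It assumes an elevated session on the CA host, and the `$BackupRoot`, `$DnsServer`, `$Zone`, `$OldHost` and `$NewHost` values are placeholders for this example; `certutil -backup`, `certutil -restore`, `reg export/import` and `dnscmd /RecordAdd` are standard Windows tools.

```powershell
# Added example (not from the thread): script the CA backup before removing
# AD CS and demoting, then the restore after AD CS is reinstalled.
# Placeholders for this example; adjust for your environment.
$BackupRoot = 'D:\CA-Backup'
$CaRegPath  = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$DnsServer  = 'dc01'              # a DNS server that hosts the AD zone
$Zone       = 'corp.example.com'  # constructed zone name
$OldHost    = 'ca-legacy'         # name clients/AIA/CDP URLs currently use
$NewHost    = 'ca-new'            # host that will serve the CA afterwards

function Backup-CaState {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$KeyPassword)

    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # certutil -backup exports the CA database plus the CA certificate and
    # private key (PKCS#12, protected by -p) into the target folder.
    & certutil.exe -p $KeyPassword -backup $Path
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed ($LASTEXITCODE)" }

    # CRL periods, AIA/CDP URLs and policy/exit module settings live in the
    # registry, not in the database, so export that key as well.
    & reg.exe export $CaRegPath (Join-Path $Path 'CertSvc-Configuration.reg') /y
    if ($LASTEXITCODE -ne 0) { throw "registry export failed ($LASTEXITCODE)" }

    # Enterprise CA only: record which templates are published so the list
    # can be compared after the reinstall.
    & certutil.exe -CATemplates | Out-File (Join-Path $Path 'ca-templates.txt')
    return (Get-ChildItem -Path $Path -Recurse | Measure-Object).Count
}

function Restore-CaState {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$KeyPassword)

    # Precondition: the CA role has been reinstalled after DCPROMO using the
    # SAME CA name and the existing key from the backup (choose "existing
    # certificate and private key" in the role setup).
    Stop-Service -Name CertSvc -ErrorAction Stop

    # -f overwrites the empty database created by the fresh install.
    & certutil.exe -f -p $KeyPassword -restore $Path
    if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed ($LASTEXITCODE)" }

    & reg.exe import (Join-Path $Path 'CertSvc-Configuration.reg')
    if ($LASTEXITCODE -ne 0) { throw "registry import failed ($LASTEXITCODE)" }

    Start-Service -Name CertSvc -ErrorAction Stop

    # certutil -ping checks that the request interface answers; a non-zero
    # exit code here means clients will not be able to enrol either.
    & certutil.exe -ping | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Add-LegacyCaAlias {
    # The workaround from the accepted answer: keep the old hostname
    # resolvable so AIA/CDP URLs in already-issued certificates still work.
    # Note this only covers the HOST name; the CA's own common name is a
    # separate matter, as the answer points out.
    param([string]$Server = $DnsServer, [string]$ZoneName = $Zone,
          [string]$Alias = $OldHost,   [string]$Target = $NewHost)

    & dnscmd.exe $Server /RecordAdd $ZoneName $Alias CNAME "$Target.$ZoneName."
    return ($LASTEXITCODE -eq 0)
}

# Typical order of operations (run the middle steps interactively):
#   $n = Backup-CaState -Path $BackupRoot -KeyPassword (Read-Host 'PFX password')
#   ... remove the AD CS role, run DCPROMO, reinstall AD CS with the same CA name ...
#   Restore-CaState -Path $BackupRoot -KeyPassword (Read-Host 'PFX password')
#   Add-LegacyCaAlias
```

Keep the backup folder off the server being demoted, since DCPROMO and the role removal both reboot the box; and verify `certutil -ping` plus a test enrollment before powering the old host down, because issued certificates keep pointing at the old hostname until the CNAME is in place.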
Take a look at the following link. Unfortunately you will have to remove ADCS as you have stated already. Take a look at the following link as it will provide direction on this.

http://blogs.technet.com/b/pki/archive/2010/04/20/disaster-recovery-procedures-for-the-active-directory-certificate-services-adcs.aspx

Also take a look at this link for additional reference...
http://poweradmin.se/blog/2010/01/11/backup-and-restore-for-active-directory-certificate-services/

Hope this helps!