Demote Domain Controller with Certificate Services

Posted on 2012-08-20
Last Modified: 2012-08-21
I am in the process of upgrading my AD infrastructure to 2008R2 and I have one last Windows 2003 Domain Controller.  My FSMO roles have been transferred, as well as DNS and company.  The problem is that this legacy domain controller is also a certificate authority.  DCPROMO will not allow me to demote the server as long as it has certificate services installed.

I need this server to remain a CA, but I do not want it to be a domain controller any longer.

I believe I can backup the certificate store, remove certificate services, demote the domain controller and then reinstall certificate services and restore the certificate store.

Am I correct in my theory?  I am hoping for validation that my idea will work along with some tips for possible gotchas in this concept - or - suggestions for a better way to accomplish this same task.
Question by: stevenfirsten

    Accepted Solution

    What you're looking to do is correct, and is documented that way.

    These are a few articles that will help get you on the right track.
    It's not necessarily a "gotcha" per se, but rather an unnecessary headache if you can avoid it, and that is changing the hostname of your certification authority. If you imperatively need to do this, then you have to go through a process to get that to work, and then make sure that all your clients are reporting back to the new CA name.

    I actually did this about 1 year ago for a server that I had decommissioned, and I ended up backing up the cert, restoring it on the new server, demoting and powering down the old server, then creating a CNAME by the name of the old server, pointing to the new server.

    It's kind of ugly, especially if you're looking to move to a better naming convention, but, as I was looking at the alternative, it was just too much room for failure and too many variables.

    By the way, please note that changing the name of the server isn't as big of a deal as changing the name of the certification authority itself. For changing the server name, you can look here:
    As a result, the certification authority will still report the old server name; changing that is the piece that may be a bit more complicated.

    Assisted Solution

    by:Will Szymkowski
    Take a look at the following link. Unfortunately you will have to remove ADCS as you have stated already. Take a look at the following link as it will provide direction on this.

    Also take a look at this link for additional reference...

    Hope this helps!
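Both answers above endorse the same sequence the asker proposed: back up the CA, remove ADCS, demote with DCPROMO, reinstall ADCS with the existing key, restore. The script below is an added example written for this page, not code from either expert or from Microsoft; it scripts the backup and restore halves with certutil and reg.exe, which exist on Windows Server 2003 as well as 2008 R2. It assumes a backup folder of C:\CABackup (my choice), that the CA keeps the same CA name and hostname when reinstalled (the point the accepted solution stresses), and that it is run in an elevated session by a CA administrator. The role removal, dcpromo run, and the "use existing private key" reinstall step in between are interactive and are only described in comments.

```powershell
# Added example for this thread (not the original poster's or the experts' code).
# Assumptions: backup folder C:\CABackup; CA is reinstalled with the SAME CA name
# and hostname; run elevated on the CA by a CA administrator.
param(
    [ValidateSet('Backup', 'Restore', 'Verify')]
    [string]$Phase = 'Backup',
    [string]$BackupDir = 'C:\CABackup'
)

function Invoke-Checked {
    # Run an external command and fail loudly instead of silently continuing.
    param([string]$Exe, [string[]]$Args)
    & $Exe @Args
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Args -join ' ') failed with exit code $LASTEXITCODE" }
}

function Backup-CaState {
    # Phase 1, BEFORE removing ADCS: capture everything needed to bring the CA back identical.
    param([string]$Dir)
    if (-not (Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }

    # CA certificate + private key (as a password-protected PFX) and the CA database.
    Invoke-Checked 'certutil' @('-backup', $Dir)

    # CA configuration: CRL/AIA publication URLs, validity periods, policy module settings.
    $regFile = Join-Path $Dir 'CertSvc-Configuration.reg'
    Invoke-Checked 'reg' @('export', 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration', $regFile, '/y')

    # Removing an enterprise CA deletes its pKIEnrollmentService object in AD, and with it
    # the list of templates it publishes, so record that list for re-publication later.
    & certutil -catemplates | Out-File (Join-Path $Dir 'templates.txt') -Encoding ASCII

    # Keep a copy of the published CA cert and CRL as a reference for the verify step.
    $enroll = Join-Path $Dir 'CertEnroll'
    if (-not (Test-Path $enroll)) { New-Item -ItemType Directory -Path $enroll | Out-Null }
    Copy-Item "$env:windir\system32\CertSrv\CertEnroll\*" $enroll -Force

    Write-Host "Backup complete in $Dir. Next (interactive): remove the Certificate Services"
    Write-Host "component, run dcpromo to demote, reboot, re-add Certificate Services choosing"
    Write-Host "'use existing private key' with the backed-up CA certificate and the SAME CA name,"
    Write-Host "then run this script with -Phase Restore."
}

function Restore-CaState {
    # Phase 2, AFTER ADCS is reinstalled with the existing key: put config, DB and templates back.
    param([string]$Dir)
    Invoke-Checked 'net' @('stop', 'certsvc')

    # Same CA name + same hostname is what makes importing the old registry key safe:
    # values such as CAServerName and CRL/AIA URLs embed them.
    Invoke-Checked 'reg' @('import', (Join-Path $Dir 'CertSvc-Configuration.reg'))

    # -f overwrites the empty database the reinstall created with the backed-up one.
    Invoke-Checked 'certutil' @('-f', '-restore', $Dir)
    Invoke-Checked 'net' @('start', 'certsvc')

    # Re-publish the templates the old CA issued. certutil -catemplates prints one
    # "Name: Display Name -- ..." line per template plus a trailing CertUtil status line.
    Get-Content (Join-Path $Dir 'templates.txt') |
        Where-Object { $_ -match ':' -and $_ -notmatch '^CertUtil' } |
        ForEach-Object { ($_ -split ':')[0].Trim() } |
        Where-Object { $_ } |
        ForEach-Object { & certutil -SetCATemplates "+$_" }
}

function Test-CaState {
    # Phase 3: confirm the CA answers requests and reports the expected name and CA cert.
    Invoke-Checked 'certutil' @('-ping')
    Invoke-Checked 'certutil' @('-cainfo', 'name')
    # The CA certificate thumbprint must match the one backed up before the demotion.
    $before = Get-ChildItem (Join-Path $BackupDir 'CertEnroll') -Filter '*.crt' | Select-Object -First 1
    $old = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($before.FullName)
    $new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        (Get-ChildItem "$env:windir\system32\CertSrv\CertEnroll" -Filter '*.crt' | Select-Object -First 1).FullName)
    if ($old.Thumbprint -ne $new.Thumbprint) { throw "CA certificate changed: $($old.Thumbprint) vs $($new.Thumbprint)" }
    Write-Host "CA certificate thumbprint unchanged: $($new.Thumbprint)"
}

switch ($Phase) {
    'Backup'  { Backup-CaState -Dir $BackupDir }
    'Restore' { Restore-CaState -Dir $BackupDir }
    'Verify'  { Test-CaState }
}
```

The thumbprint comparison in the Verify phase is the check that matters most: if the reinstall generated a new CA key instead of reusing the backed-up one, every previously issued certificate would chain to a CA certificate that no longer exists, and no amount of database restoring fixes that. If the hostname does change after all, the CRL and AIA URLs imported from the registry still point at the old name, which is exactly why the accepted solution's CNAME for the old server name keeps existing clients working.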
