<div>
<div class="content wysiwyg-content">
I am in the process of upgrading my AD infrastructure to 2008R2 and I have one last Windows 2003 Domain Controller. &nbsp;My FSMO roles have been transfered, as well as DNS and company. &nbsp;The problem lies with this legacy domain controller is also a certificate authority. &nbsp;DCPROMO &nbsp;will not allow me to demote the server as long as it has certificate services installed.<br />
<br />
I need this server to remain a CA, but I do not want it to be a domain controller any longer.<br />
<br />
I believe I can backup the certificate store, remove certificate services, demote the domain controller and then reinstall certificate services and restore the certificate store.<br />
<br />
Am I correct in my theory? &nbsp;I am hoping for validation that my idea will work along with some tips for possible gotchas in this concept - or - suggestions for a better way to accomplish this same task.
</div>
</div>


I am in the process of upgrading my AD infrastructure to 2008R2 and I have one last Windows 2003 Domain Controller.  My FSMO roles have been transfered, as well as DNS and company.  The problem lies with this legacy domain controller is also a certificate authority.  DCPROMO  will not allow me to demote the server as long as it has certificate services installed.

I need this server to remain a CA, but I do not want it to be a domain controller any longer.

I believe I can backup the certificate store, remove certificate services, demote the domain controller and then reinstall certificate services and restore the certificate store.

Am I correct in my theory?  I am hoping for validation that my idea will work along with some tips for possible gotchas in this concept - or - suggestions for a better way to accomplish this same task.

Demote Domain Controller with Certificate Services

Windows Server 2003 was based on Windows XP and was released in four editions: Web, Standard, Enterprise and Datacenter. It also had derivative versions for clusters, storage and Microsoft’s Small Business Server. Important upgrades included integrating Internet Information Services (IIS), improvements to Active Directory (AD) and Group Policy (GP), and the migration to Automated System Recovery (ASR).

Windows Server 2003

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.