went to demote a 2003 R2 DC and got the "you must remove cert..." message. Opened up cert authority from admin tools and a red icon was displayed next to the server name. Right-clicked then chose properties and it showed a message stating that cert services was stopped. Then I right-clicked cert authority, chose retarget..., another server was offered so I chose it. It displayed a green check. Nothing in revoked, issued, or failed folders. Had 140 items in the Pending Requests folder. One entry was as recent as a few days ago, first entry was from 2009. Opened cert manager on my desktop and saw two certs from domain cert authority. One cert was from the cert authority where cert services was stopped - it expired in 2010. The other cert was from the other cert authority (green check one) - it expires in 2014 I think (either way, it had not yet expired).
So, can I remove the cert role from the cert authority which showed that cert services aren't even running so I can continue with the dcpromo? I am fairly certain no certs have been distributed from this server, especially since cert services has been stopped for what is likely a couple of years. However, what are the ramifications if I am incorrect? Any directions on how to do this is appreciated.
I did find these links but am uncertain about actually performing the steps without getting input from experts here.
Thanks a lot