king daddy (United States of America) asked:

dcpromo cert issue 2003 R2


Went to demote a 2003 R2 DC and got the "you must remove cert..." message. Opened up cert authority from admin tools and a red icon was displayed next to the server name. Right-clicked, then chose properties, and it showed a message stating that cert services was stopped. Then I right-clicked cert authority, chose retarget..., another server was offered, so I chose it. It displayed a green check. Nothing in revoked, issued, or failed folders. Had 140 items in the Pending Requests folder. One entry was as recent as a few days ago; the first entry was from 2009. Opened cert manager on my desktop and saw two certs from the domain cert authority. One cert was from the cert authority where cert services was stopped - it expired in 2010. The other cert was from the other cert authority (green check one) - it expires in 2014 I think (either way, it had not yet expired).

So, can I remove the cert role from the cert authority which showed that cert services aren't even running, so I can continue with the dcpromo? I am fairly certain no certs have been distributed from this server, especially since cert services has been stopped for what is likely a couple of years. However, what are the ramifications if I am incorrect? Any directions on how to do this are appreciated.

I did find these links but am uncertain about actually performing the steps without getting input from experts here.




Thanks a lot
Tags: Active Directory, Windows Server 2003, SSL / HTTPS

Last comment: king daddy, 8/22/2022 - Mon

king daddy

Will do. Thanks.
king daddy

All servers are the same. One expired cert (2010) from the DC I want to decommission and one valid cert (expires 2014) from another server in the network. However, the server handing out certs as a CA is our old Exchange 2003 server. I am going to take that down in the next week or so, as we have already migrated to Exchange 2010. That said, I feel as though I need to move the CA to a dedicated machine. Another thing I noticed was that the current CA has no Certificate Templates folder, yet the old CA does.

I guess I can take it off the network for a night and see what happens.

Any thoughts / direction appreciated.

king daddy

I just went to check a new DC I added yesterday and event viewer had two errors regarding cert enrollment. Event ID 13 and then Event ID 6, CertificateServicesClient-CertEnroll. The general information showed an error for the old CA, which has cert services disabled.

13 = Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from BU1.domain.local\bu1 (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

6 = Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.
king daddy

Found this and ran it on the new DC mentioned in the post above. All ran successfully. No errors reported in event viewer. There were two cert services events logged, Event 65, then Event 64, both showing successful authentication and then update of policy from the policy server.


I wonder if that means I can run this on all servers and then remove cert services from the old DC I want to demote / decommission...
king daddy

This is what I did. Ran a backup. Disabled the NIC for several hours (it's a VM). Checked all servers. Saw the expired cert from this machine and an active cert from another. Also noticed that servers were getting time from the server I want to demote. Event viewer showed they were now getting time from the PDC after a few hours. Also noticed the server I want to demote was the Inter-Site Topology Generator. Read that after 60 minutes another server will take this on. One of my 08 R2 DCs did. Re-enabled the NIC for a couple of hours. Followed directions in the link above from petenetlive.com. Waited a couple of hours and saw no errors popping up. Went to the server I want to demote and removed cert services from Windows components in Control Panel > Add / Remove Programs. Rebooted. Waited a couple of hours, no issues. Proceeded with dcpromo and all went well. However, I did need to resync the server to a time source. When I ran the w32 command to do so, event viewer showed it synced to nist.xxx.xxx and not to the PDC. I need to check that out, but may not since I am decommissioning the server next week anyway.
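A pre-removal check for the situation in this thread (the CertEnroll errors 6/13 on the new DC and the "what if I'm wrong" question before dropping the CA role), written here as an added example; it is not code from the thread or from the linked article. It assumes PowerShell remoting to the checked servers (2008 R2 DCs), that `$OldCA` and the server names are placeholders, and that the CertEnroll provider name below is correct (my assumption).

```powershell
# Added example, not from the thread. Run as a domain admin from a 2008 R2+ box.
# $OldCA is the CA host being decommissioned; both it and $Servers are placeholders.
param(
    [string]$OldCA = 'OLDCA-PLACEHOLDER',
    [string[]]$Servers = @('DC1-PLACEHOLDER', 'DC2-PLACEHOLDER')
)

# 1. Which CAs does the forest still advertise to autoenrollment clients?
#    Clients locate CAs through pKIEnrollmentService objects in the Configuration
#    partition; a stale entry for the stopped CA is what makes a new DC log
#    CertEnroll 13/6 "The RPC server is unavailable" against it.
$rootDse   = [ADSI]'LDAP://RootDSE'
$esPath    = 'LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,' +
             $rootDse.configurationNamingContext
$published = ([ADSI]$esPath).Children | ForEach-Object {
    New-Object PSObject -Property @{ CA = "$($_.cn)"; Host = "$($_.dNSHostName)" }
}
$published | Format-Table CA, Host -AutoSize
if ($published | Where-Object { $_.Host -match "^$OldCA" }) {
    Write-Warning "$OldCA is still published as an Enrollment Service in AD"
}

# 2. On each server, list machine certificates issued by $OldCA and whether any
#    are still valid; only unexpired ones would break something when the CA goes.
foreach ($s in $Servers) {
    Invoke-Command -ComputerName $s -ArgumentList $OldCA -ScriptBlock {
        param($ca)
        Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Issuer -match $ca } |
            Select-Object @{n='Server';e={$env:COMPUTERNAME}}, Subject, Issuer,
                          NotAfter, @{n='Expired';e={$_.NotAfter -lt (Get-Date)}}
    }
}

# 3. Recent autoenrollment failures (event IDs 6 and 13, as seen in the thread)
#    on the first server that still name the old CA. Provider name is an assumption.
$events = Get-WinEvent -ComputerName $Servers[0] -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'
    Id           = 6, 13
} -MaxEvents 50 -ErrorAction SilentlyContinue
$events | Where-Object { $_.Message -match $OldCA } |
    Select-Object TimeCreated, Id, Message | Format-List
```

Step 2 runs locally on a 2003 server without remoting if you paste the inner script block there; if step 1 still shows the old CA after the role is removed, the leftover Enrollment Services object is what keeps clients retrying it.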