king daddy (United States of America)

asked on

dcpromo cert issue 2003 R2


went to demote a 2003 R2 DC and got the "you must remove cert..." message. Opened up cert authority from admin tools and a red icon was displayed next to the server name. Right-clicked then chose properties and it showed a message stating that cert services was stopped. Then I right-clicked cert authority, chose retarget..., another server was offered so I chose it. It displayed a green check. Nothing in revoked, issued, or failed folders. Had 140 items in the Pending Requests folder. One entry was as recent as a few days ago, first entry was from 2009. Opened cert manager on my desktop and saw two certs from domain cert authority. One cert was from the cert authority where cert services was stopped - it expired in 2010. The other cert was from the other cert authority (green check one) - it expires in 2014 I think (either way, it had not yet expired).

So, can I remove the cert role from the cert authority which showed that cert services aren't even running so I can continue with the dcpromo? I am fairly certain no certs have been distributed from this server, especially since cert services has been stopped for what is likely a couple of years. However, what are the ramifications if I am incorrect? Any directions on how to do this are appreciated.

I did find these links but am uncertain about actually performing the steps without getting input from experts here.

Thanks a lot
Steve (United Kingdom of Great Britain and Northern Ireland):
[reply available only to Experts Exchange members]
king daddy:

Will do. Thanks.

All servers are the same. One expired cert (2010) from the DC I want to decommission and one valid cert (expires 2014) from another server in the network. However, the server handing out certs as a CA is our old Exchange 2003 server. I am going to take that down in the next week or so as we have already migrated to Exchange 2010. That said, I feel as though I need to move the CA to a dedicated machine. Another thing I noticed was that the current CA has no Certificate Templates folder, yet the old CA does.

I guess I can take it off the network for a night and see what happens.

Any thoughts / direction appreciated.

I just went to check a new DC I added yesterday and event viewer had two errors regarding cert enrollment. Event ID 13 and then Event ID 6, CertificateServicesClient-CertEnroll. The general information showed an error for the old CA, which has cert services disabled.

13 = Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from BU1.domain.local\bu1 (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

6 = Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

Found this and ran it on the new DC mentioned in the post above. All ran successfully. No errors reported in event viewer. There were two cert services events logged, Event 65, then Event 64, both showing successful authentication and then update of policy from policy server.

I wonder if that means I can run this on all servers and then remove cert services from the old DC I want to demote / decommission...

This is what I did. Ran a backup. Disabled the NIC for several hours (it's a VM). Checked all servers. Saw expired cert from this machine and active cert from another. Also noticed that servers were getting time from the server I want to demote. Event viewer showed they were now getting time from the PDC, after a few hours. Also noticed the server I want to demote was the Inter-Site Topology Generator. Read that after 60 minutes another server will take on this. One of my 08 R2 DCs did. Re-enabled NIC for a couple of hours. Followed directions in link above from Waited a couple of hours and saw no errors popping up. Went to server I want to demote and removed cert services from windows components in control panel > add / remove programs. Rebooted. Waited a couple of hours, no issues. Proceeded with dcpromo and all went well. However, I did need to resync the server to a time source. When I ran the w32 command to do so, event viewer showed it synced to and not to the PDC. I need to check that out, but may not since I am decommissioning the server next week anyway.
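The manual checks the thread walks through (which CAs the domain still advertises, which issuer signed each machine cert and whether it has expired, and whether autoenrollment events 6 and 13 are still being logged) can be gathered in one pass before a CA role is removed from a DC. The script below is an added example, not part of the original thread; it assumes an elevated PowerShell session on a domain-joined Windows 2008 R2 or later machine, and that the event source shown in the thread corresponds to the provider name Microsoft-Windows-CertificateServicesClient-CertEnroll.

```powershell
# Added pre-decommission inventory for an AD CS CA (example, not from the thread).
# Assumptions: run elevated on a domain member; the event provider name below
# is the full name of the "CertificateServicesClient-CertEnroll" source.

# 1. CAs still published in the Configuration partition. Clients (and the
#    autoenrollment attempt behind event 13) locate CAs through these objects,
#    so a CA left here after its service is gone keeps producing RPC errors.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext
$esPath   = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$esPath)
$searcher.Filter = "(objectClass=pKIEnrollmentService)"
[void]$searcher.PropertiesToLoad.AddRange(@("cn", "dNSHostName", "certificateTemplates"))

"== CAs advertised for enrollment in AD =="
foreach ($r in $searcher.FindAll()) {
    # DirectorySearcher returns property names in lowercase.
    $templates = @($r.Properties["certificatetemplates"]) -join ","
    $line = @($r.Properties["cn"][0], $r.Properties["dnshostname"][0], $templates)
    "{0,-25} host={1,-30} templates={2}" -f $line
}

# 2. Machine certificates, their issuer and expiry. An expired cert from a CA
#    that is being removed (the 2010 cert in the thread) can simply age out;
#    a still-valid cert from that CA would mean clients depend on it.
"== Certificates in LocalMachine\My =="
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $state = if ($_.NotAfter -lt (Get-Date)) { "EXPIRED" } else { "valid" }
    "{0,-8} until {1:yyyy-MM-dd} issuer={2}" -f $state, $_.NotAfter, $_.Issuer
}

# 3. Recent autoenrollment failures (event 6 and 13), to confirm the errors
#    stop once the stale CA object is gone and enrollment policy is refreshed.
"== CertEnroll events 6 and 13 from the last 7 days =="
$filter = @{
    LogName      = "Application"
    ProviderName = "Microsoft-Windows-CertificateServicesClient-CertEnroll"
    Id           = 6, 13
    StartTime    = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

Run it on each DC before and after removing the role: the CA being decommissioned should disappear from section 1, only the expired cert should remain from it in section 2, and section 3 should stop filling up once enrollment policy has been refreshed.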