
dcpromo cert issue 2003 R2


Went to demote a 2003 R2 DC and got the "you must remove cert..." message. Opened up cert authority from admin tools and a red icon was displayed next to the server name. Right-clicked then chose properties and it showed a message stating that cert services was stopped. Then I right-clicked cert authority, chose retarget..., another server was offered so I chose it. It displayed a green check. Nothing in revoked, issued, or failed folders. Had 140 items in the Pending Requests folder. One entry was as recent as a few days ago, first entry was from 2009. Opened cert manager on my desktop and saw two certs from domain cert authority. One cert was from the cert authority where cert services was stopped - it expired in 2010. The other cert was from the other cert authority (green check one) - it expires in 2014 I think (either way, it had not yet expired).

So, can I remove the cert role from the cert authority which showed that cert services aren't even running so I can continue with the dcpromo? I am fairly certain no certs have been distributed from this server, especially since cert services has been stopped for what is likely a couple of years. However, what are the ramifications if I am incorrect? Any directions on how to do this are appreciated.

I did find these links but am uncertain about actually performing the steps without getting input from experts here.




Thanks a lot
king daddy

1 Solution
A cert authority is a unique authority on the certificates it creates. If you remove it while valid certs are still in use, they will become invalid.

If you are sure none of your existing certs were issued by this CA you can consider removing it without a major headache.

I recommend making one final check on all servers using MMC>certificates>local computer account to see what certs are listed before doing anything.
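The "final check" recommended above, as an added example that is not part of the thread: a PowerShell script that lists every certificate in each server's Local Computer Personal store, flags any unexpired cert chained to the CA being retired, and then pulls the CertEnroll autoenrollment failures (Event IDs 6 and 13) from the Application log. It assumes PowerShell 3.0 or later with WinRM enabled for remote servers, and the CA name `OLD-CA-NAME-PLACEHOLDER` is a constructed placeholder.

```powershell
# Added example (not from the thread): audit LocalMachine\My on one or more
# servers for certs issued by a CA that is about to be removed, then check
# the CertEnroll event log for autoenrollment failures still pointing at it.
# Assumption: $OldCaName is a constructed placeholder; use the CA common name
# shown under "Issued By" in the Certificates MMC snap-in.
param(
    [string]$OldCaName = 'OLD-CA-NAME-PLACEHOLDER',
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$check = {
    param($OldCaName)
    $now = Get-Date
    # Every cert in the computer's Personal store, with issuer, expiry and status
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            Expired    = ($_.NotAfter -lt $now)
            FromOldCA  = ($_.Issuer -like "*CN=$OldCaName*")
            Thumbprint = $_.Thumbprint
        }
    }
}

$certs = foreach ($c in $ComputerName) {
    if ($c -eq $env:COMPUTERNAME) { & $check $OldCaName }
    else { Invoke-Command -ComputerName $c -ScriptBlock $check -ArgumentList $OldCaName }  # needs WinRM
}

$certs | Sort-Object Computer, Issuer |
    Format-Table Computer, Subject, Issuer, NotAfter, Expired, FromOldCA -AutoSize

# A still-valid cert from the old CA is the blocker: whatever relies on it
# breaks the moment the CA is removed. Expired ones are harmless leftovers.
$blockers = $certs | Where-Object { $_.FromOldCA -and -not $_.Expired }
if ($blockers) {
    $hosts = ($blockers | Select-Object -ExpandProperty Computer -Unique) -join ', '
    Write-Warning "Unexpired certs still chained to $OldCaName on: $hosts"
} else {
    Write-Host "No unexpired certificates from $OldCaName found on the checked servers."
}

# Autoenrollment failures (Event IDs 6 and 13, as seen later in this thread) from the last 7 days
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'
    Id           = 6, 13
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Message'; e={ $_.Message -replace "`r?`n", ' ' }} |
    Format-Table -Wrap
```

Run it on a 2008 R2 or later box (Get-WinEvent is not available on 2003 R2); a warning means the old CA is still in use and should not be removed yet.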
king daddy (Author) commented:
Will do. Thanks.
king daddy (Author) commented:
All servers are the same. One expired cert (2010) from the DC I want to decommission and one valid cert (expires 2014) from another server in the network. However, the server handing out certs as a CA is our old Exchange 2003 server. I am going to take that down in the next week or so as we have already migrated to Exchange 2010. That said, I feel as though I need to move the CA to a dedicated machine. Another thing I noticed was that the current CA has no Certificate Templates folder, yet the old CA does.

I guess I can take it off the network for a night and see what happens.

Any thoughts / direction appreciated.

king daddy (Author) commented:
I just went to check a new DC I added yesterday and event viewer had two errors regarding cert enrollment. Event ID 13 and then Event ID 6, CertificateServicesClient-CertEnroll. The general information showed an error for the old CA, which has cert services disabled.

13 = Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from BU1.domain.local\bu1 (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

6 = Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.
king daddy (Author) commented:
Found this and ran it on the new DC mentioned in the post above. All ran successfully. No errors reported in event viewer. There were two cert services events logged, Event 65, then Event 64, both showing successful authentication and then update of policy from policy server.


I wonder if that means I can run this on all servers and then remove cert services from the old DC I want to demote / decommission...
king daddy (Author) commented:
This is what I did. Ran a backup. Disabled the NIC for several hours (it's a VM). Checked all servers. Saw expired cert from this machine and active cert from another. Also noticed that servers were getting time from the server I want to demote. Event viewer showed they were now getting time from the PDC, after a few hours. Also noticed the server I want to demote was the Inter-Site Topology Generator. Read that after 60 minutes another server will take this on. One of my 08 R2 DCs did. Re-enabled NIC for a couple of hours. Followed directions in link above from petenetlive.com. Waited a couple of hours and saw no errors popping up. Went to server I want to demote and removed cert services from windows components in control panel > add / remove programs. Rebooted. Waited a couple of hours, no issues. Proceeded with dcpromo and all went well. However, I did need to resync the server to a time source. When I ran the w32 command to do so, event viewer showed it synced to nist.xxx.xxx and not to the PDC. I need to check that out, but may not since I am decommissioning the server next week anyway.