dcpromo cert issue 2003 R2


Went to demote a 2003 R2 DC and got the "you must remove cert..." message. Opened up cert authority from admin tools and a red icon was displayed next to the server name. Right-clicked, then chose properties, and it showed a message stating that cert services was stopped. Then I right-clicked cert authority, chose retarget..., another server was offered so I chose it. It displayed a green check. Nothing in revoked, issued, or failed folders. Had 140 items in the Pending Requests folder. One entry was as recent as a few days ago, first entry was from 2009. Opened cert manager on my desktop and saw two certs from domain cert authority. One cert was from the cert authority where cert services was stopped - it expired in 2010. The other cert was from the other cert authority (green check one) - it expires in 2014 I think (either way, it had not yet expired).

So, can I remove the cert role from the cert authority which showed that cert services aren't even running so I can continue with the dcpromo? I am fairly certain no certs have been distributed from this server, especially since cert services has been stopped for what is likely a couple of years. However, what are the ramifications if I am incorrect? Any directions on how to do this are appreciated.

I did find these links but am uncertain about actually performing the steps without getting input from experts here.




Thanks a lot
Asked by: king daddy

A cert authority is a unique authority on the certificates it creates. If you remove it while valid certs are still in use, they will become invalid.

If you are sure none of your existing certs were issued by this CA you can consider removing it without a major headache.

I recommend making one final check on all servers using MMC>certificates>local computer account to see what certs are listed before doing anything.
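
The final check recommended in the answer above, scripted across several servers instead of opening the MMC snap-in on each one (an added example, not part of the original thread). The server names and CA common name are placeholders, and the function name `Get-IssuedByCa` is hypothetical; it assumes the account running it can read the remote computer certificate store.

```powershell
# Added example: inventory LocalMachine\My on each server and flag
# certificates issued by the CA that is about to be removed.
$Servers   = @('SERVER1', 'SERVER2')   # placeholder host names
$OldCaName = 'OLD-CA-COMMON-NAME'      # placeholder: CN of the CA being retired

function Get-IssuedByCa {
    param(
        [string[]]$ComputerName,
        [string]$CaCommonName
    )
    # Match the CN component exactly so 'CA1' does not also match 'CA10'.
    $pattern = '(^|,\s*)CN=' + [regex]::Escape($CaCommonName) + '(\s*,|$)'
    $now = Get-Date

    foreach ($computer in $ComputerName) {
        # "\\host\My" with LocalMachine opens the remote computer's Personal store.
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
            -ArgumentList "\\$computer\My", 'LocalMachine'
        try {
            $store.Open('ReadOnly')
            foreach ($cert in $store.Certificates) {
                New-Object PSObject -Property @{
                    Computer   = $computer
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotAfter   = $cert.NotAfter
                    FromOldCa  = ($cert.Issuer -match $pattern)
                    StillValid = ($cert.NotAfter -gt $now)
                }
            }
        }
        catch {
            # An unreachable server is reported, not silently treated as clean.
            Write-Warning "Could not read certificate store on ${computer}: $_"
        }
        finally {
            $store.Close()
        }
    }
}

$inventory = Get-IssuedByCa -ComputerName $Servers -CaCommonName $OldCaName
$inventory | Sort-Object Computer, NotAfter |
    Format-Table Computer, FromOldCa, StillValid, NotAfter, Subject -AutoSize

# Certificates from the CA being retired that have not yet expired.
$inventory | Where-Object { $_.FromOldCa -and $_.StillValid }
```

An empty result from the last line only covers the computer stores that could be read; any server that produced a warning still needs a manual check.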

king daddy (Author) commented:
Will do. Thanks.
king daddy (Author) commented:
All servers are the same. One expired cert (2010) from the DC I want to decommission and one valid cert (expires 2014) from another server in the network. However, the server handing out certs as a CA is our old Exchange 2003 server. I am going to take that down in the next week or so as we have already migrated to Exchange 2010. That said, I feel as though I need to move the CA to a dedicated machine. Another thing I noticed was that the current CA has no Certificate Templates folder, yet the old CA does.

I guess I can take it off the network for a night and see what happens.

Any thoughts / direction appreciated.


king daddy (Author) commented:
I just went to check a new DC I added yesterday and event viewer had two errors regarding cert enrollment. Event ID 13 and then Event ID 6, CertificateServicesClient-CertEnroll. The general information showed an error for the old CA, which has cert services disabled.

13 = Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from BU1.domain.local\bu1 (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

6 = Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.
king daddy (Author) commented:
Found this and ran it on the new DC mentioned in the post above. All ran successfully. No errors reported in event viewer. There were two cert services events logged, Event 65, then Event 64, both showing successful authentication and then update of policy from policy server.


I wonder if that means I can run this on all servers and then remove cert services from the old DC I want to demote / decommission...
king daddy (Author) commented:
This is what I did. Ran a backup. Disabled the NIC for several hours (it's a VM). Checked all servers. Saw expired cert from this machine and active cert from another. Also noticed that servers were getting time from the server I want to demote. Event viewer showed they were now getting time from the PDC, after a few hours. Also noticed the server I want to demote was the Inter-Site Topology Generator. Read that after 60 minutes another server will take on this. One of my 08 R2 DCs did. Re-enabled NIC for a couple of hours. Followed directions in link above from petenetlive.com. Waited a couple of hours and saw no errors popping up. Went to server I want to demote and removed cert services from Windows components in Control Panel > Add / Remove Programs. Rebooted. Waited a couple of hours, no issues. Proceeded with dcpromo and all went well. However, I did need to resync the server to a time source. When I ran the w32 command to do so, event viewer showed it synced to nist.xxx.xxx and not to the PDC. I need to check that out, but may not since I am decommissioning the server next week anyway.