
How to deal with Certificate Services whilst demoting a SBS 2003.

Hi Guys,

I have a network with a single domain and 2 sites (A and B), domain functional level is Windows 2003 at the moment.

Site A has:

1. PDC running SBS 2003 (DHCP, DNS, Certificate Service) holding all FSMO roles
2. Windows 2008 R2 DC recently joined the network.

Site B has:

 1. DC running Windows 2003 R2 Standard


I am planning to demote the SBS 2003 on site A in order to upgrade the domain functional level to Windows 2008.


What I did:

- Moved all FSMO roles from SBS 2003 to Windows 2008 R2

Now when trying to demote SBS 2003 by running 'dcpromo' I receive the following:

"Before you can install or remove Active Directory, you must remove Certificate Services"

I am not sure how important the role of Certificate Services is on the network.
The SBS 2003 box was running Exchange 2003 years ago, but this has now been demoted.

How can I safely find out if I can just revoke the certificates and demote the SBS or
if I shall move the certificate services to the 2008 R2 DC box?

Thanks,
Rod
Asked: Rodrigo Carrilho
 
Mahesh (Architect) commented:
Just check in your Certificate server console under issued certificates how many certificates you have issued and to whom.
You can check on the hosts to which certs are issued and find out whether they are still in use or not.
If the number of issued certificates is very small and/or none of the issued certificates are in use, you can directly uninstall the CA server after taking a backup.
If a large number of certificates have been issued, you can probably follow the steps below.

1. Back up the Certificate Authority database and registry.
2. Uninstall the Certificate Authority. Even if you uninstall the CA role, all CA settings will still remain on the server.
3. Demote the server from ADC to member server. Do not change the server hostname.
4. Reinstall the Certificate Authority and restore the CA backup taken in the previous step.

This will restore your CA database up to date.
Alternatively, you can back up the CA on the 2003 server and restore it on another server running 2003 or 2008.
Do not change the CA server hostname in either case, otherwise you will face certificate CRL problems for already issued certificates.
Below is the MS documentation for carrying out this task:
http://technet.microsoft.com/en-us/library/cc779540(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc755153(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
Hope that helps
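
The inventory and backup steps from the answer above, written out as a batch file to run on the CA server before uninstalling Certificate Services. This is an added example, not part of the original thread; `D:\CABackup` is a placeholder path, and the `certutil` and `reg` commands are the standard Windows tools rather than anything quoted in the answer.

```batch
@echo off
rem Added example (not from the original thread).
rem Run on the CA server as a CA administrator BEFORE removing Certificate Services.
rem Assumption: D:\CABackup is a placeholder; use an empty folder on a volume
rem that survives the demotion, and copy it off the server afterwards.
setlocal
set BACKUP=D:\CABackup
set INVENTORY=%BACKUP%\inventory

if not exist "%INVENTORY%" mkdir "%INVENTORY%"

rem Record the hostname: the answer stresses it must not change, because
rem already issued certificates point at CRL locations under this name.
hostname > "%INVENTORY%\hostname.txt"

rem List every issued certificate (Disposition 20 = issued) with requester,
rem subject, expiry date and template, to judge which are still in use.
certutil -view -restrict "Disposition=20" -out "RequestID,RequesterName,CommonName,NotAfter,CertificateTemplate" > "%INVENTORY%\issued-certs.txt"
if errorlevel 1 goto fail

rem List the certificate templates this CA is configured to issue.
certutil -catemplates > "%INVENTORY%\catemplates.txt"

rem Back up the CA database.
certutil -backupDB "%BACKUP%"
if errorlevel 1 goto fail

rem Back up the CA certificate and private key (prompts for a password
rem that protects the exported key file; store it separately).
certutil -backupKey "%BACKUP%"
if errorlevel 1 goto fail

rem Export the CA configuration from the registry.
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" "%BACKUP%\certsvc-config.reg"
if errorlevel 1 goto fail

echo Backup complete in %BACKUP%. Review %INVENTORY%\issued-certs.txt before uninstalling the CA.
goto end

:fail
echo A step failed. Do not uninstall Certificate Services until the backup succeeds.
exit /b 1

:end
endlocal
```

The exported key file holds the CA private key, so restrict access to the backup folder and delete stray copies once the CA has been restored or retired.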
Rodrigo Carrilho (Author) commented:
thank you
Question has a verified solution.
