Solved

How to deal with Certificate Services whilst demoting a SBS 2003.

Posted on 2013-11-10
2
880 Views
Last Modified: 2013-11-18
Hi Guys,

I have a network with a single domain and 2 sites (A and B), domain functional level is Windows 2003 at the moment.

Site A has:

1. PDC running SBS 2003 (DHCP, DNS, Certificate Service) holding all FSMO roles
2. Windows 2008 R2 DC recently joined the network.

Site B has:

 1. DC running Windows 2003 R2 Standard


I planning to demote the SBS 2003 on site A in order to upgrade domain functional level to Windows 2008


What I did:

- Moved all FSMO roles from SBS 2003 to Windows 2008 R2

Now when trying to demote SBS 2003 by running 'dcpromo' I receive the following:

"Before you can install or remove Active Directory, you must remove Certificate Services"

I am not sure how important is the role of the certificate services on the network.
The SBS 2003 box was running Exchange 2003 years ago, but this has now been demoted.

How can I safely find out if I can just revoke the certificates and demote the SBS or
if I shall move the certificate services to the 2008 R2 DC box?

Thanks,
Rod
0
Comment
Question by:Rod_2012
2 Comments
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39636973
Just check in your Certificate server console under issued certificates, how many certificates you have issued and to whom.
You can check on hosts to which certs are issued and find out if they are still in use or not.
If issued certificates quantity is very less AND \ OR none of issued certificates are of use, you can directly uninstall CA server after taking backup.  
If there are huge certificates issued, probably you can follow below steps.
Backup Certificate Authority database and registry
Uninstall Certificate authority.Even if you uninstall CA role, all CA settings will still remains on the server.
Demote server from ADC to member server.Do not change the server hostname.
Reinstall certificate authority and restore the CA backup taken in previous step.
This will restore all your CA database up to date.
Alternatively you can backup CA on 2003 server and restore it on another server having 2003 OR 2008.
Do not change the CA server hostname in either case, otherwise you will face certificate CRL problem for already issued certificates.
Below is the MS documentation to carry this task
http://technet.microsoft.com/en-us/library/cc779540(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc755153(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
Hope that helps
0
 

Author Closing Comment

by:Rod_2012
ID: 39656896
thank you
0

Featured Post

Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows Modify Permissions 19 62
Recover options for a failed domain. 4 47
BgInfo help 5 57
Configuring DNS Round Robin in Windows DNS server ? 8 65
You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

713 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question