Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

How to deal with Certificate Services whilst demoting a SBS 2003.

Posted on 2013-11-10
2
Medium Priority
?
920 Views
Last Modified: 2013-11-18
Hi Guys,

I have a network with a single domain and 2 sites (A and B), domain functional level is Windows 2003 at the moment.

Site A has:

1. PDC running SBS 2003 (DHCP, DNS, Certificate Service) holding all FSMO roles
2. Windows 2008 R2 DC recently joined the network.

Site B has:

 1. DC running Windows 2003 R2 Standard


I planning to demote the SBS 2003 on site A in order to upgrade domain functional level to Windows 2008


What I did:

- Moved all FSMO roles from SBS 2003 to Windows 2008 R2

Now when trying to demote SBS 2003 by running 'dcpromo' I receive the following:

"Before you can install or remove Active Directory, you must remove Certificate Services"

I am not sure how important is the role of the certificate services on the network.
The SBS 2003 box was running Exchange 2003 years ago, but this has now been demoted.

How can I safely find out if I can just revoke the certificates and demote the SBS or
if I shall move the certificate services to the 2008 R2 DC box?

Thanks,
Rod
0
Comment
Question by:Rodrigo Carrilho
2 Comments
 
LVL 38

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 39636973
Just check in your Certificate server console under issued certificates, how many certificates you have issued and to whom.
You can check on hosts to which certs are issued and find out if they are still in use or not.
If issued certificates quantity is very less AND \ OR none of issued certificates are of use, you can directly uninstall CA server after taking backup.  
If there are huge certificates issued, probably you can follow below steps.
Backup Certificate Authority database and registry
Uninstall Certificate authority.Even if you uninstall CA role, all CA settings will still remains on the server.
Demote server from ADC to member server.Do not change the server hostname.
Reinstall certificate authority and restore the CA backup taken in previous step.
This will restore all your CA database up to date.
Alternatively you can backup CA on 2003 server and restore it on another server having 2003 OR 2008.
Do not change the CA server hostname in either case, otherwise you will face certificate CRL problem for already issued certificates.
Below is the MS documentation to carry this task
http://technet.microsoft.com/en-us/library/cc779540(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc755153(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
Hope that helps
0
 

Author Closing Comment

by:Rodrigo Carrilho
ID: 39656896
thank you
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question