Solved

How to deal with Certificate Services whilst demoting a SBS 2003.

Posted on 2013-11-10
2
847 Views
Last Modified: 2013-11-18
Hi Guys,

I have a network with a single domain and 2 sites (A and B), domain functional level is Windows 2003 at the moment.

Site A has:

1. PDC running SBS 2003 (DHCP, DNS, Certificate Service) holding all FSMO roles
2. Windows 2008 R2 DC recently joined the network.

Site B has:

 1. DC running Windows 2003 R2 Standard


I planning to demote the SBS 2003 on site A in order to upgrade domain functional level to Windows 2008


What I did:

- Moved all FSMO roles from SBS 2003 to Windows 2008 R2

Now when trying to demote SBS 2003 by running 'dcpromo' I receive the following:

"Before you can install or remove Active Directory, you must remove Certificate Services"

I am not sure how important is the role of the certificate services on the network.
The SBS 2003 box was running Exchange 2003 years ago, but this has now been demoted.

How can I safely find out if I can just revoke the certificates and demote the SBS or
if I shall move the certificate services to the 2008 R2 DC box?

Thanks,
Rod
0
Comment
Question by:Rod_2012
2 Comments
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39636973
Just check in your Certificate server console under issued certificates, how many certificates you have issued and to whom.
You can check on hosts to which certs are issued and find out if they are still in use or not.
If issued certificates quantity is very less AND \ OR none of issued certificates are of use, you can directly uninstall CA server after taking backup.  
If there are huge certificates issued, probably you can follow below steps.
Backup Certificate Authority database and registry
Uninstall Certificate authority.Even if you uninstall CA role, all CA settings will still remains on the server.
Demote server from ADC to member server.Do not change the server hostname.
Reinstall certificate authority and restore the CA backup taken in previous step.
This will restore all your CA database up to date.
Alternatively you can backup CA on 2003 server and restore it on another server having 2003 OR 2008.
Do not change the CA server hostname in either case, otherwise you will face certificate CRL problem for already issued certificates.
Below is the MS documentation to carry this task
http://technet.microsoft.com/en-us/library/cc779540(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc755153(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
Hope that helps
0
 

Author Closing Comment

by:Rod_2012
ID: 39656896
thank you
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Because virtualization becomes more and more common, and, with Microsoft Hyper-V included in Windows Server at no additional costs, and, most server hardware nowadays is more than capable of running a physical Small Business Server (SBS) 2008 or 201…
Learn about cloud computing and its benefits for small business owners.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now