Solved

How to deal with Certificate Services whilst demoting a SBS 2003.

Posted on 2013-11-10
2
872 Views
Last Modified: 2013-11-18
Hi Guys,

I have a network with a single domain and 2 sites (A and B), domain functional level is Windows 2003 at the moment.

Site A has:

1. PDC running SBS 2003 (DHCP, DNS, Certificate Service) holding all FSMO roles
2. Windows 2008 R2 DC recently joined the network.

Site B has:

 1. DC running Windows 2003 R2 Standard


I planning to demote the SBS 2003 on site A in order to upgrade domain functional level to Windows 2008


What I did:

- Moved all FSMO roles from SBS 2003 to Windows 2008 R2

Now when trying to demote SBS 2003 by running 'dcpromo' I receive the following:

"Before you can install or remove Active Directory, you must remove Certificate Services"

I am not sure how important is the role of the certificate services on the network.
The SBS 2003 box was running Exchange 2003 years ago, but this has now been demoted.

How can I safely find out if I can just revoke the certificates and demote the SBS or
if I shall move the certificate services to the 2008 R2 DC box?

Thanks,
Rod
0
Comment
Question by:Rod_2012
2 Comments
 
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39636973
Just check in your Certificate server console under issued certificates, how many certificates you have issued and to whom.
You can check on hosts to which certs are issued and find out if they are still in use or not.
If issued certificates quantity is very less AND \ OR none of issued certificates are of use, you can directly uninstall CA server after taking backup.  
If there are huge certificates issued, probably you can follow below steps.
Backup Certificate Authority database and registry
Uninstall Certificate authority.Even if you uninstall CA role, all CA settings will still remains on the server.
Demote server from ADC to member server.Do not change the server hostname.
Reinstall certificate authority and restore the CA backup taken in previous step.
This will restore all your CA database up to date.
Alternatively you can backup CA on 2003 server and restore it on another server having 2003 OR 2008.
Do not change the CA server hostname in either case, otherwise you will face certificate CRL problem for already issued certificates.
Below is the MS documentation to carry this task
http://technet.microsoft.com/en-us/library/cc779540(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc755153(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
Hope that helps
0
 

Author Closing Comment

by:Rod_2012
ID: 39656896
thank you
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are a user of the discontinued Microsoft Office Accounting 2008 (MSOA) and have to move to a new computer running Windows 8, you will be unhappy to discover that it won't install.  In particular, Microsoft SQL Server 2005 Express Edition (SSE…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

827 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question