Solved

Demoting a DC that has CA.

Posted on 2013-11-20
Last Modified: 2014-01-09
Hello,
I currently have a domain controller that needs to be demoted, but it currently has the Certificate Authority role installed. When I try to run the uninstall for Cert', it asks for Server 2003 disk 2 for the install.exe file in order to continue. Has anyone run into this? The server is offsite, and in the past I've tried to share out the disk, but it does not find that install file. I am currently in the process of upgrading my domain to 2008, and this server will remain a Windows 2003 file server/print server, but not a DC.
Thx!
Question by:bbwb
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39663909
What is the OS version?
2003 with SP2 or 2003 R2 with SP2?
You can copy the Windows Server 2003 setup files + 2003 R2 setup files + 2003 SP2 setup files to the CA server and then try uninstalling the CA service.
It should work.
If it still fails, then back up the CA certificate along with the Certificate Authority database and then forcefully remove the Certificate Authority from the server.

To back up the CA server:
http://technet.microsoft.com/library/ee126140.aspx
http://support.microsoft.com/kb/298138

Use the procedure in the MS article below to forcefully remove the CA:
http://support.microsoft.com/kb/555151

Also check the article below for more information:
http://support.microsoft.com/kb/889250

Once you have completed the above procedure, hopefully you will be able to demote the domain controller to a member server.

Now you can deploy a new CA server if you want to, or you can have another server with the same host name (you need to rename the original server) and install the new CA role there with the certificate backup taken above.

Thanks
 

Author Comment

by:bbwb
ID: 39666287
OS is 2003 R2 SP2.
 

Author Comment

by:bbwb
ID: 39712330
Unfortunately, when I put the disk in, there is no "install.exe" file that it wants. Is there another way to demote the server? Can I re-point certificate authority to another server, then delete it?
Thx!
 
LVL 35

Expert Comment

by:Mahesh
ID: 39712453
"Can I re-point certificate authority to another server, then delete it?"

There is no option to re-point the CA.
You can back up the CA and restore it on another server that has the same hostname if you want to retain the existing issued certificates.
If you are not using those issued certificates anymore, or there are very few of them, then you can restore it on a server with a different hostname.
Note - Before restoring the CA by the above methods, it is mandatory that the existing CA server be decommissioned.
Hence, whether you want to move the CA to a different server or demote the DC gracefully / forcefully, the only option is to remove the CA forcefully.

Once the CA server is removed, you can demote the DC gracefully, or forcefully if you find a problem with graceful demotion.
For forceful demotion you can use dcpromo /forceremoval
Once AD is removed from the DC, just clean up the DC metadata from AD.

If you fail to forcefully remove the CA server role, then check the article below, as it might help to remove the DC role from the server:
http://support.microsoft.com/kb/332199

If you fail to remove the CA and DC roles from the server, the only option is to take a backup of the server data with NTFS security, back up the share permissions, and format the server, since it is also a file server, and join it as a member server.
Then restore the data from backup, restore the share and NTFS permissions, and restore the CA on another server.

Mahesh
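
Added example, not part of the thread or of the linked Microsoft articles: a batch script for the "back up the CA before forcefully removing it" step, to be run on the CA server as a local administrator. The backup folder path and output file names are assumptions; the script checks that the key, database and registry configuration were actually captured before anything is removed.

```batch
@echo off
rem Added example: capture everything needed to restore the CA elsewhere
rem BEFORE forcing removal of Certificate Services or running dcpromo.
rem BACKUP_DIR is a hypothetical path; use a new, empty folder.
setlocal
set BACKUP_DIR=D:\CABackup

if exist "%BACKUP_DIR%" (
    echo %BACKUP_DIR% already exists. Choose a new, empty folder.
    exit /b 1
)
mkdir "%BACKUP_DIR%" || exit /b 1

rem certutil -backup talks to the running service, so certsvc must be up.
sc query certsvc | find "RUNNING" >nul
if errorlevel 1 (
    echo Certificate Services is not running. Start it and retry.
    exit /b 1
)

rem CA certificate + private key and the certificate database.
rem certutil prompts for the password that protects the exported key.
certutil -backup "%BACKUP_DIR%"
if errorlevel 1 (
    echo certutil -backup failed. Do not remove the CA yet.
    exit /b 1
)

rem CA registry configuration; it is not included in the certutil backup.
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "%BACKUP_DIR%\CertSvc-Configuration.reg"
if errorlevel 1 (
    echo Registry export failed. Do not remove the CA yet.
    exit /b 1
)

rem Record which templates the CA issues (enterprise CA); informational.
certutil -catemplates > "%BACKUP_DIR%\catemplates.txt"

rem Refuse to report success unless the key and database are present.
if not exist "%BACKUP_DIR%\*.p12" (
    echo No .p12 file found. The CA key was not backed up.
    exit /b 1
)
if not exist "%BACKUP_DIR%\DataBase\*.edb" (
    echo No database file found under DataBase.
    exit /b 1
)
echo Backup complete. Copy %BACKUP_DIR% off this server and restrict access to it.
endlocal
```

The .p12 file holds the CA private key, so the backup folder should be stored with the same care as the CA itself and deleted from the old server once it has been moved.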