Solved

Demoting a DC that has CA.

Posted on 2013-11-20
Last Modified: 2014-01-09
Hello,
I currently have a domain controller that needs to be demoted, but it currently has the Certificate Authority role installed. When I try to run the uninstall for Cert', it asks for Server 2003 disk 2 for the install.exe file in order to continue. Has anyone run into this? The server is offsite and in the past I've tried to share out the disk, but it does not find that install file. I am currently in the process of upgrading my domain to 2008 and this server will remain a Windows 2003 file server/print server, but not a DC.
Thx!
0
Question by:bbwb
4 Comments
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39663909
What is the OS version?
2003 with SP2 or 2003 R2 with SP2?
You can copy the Windows Server 2003 setup files + 2003 R2 setup files + 2003 SP2 setup files to the CA server and then try uninstalling the CA service.
It should work.
If it still fails, then back up the CA certificate along with the Certificate Authority database and then forcefully remove the Certificate Authority from the server.

To back up the CA server:
http://technet.microsoft.com/library/ee126140.aspx
http://support.microsoft.com/kb/298138

Use the procedure mentioned in the MS article below to forcefully remove the CA:
http://support.microsoft.com/kb/555151

Also check the article below for more information:
http://support.microsoft.com/kb/889250

Once you have completed the above procedure, hopefully you will be able to demote the domain controller to a member server.

Now you can deploy a new CA server if you want to, or you can have another server with the same host name (you need to rename the original server) and install a new CA role there with the certificate backup taken above.

Thanks
0
 

Author Comment

by:bbwb
ID: 39666287
OS is 2003 R2 SP2.
0
 

Author Comment

by:bbwb
ID: 39712330
Unfortunately, when I put the disk in, there is no "install.exe" file that it wants. Is there another way to demote the server? Can I re-point certificate authority to another server, then delete it?
Thx!
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39712453
Can I re-point certificate authority to another server, then delete it?

There is no option to re-point the CA.
You can back up the CA and restore it on another server having the same hostname if you want to retain the existing issued certificates.
If you are not using those issued certificates anymore, or their number is very small, then you can restore it on a server having a different hostname.
Note - Before restoring the CA by the above methods, it is mandatory that the existing CA server be decommissioned.
Hence, whether you want to move the CA to a different server or you want to demote the DC gracefully / forcefully, the only option is to remove the CA forcefully.

Once the CA server is removed, you can demote the DC gracefully, or forcefully if you find a problem with graceful demotion.
For forceful demotion you can use dcpromo /forceremoval
Once AD is removed from the DC, just clean up the DC metadata from AD.

If you fail to forcefully remove the CA server role, then check the article below; it might help to remove the DC role from the server:
http://support.microsoft.com/kb/332199

If you fail to demote the CA and DC roles from the server, the only option is to take a backup of the server data with NTFS security, back up the share permissions, and format the server, since it is also a file server, and join it as a member server.
Then restore the data from backup, restore the share and NTFS permissions, and restore the CA on another server.

Mahesh
0
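
The CA backup step that both of Mahesh's replies call for before forced removal, as an added example that is not part of the original thread: a cmd batch script that backs up the CA certificate, private key and database with certutil, exports the CertSvc configuration from the registry, and checks that the expected files exist. The backup path D:\CABackup and the output file names are assumptions.

```bat
@echo off
rem Added example, not from the original thread.
rem Run on the CA server as a local administrator before removing the CA role.
setlocal
rem Assumed backup location; use an empty directory on a protected volume.
set BACKUP_DIR=D:\CABackup

if exist "%BACKUP_DIR%" (
    echo %BACKUP_DIR% already exists; choose an empty directory.
    exit /b 1
)
mkdir "%BACKUP_DIR%" || exit /b 1

rem Backs up the CA certificate + private key (.p12) and the CA database.
rem No password is given on the command line, so certutil prompts for one.
certutil -backup "%BACKUP_DIR%"
if errorlevel 1 (
    echo certutil -backup failed; do not remove the CA yet.
    exit /b 1
)

rem The CA configuration is stored in the registry and is not in the DB backup.
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" "%BACKUP_DIR%\CertSvc-Configuration.reg"
if errorlevel 1 (
    echo Registry export failed.
    exit /b 1
)

rem Enterprise CA only: record which templates this CA issues.
certutil -catemplates > "%BACKUP_DIR%\catemplates.txt"

rem Confirm the pieces a restore needs are present.
if not exist "%BACKUP_DIR%\*.p12" (
    echo Missing .p12 file: CA key and certificate were not backed up.
    exit /b 1
)
if not exist "%BACKUP_DIR%\DataBase\*.edb" (
    echo Missing DataBase\*.edb: CA database was not backed up.
    exit /b 1
)

echo CA backup complete in %BACKUP_DIR%
endlocal
```

The .p12 file holds the CA private key, so restrict access to the backup directory and move it off the server before the role is removed.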
