Solved

Demoting a DC that has CA.

Posted on 2013-11-20
Last Modified: 2014-01-09
Hello,
I currently have a domain controller that needs to be demoted, but currently has the Certificate Authority role installed. When I try and run the uninstall for Cert', it asks for Server 2003 disk 2 for the install.exe file in order to continue. Has anyone run into this? The server is offsite and in the past I've tried to share out the Disk but it does not find that install file. I am currently in the process of upgrading my domain to 2008 and this server will remain a Windows 2003 file server/print server, but not a DC.
Thx!
Question by:bbwb
4 Comments
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39663909
What is the OS version?
2003 with SP2 OR 2003 R2 with SP2
You can copy the Windows Server 2003 setup files + 2003 R2 setup files + 2003 SP2 setup files to the CA server and then try uninstalling the CA service.
It should work.
If it still fails, then back up the CA certificate along with the Certificate Authority database and then forcefully remove the Certificate Authority from the server.

To back up the CA server:
http://technet.microsoft.com/library/ee126140.aspx
http://support.microsoft.com/kb/298138

Use the procedure mentioned in the MS article below to forcefully remove the CA:
http://support.microsoft.com/kb/555151

Also check the article below for more information:
http://support.microsoft.com/kb/889250

Once you have completed the above procedure, hopefully you will be able to demote the domain controller to a member server.

Now you can deploy a new CA server if you want to, or you can have another server with the same host name (you need to rename the original server) and install a new CA role there with the certificate backup taken above.

Thanks
 

Author Comment

by:bbwb
ID: 39666287
OS is 2003 R2 SP2.
 

Author Comment

by:bbwb
ID: 39712330
Unfortunately, when I put the disk in, there is no "install.exe" file that it wants. Is there another way to demote the server? Can I re-point certificate authority to another server, then delete it?
Thx!
 
LVL 37

Expert Comment

by:Mahesh
ID: 39712453
Can I re-point certificate authority to another server, then delete it?

There is no option to re-point the CA.
You can back up the CA and restore it on another server having the same hostname if you want to retain the existing issued certificates.
If you are not using those issued certificates anymore, or there are very few of them, then you can restore it on a server having a different hostname.
Note - Before restoring the CA by the above methods, it is mandatory that the existing CA server be decommissioned.
Hence, either you want to move the CA server to a different server OR you want to demote the DC gracefully / forcefully; the only option is to remove the CA forcefully.

Once the CA server is removed, you can demote the DC gracefully, OR forcefully if you find a problem with graceful demotion.
For forceful demotion you can use dcpromo /forceremoval
Once AD is removed from the DC, just clean up the DC metadata from AD.

If you fail to forcefully remove the CA server role, then check the article below
http://support.microsoft.com/kb/332199 if it might help to remove the DC role from the server.

If you fail to remove the CA and DC roles from the server, the only option is to take a server data backup with NTFS security, back up the share permissions and format the server, since it is also a file server, and join it as a member server.
Then restore the data from backup, restore the share and NTFS permissions and restore the CA on another server.

Mahesh
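
The backup step that both answers above require before a forced CA removal, written out as an added example (it is not part of the original thread): a cmd batch file for the Windows Server 2003 CA that saves the CA certificate, private key, database and configuration registry key, then checks that the artifacts exist. The `D:\CABackup` path is an assumption.

```bat
@echo off
rem Added example: back up a Windows Server 2003 CA before forcing its removal.
rem BACKUP_DIR is an assumed path. Run locally on the CA as a CA administrator.
setlocal
set BACKUP_DIR=D:\CABackup

rem certutil -backup expects an empty target, so refuse to reuse a directory.
if exist "%BACKUP_DIR%" (
    echo %BACKUP_DIR% already exists, choose a new empty directory.
    exit /b 1
)
mkdir "%BACKUP_DIR%" || exit /b 1

rem Save the CA configuration: CA name, CSP, CRL and AIA publication settings.
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" "%BACKUP_DIR%\CertSvc-Configuration.reg"
if errorlevel 1 (
    echo Registry export failed.
    exit /b 1
)

rem Back up the CA certificate and private key as PKCS #12, plus the database.
rem certutil prompts for the password that protects the .p12 file.
certutil -backup "%BACKUP_DIR%"
if errorlevel 1 (
    echo certutil -backup failed, do not remove the CA yet.
    exit /b 1
)

rem Confirm both artifacts exist before anything destructive is done.
dir /b "%BACKUP_DIR%\*.p12" >nul 2>&1
if errorlevel 1 (
    echo No .p12 key backup found in %BACKUP_DIR%.
    exit /b 1
)
if not exist "%BACKUP_DIR%\DataBase\*.edb" (
    echo No CA database backup found in %BACKUP_DIR%\DataBase.
    exit /b 1
)

echo CA backup complete in %BACKUP_DIR%.
echo Copy it off this server before removing the CA role or running dcpromo.
endlocal
```

The `.p12` file contains the CA's private key, so move the backup to restricted offline storage and delete the local copy once the CA has been restored or retired; this server stays in service as a file and print server.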