RHNOC

Migrate or Remove CA Services when decommissioning last 2003 DC

We have two 2008 R2 DCs and one 2003 R2 DC. I am ready to demote and remove the 2003 DC from the domain but can't perform a DCPROMO because CA services are installed. When I open Certification Authority|Issued Certificates, there are only 3 Certs that haven't expired and the Requester Name is "Domain\DC$". Even all of the expired Certs have the same Requester Name. I also followed these steps to back up the CA info:

http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx#BKMK_BackUpDB
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx#BKMK_BackUpReg

Based on this info, would it be better to migrate the CA to one of my 2008 DCs or just remove it? Would this have any impact on Directory Services?

Thanks in advance,

0xSaPx0

First off, what are the certs used for? If you demote that server it can't be a CA anymore so you need to reissue them anyway.

If you don't use the certs for anything then it's a non-issue anyway.

Finally, it makes sense to move to a 2008 CA server anyway if you plan to issue certificates in the future, as they will eventually expire.
RHNOC

ASKER

To be honest, I'm not sure what those Certs are for and that's why I posted this. They appear to be automatically created by the DCs and new ones are issued for each DC when the old ones expire.

Migrating to the 2008 DC seems safer than removing the CA altogether but I also would rather not migrate something that isn't being used. I was hoping, with some help, to identify the purpose of these Certs and whether migrating the CA was necessary.
ASKER CERTIFIED SOLUTION
0xSaPx0

RHNOC

ASKER

So if I wanted to proceed with removing the CA: since I have made the necessary backups required to migrate, I could uninstall the CA and wait a few days to see if there are any issues or fallout from it. If so, just migrate it to one of the 2008 DCs, right?
You could stop services and see. That said, most certificates once issued are no longer dependent on the root CA anyway.

For example, if you issue a web server certificate you can disable the CA and not run into any issues until the certificate expires and you need to renew it. Even then it would only generate a browser warning saying it's expired.
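
One way to see what the "Domain\DC$" certificates discussed in this thread are for, as an added example that is not part of any post above: run the following on each domain controller to list the certificates in its computer store that were issued by the CA, with their template, enhanced key usages and expiry. `EXAMPLE-CA` is a constructed placeholder for the CA's common name, and `$CaName` is a name chosen for this example.

```powershell
# Assumption: replace with the CA common name shown in the certificates' Issuer field.
$CaName = 'EXAMPLE-CA'   # constructed placeholder, not from the thread

# Microsoft certificate-template extensions
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # v1 template name
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # v2 template information
$EkuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*CN=$CaName*" } |
    ForEach-Object {
        $cert = $_

        # Template the certificate was enrolled from (decoded extension text)
        $template = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq $TemplateNameOid -or
                           $_.Oid.Value -eq $TemplateInfoOid } |
            ForEach-Object { $_.Format($false) }

        # Enhanced key usages: what the certificate may be used for
        $eku = $cert.Extensions |
            Where-Object { $_ -is $EkuType } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object {
                if ($_.FriendlyName) { $_.FriendlyName } else { $_.Value }
            }

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Template      = ($template -join '; ')
            EnhancedUsage = ($eku -join ', ')
            NotAfter      = $cert.NotAfter
            # Expired certificates cannot be in use regardless of the CA's fate
            Expired       = ($cert.NotAfter -lt (Get-Date))
            Thumbprint    = $cert.Thumbprint
        }
    } |
    Select-Object Subject, Template, EnhancedUsage, NotAfter, Expired, Thumbprint |
    Format-List
```

The template and enhanced key usage columns show what each certificate is valid for, and `NotAfter` shows when it would next need to be reissued by a CA.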