Solved

Migrate or Remove CA Services when decommissioning last 2003 DC

Posted on 2014-03-27
Last Modified: 2014-04-02
We have two 2008 R2 DCs and one 2003 R2 DC. I am ready to demote and remove the 2003 DC from the domain but can't perform a DCPROMO because CA services are installed. When I open Certification Authority|Issued Certificates, there are only 3 Certs that haven't expired and the Requester Name is "Domain\DC$". Even all of the expired Certs have the same Requester Name. I also followed these steps to back up the CA info:

http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx#BKMK_BackUpDB
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx#BKMK_BackUpReg

Based on this info, would it be better to migrate the CA to one of my 2008 DCs or just remove it? Would this have any impact on Directory Services?

Thanks in advance,
0
Question by:RHNOC
5 Comments
 
LVL 10

Expert Comment

by:0xSaPx0
ID: 39959530
First off, what are the certs used for? If you demote that server it can't be a CA anymore so you need to reissue them anyway.

If you don't use the certs for anything then it's a non-issue anyway.

Finally, it makes sense to move to 2008 CA Server anyway if you plan to issue certificates in the future as they will eventually expire.
0
 

Author Comment

by:RHNOC
ID: 39959546
To be honest, I'm not sure what those Certs are for and that's why I posted this. They appear to be automatically created by the DCs and new ones are issued for each DC when the old ones expire.

Migrating to the 2008 DC seems safer than removing the CA altogether but I also would rather not migrate something that isn't being used.  I was hoping with some help, to identify the purpose of these Certs and if migrating the CA was necessary.
0
 
LVL 10

Accepted Solution

by:
0xSaPx0 earned 500 total points
ID: 39959573
Sounds like they are the auto-generated root certificates created when you install certificate services. If you haven't generated any manual certificates and used them for SSL or other services you don't need these for anything.
0
 

Author Comment

by:RHNOC
ID: 39959652
So if I wanted to proceed with removing the CA: since I have made the necessary backups required to migrate, I could uninstall the CA and wait a few days to see if there are any issues or fallout from it. If so, just migrate it to one of the 2008 DCs, right?
0
 
LVL 10

Expert Comment

by:0xSaPx0
ID: 39959670
You could stop services and see. That said, most certificates once issued are no longer dependent on the root CA anyway.

For example, if you issue a web server certificate you can disable the CA and not run into any issues until the certificate expires and you need to renew it. Even then it would only generate a browser warning saying it's expired.
0
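
An added example, not part of the thread and not written by any poster: one way to answer the question of what the unexpired certificates are for is to export the CA's Issued Certificates list and group the still-valid entries by template and requester. The CSV is constructed sample data; its column names, date format, account names and template values are assumptions and must be matched to the real export.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Assumed column names and date format; adjust to the real export.
REQUESTER = "Requester Name"
TEMPLATE = "Certificate Template"
NOT_AFTER = "Certificate Expiration Date"
DATE_FORMAT = "%Y-%m-%d"

# Constructed sample export (not data from the thread).
SAMPLE_CSV = """Request ID,Requester Name,Certificate Template,Certificate Expiration Date
2,EXAMPLE\\DC01$,DomainController,2013-02-01
7,EXAMPLE\\DC01$,DomainController,2014-02-01
8,EXAMPLE\\DC02$,DomainController,2014-11-15
9,EXAMPLE\\DC03$,DomainController,2014-12-20
10,EXAMPLE\\DC01$,DomainController,2015-01-30
"""


def load_rows(text):
    """Parse the exported list into one dict per issued certificate."""
    return list(csv.DictReader(io.StringIO(text)))


def unexpired(rows, as_of):
    """Keep only certificates whose expiration date is on or after as_of."""
    return [r for r in rows
            if datetime.strptime(r[NOT_AFTER].strip(), DATE_FORMAT) >= as_of]


def summarize(rows, as_of):
    """Count live certificates per (template, requester) and list every one
    not requested by a computer account (requester name ending in '$')."""
    live = unexpired(rows, as_of)
    by_use = Counter((r[TEMPLATE].strip() or "(no template)",
                      r[REQUESTER].strip()) for r in live)
    non_machine = [r for r in live if not r[REQUESTER].strip().endswith("$")]
    return by_use, non_machine


if __name__ == "__main__":
    by_use, non_machine = summarize(load_rows(SAMPLE_CSV), datetime(2014, 3, 27))
    for (template, requester), count in sorted(by_use.items()):
        print(f"{count} live cert(s): template={template} requester={requester}")
    print(f"{len(non_machine)} live cert(s) requested by non-computer accounts")
```

Any live certificate that shows up under a user account or an unexpected template needs an identified owner and a renewal plan before the CA role is removed.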

Question has a verified solution.