Need to decommission a Windows 2003 DC that has an Enterprise Root CA

We need to remove an Enterprise Root CA from a Windows 2003 DC so we can replace it with a Windows 2012 DC. We currently have two other Windows 2012 DCs on our domain, one of which has the FSMO.
I understand it is best not to install the CA on a DC, so I need to know the steps to complete this process.
Slingshot51 Asked:
 
aa-denver Commented:
Here is a comprehensive link.  

http://technet.microsoft.com/en-us/library/ee126170(v=ws.10).aspx

It is a good thing you asked.  Many people just demote a DC with a CA and then remove it from AD, leaving a mess behind.  The CA has probably been issuing server certs that will break if you do this.

Basically you have to export the CA database and import it to another server that has the same name.   Follow the guidance in this article and you should be OK.

I would encourage you to spin up a test VM environment, Microsoft Hyper-V should be OK.  You can P2V the existing DC CA to that environment and then isolate the test server from the network before turning on the VM copy of the DC.  I always recommend going through a virtual trial run before doing something like this.
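
The export half of the procedure described above, sketched as an added example that is not part of the original answer or the linked TechNet article. It assumes an elevated command prompt on the existing CA server; `D:\CABackup` is a placeholder path, and the script stops at the first failed step so that a partial backup is never mistaken for a complete one.

```bat
@echo off
rem Added example: capture everything needed to restore the CA elsewhere,
rem BEFORE the CA role is removed or the DC is demoted.
setlocal
set BACKUP_DIR=D:\CABackup

rem Refuse to mix this backup with an older one.
if exist "%BACKUP_DIR%" (
    echo %BACKUP_DIR% already exists. Choose a new, empty location.
    exit /b 1
)
mkdir "%BACKUP_DIR%" || goto :fail

rem Record the CA name, host name and published templates for later comparison.
certutil -cainfo name > "%BACKUP_DIR%\ca-name.txt" || goto :fail
hostname > "%BACKUP_DIR%\host-name.txt"
certutil -catemplates > "%BACKUP_DIR%\ca-templates.txt" || goto :fail

rem CA certificate and private key (certutil prompts for a PKCS#12 password).
certutil -backupKey "%BACKUP_DIR%" || goto :fail

rem Certificate database and logs (issued, revoked and pending requests).
certutil -backupDB "%BACKUP_DIR%" || goto :fail

rem CA configuration: CDP/AIA extensions, validity periods, policy settings.
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "%BACKUP_DIR%\certsvc-config.reg" || goto :fail

rem Optional policy file, present only if one was used at install time.
if exist "%SystemRoot%\CAPolicy.inf" copy "%SystemRoot%\CAPolicy.inf" "%BACKUP_DIR%\" >nul

rem Sanity check: the key backup must have produced a .p12 file.
if not exist "%BACKUP_DIR%\*.p12" (
    echo No .p12 file found. The private key was NOT backed up.
    goto :fail
)

echo Backup complete. Contents:
dir /s /b "%BACKUP_DIR%"
exit /b 0

:fail
echo Backup step failed. Do not remove the CA role or demote this DC.
exit /b 1
```

The resulting folder contains the CA private key, so move it to the target server over a protected channel and delete intermediate copies once the restored CA is verified.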
 
Slingshot51 (Author) Commented:
Thank you for the information.
Question has a verified solution.