Solved

Did not demote old DC and now certutil returns it as authority

Posted on 2014-12-19
Last Modified: 2014-12-23
Last year I installed a new DC on our network. The plan was to replace an older Server 2003 box and retire it. I transferred the FSMO roles to the new server and everything seemed to be working fine. I later took the old 2003 server out (it is still sitting here) and forgot to demote it. I have been getting some login problems as of late, but everything else seems to be OK. I ran certutil and found that the network still has the old 2003 server as its authority for the domain.
The old server has been off for over a year and I am hesitant to turn it back on to demote it. I'm thinking it would try to sync very old stuff with the newer DC server. How do I get my newer DC to be the cert authority?
Question by:dsimpson2
3 Comments
LVL 63

Expert Comment

by:btan
ID: 40510375
The proper means are as stated by MS. The focus is to update the AD information accurately so that the old CA is no longer present; hence the steps involving the "decom" are critical, also to get all client machines knowing the new AIA and CDP.
http://support.microsoft.com/kb/889250

Another MS link that is useful and sums up key notes for the shift over that you should be aware of. Here is one of the many; do consider reading it and see if any steps were not taken. My advice: assess and have the operational stakeholder involved, as this may also pre-empt downtime if needed.
Some registry values are associated with the CA, while others are associated with the domain environment, the physical host computer, the Windows version, or even other role services. Consequently, some registry parameters should be migrated without changes from the source CA computer and others should not. Any value that is not listed in the .reg text file that is restored on the target CA retains its existing setting or default value.
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx

Author Comment

by:dsimpson2
ID: 40513779
Thank you for your reply.
Will bringing the old server (CA) back into the network after one year of being off cause any problems with the network?
LVL 63

Accepted Solution

by: btan (earned 500 total points)
ID: 40514209
If you have not updated AD as stated by MS, it is probably still pointing to the old CA and holding the same DNS name, so there may be a conflict. See excerpt:
Removing the CA role service also removes the CA's configuration data from AD DS. Because the source CA and destination CA share the same common name, removing the CA role service from the source server after installing the CA role service on the destination server removes configuration data that is required by destination CA and interferes with its operation.
Although it is not recommended, some administrators may choose to leave the CA role service installed on the source server to enable the source CA to be brought online quickly in the case of migration failure. If you choose not to remove the CA role service from the source server before installing the CA role service on the destination server, it is important that you disable the Active Directory Certificate Services service (Certsvc) and shut down the source server before installing the CA role service on the destination server. Do not remove the CA role service from the source server after completing the migration to the destination server. Removing the CA role service from the source server after migrating to the destination server interferes with the operation of the destination CA.
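The thread turns on one point: switching the old server off did not remove its CA objects from Active Directory, so domain members still resolve it as the enrollment authority. The script below is an added example (mine, not btan's and not from the Microsoft articles he links) that enumerates the CA objects AD still publishes under CN=Public Key Services and flags any whose host no longer answers. It assumes the standard container layout in the Configuration partition and runs as an ordinary domain user on a domain-joined machine; no RSAT module is needed.

```powershell
# Added example (not from the thread or from Microsoft): audit which CAs AD still
# advertises to domain members, so a retired CA that was never decommissioned
# shows up before clients trip over it. Assumes the standard container layout
# under CN=Public Key Services in the Configuration partition.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.Get('configurationNamingContext')
$pkiRoot  = "CN=Public Key Services,CN=Services,$configNc"

function Get-PkiObjects {
    # Returns the objects one level below a given PKI sub-container.
    param(
        [Parameter(Mandatory)][string]$Container,
        [Parameter(Mandatory)][string]$ObjectClass
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=$Container,$pkiRoot"
    $searcher.Filter      = "(objectClass=$ObjectClass)"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    foreach ($p in 'cn', 'dnshostname', 'whenchanged') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    $searcher.FindAll()
}

function Get-AdvertisedCA {
    # One row per CA object in the containers clients actually consult:
    #   Enrollment Services       - what autoenrollment and "certutil -config - -ping" offer as CAs
    #   Certification Authorities - roots pushed into every member's trusted root store
    #   AIA                       - issuer certificates fetched during chain building
    # Only Enrollment Services objects carry dNSHostName, so the reachability
    # test applies there; elsewhere Reachable is left $null.
    $sets = @(
        @{ Container = 'Enrollment Services';       Class = 'pKIEnrollmentService' },
        @{ Container = 'Certification Authorities'; Class = 'certificationAuthority' },
        @{ Container = 'AIA';                       Class = 'certificationAuthority' }
    )
    foreach ($set in $sets) {
        foreach ($obj in (Get-PkiObjects -Container $set.Container -ObjectClass $set.Class)) {
            $hostName = $null
            if ($obj.Properties.Contains('dnshostname')) {
                $hostName = $obj.Properties['dnshostname'][0]
            }
            $reachable = $null
            if ($hostName) {
                $reachable = Test-Connection -ComputerName $hostName -Count 1 -Quiet -ErrorAction SilentlyContinue
            }
            [pscustomobject]@{
                Container   = $set.Container
                CA          = $obj.Properties['cn'][0]
                Host        = $hostName
                Reachable   = $reachable
                LastChanged = $obj.Properties['whenchanged'][0]
            }
        }
    }
}

# An Enrollment Services row whose Host has been powered off for a year is the
# stale authority the question describes. The object must be cleaned out of AD
# (the procedure in KB 889250 linked above); switching the server off is not enough.
Get-AdvertisedCA | Sort-Object Container, CA | Format-Table -AutoSize
```

Run this from the new DC before and after the cleanup: the "before" output shows the old 2003 host still listed in Enrollment Services with Reachable false, and the "after" output should show only the new CA. The same containers are what pkiview.msc displays, so the two views can be cross-checked.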
