Solved

Did not demote old DC and now certutil returns it as authority

Posted on 2014-12-19
3
170 Views
Last Modified: 2014-12-23
Last year I installed a new Dc on our network. The plan was to replace an older Server 2003 box and retire it. I transfered the FSMO roles to the new server and everything seemed to be working fine. I later took the old 2003 server out (it is still sitting here) and forgot to demote it. I have been getting some login problems as of late but everything else seem to be OK. I ran the cerutil and found that the network still has the old 2003 server as its authority for the domain.
The old server has been off for over a year and I am hesitant to turn it back on to demote it. I'm thinking it would try to sync very old stuff with the newer DC server. How do I get my newer DC to be the cert authority?
0
Comment
Question by:dsimpson2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 63

Expert Comment

by:btan
ID: 40510375
the proper means are as stated in MS - the focus is to update the AD information accurate that the old CA is not of existence hence the steps involving the "decom" is critical to also also get all client machine knowing the new AIA and CDP
http://support.microsoft.com/kb/889250

another MS link that is useful and summed up key notes for the shift over that you should be aware. Here is one f the many, do consider reading and see if any steps not taken and my advice, assess and have operational stakeholder involved as this may also pre-empt for downtime if needed
Some registry values are associated with the CA, while others are associated with the domain environment, the physical host computer, the Windows version, or even other role services. Consequently, some registry parameters should be migrated without changes from the source CA computer and others should not. Any value that is not listed in the .reg text file that is restored on the target CA retains its existing setting or default value.
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
0
 

Author Comment

by:dsimpson2
ID: 40513779
Thank you for your reply.
Will bringing the old server (CA) back into the the network after one year of being off cause any problems with the network?
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40514209
if you have not updated on the AD as stated in MS, it is probably still pointing to old CA and holding the same DNS name, there may be conflict. See excerpt
Removing the CA role service also removes the CA's configuration data from AD DS. Because the source CA and destination CA share the same common name, removing the CA role service from the source server after installing the CA role service on the destination server removes configuration data that is required by destination CA and interferes with its operation.
Although it is not recommended, some administrators may choose to leave the CA role service installed on the source server to enable the source CA to be brought online quickly in the case of migration failure. If you choose not to remove the CA role service from the source server before installing the CA role service on the destination server, it is important that you disable the Active Directory Certificate Services service (Certsvc) and shut down the source server before installing the CA role service on the destination server. Do not remove the CA role service from the source server after completing the migration to the destination server. Removing the CA role service from the source server after migrating to the destination server interferes with the operation of the destination CA.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We recently endured a series of broadcast storms that caused our ISP to shut us down for brief periods of time. After going through a multitude of tests, we determined that the issue was related to Intel NIC drivers on some new HP desktop computers …
Outsource Your Fax Infrastructure to the Cloud (And come out looking like an IT Hero!) Relative to the many demands on today’s IT teams, spending capital, time and resources to maintain physical fax servers and infrastructure is not a high priority.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question