Did not demote old DC and now certutil returns it as authority

Last year I installed a new Dc on our network. The plan was to replace an older Server 2003 box and retire it. I transfered the FSMO roles to the new server and everything seemed to be working fine. I later took the old 2003 server out (it is still sitting here) and forgot to demote it. I have been getting some login problems as of late but everything else seem to be OK. I ran the cerutil and found that the network still has the old 2003 server as its authority for the domain.
The old server has been off for over a year and I am hesitant to turn it back on to demote it. I'm thinking it would try to sync very old stuff with the newer DC server. How do I get my newer DC to be the cert authority?
Who is Participating?
btanConnect With a Mentor Exec ConsultantCommented:
if you have not updated on the AD as stated in MS, it is probably still pointing to old CA and holding the same DNS name, there may be conflict. See excerpt
Removing the CA role service also removes the CA's configuration data from AD DS. Because the source CA and destination CA share the same common name, removing the CA role service from the source server after installing the CA role service on the destination server removes configuration data that is required by destination CA and interferes with its operation.
Although it is not recommended, some administrators may choose to leave the CA role service installed on the source server to enable the source CA to be brought online quickly in the case of migration failure. If you choose not to remove the CA role service from the source server before installing the CA role service on the destination server, it is important that you disable the Active Directory Certificate Services service (Certsvc) and shut down the source server before installing the CA role service on the destination server. Do not remove the CA role service from the source server after completing the migration to the destination server. Removing the CA role service from the source server after migrating to the destination server interferes with the operation of the destination CA.
btanExec ConsultantCommented:
the proper means are as stated in MS - the focus is to update the AD information accurate that the old CA is not of existence hence the steps involving the "decom" is critical to also also get all client machine knowing the new AIA and CDP

another MS link that is useful and summed up key notes for the shift over that you should be aware. Here is one f the many, do consider reading and see if any steps not taken and my advice, assess and have operational stakeholder involved as this may also pre-empt for downtime if needed
Some registry values are associated with the CA, while others are associated with the domain environment, the physical host computer, the Windows version, or even other role services. Consequently, some registry parameters should be migrated without changes from the source CA computer and others should not. Any value that is not listed in the .reg text file that is restored on the target CA retains its existing setting or default value.
dsimpson2Author Commented:
Thank you for your reply.
Will bringing the old server (CA) back into the the network after one year of being off cause any problems with the network?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.