Did not demote old DC and now certutil returns it as authority

Posted on 2014-12-19
201 Views
Last Modified: 2014-12-23
Last year I installed a new DC on our network. The plan was to replace an older Server 2003 box and retire it. I transferred the FSMO roles to the new server and everything seemed to be working fine. I later took the old 2003 server out (it is still sitting here) and forgot to demote it. I have been getting some login problems as of late but everything else seems to be OK. I ran certutil and found that the network still has the old 2003 server as its authority for the domain.
The old server has been off for over a year and I am hesitant to turn it back on to demote it. I'm thinking it would try to sync very old stuff with the newer DC server. How do I get my newer DC to be the cert authority?
Question by:dsimpson2
3 Comments
LVL 65

Expert Comment

by:btan
ID: 40510375
The proper means are as stated by MS. The focus is to update the AD information so that it is accurate that the old CA no longer exists; hence the steps involving the "decom" are critical to also get all client machines knowing the new AIA and CDP.
http://support.microsoft.com/kb/889250

Another MS link that is useful and sums up key notes for the shift over that you should be aware of. Here is one of the many; do consider reading it and see if any steps were not taken. My advice: assess and have the operational stakeholder involved, as this may also pre-empt downtime if needed.
Some registry values are associated with the CA, while others are associated with the domain environment, the physical host computer, the Windows version, or even other role services. Consequently, some registry parameters should be migrated without changes from the source CA computer and others should not. Any value that is not listed in the .reg text file that is restored on the target CA retains its existing setting or default value.
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx

Author Comment

by:dsimpson2
ID: 40513779
Thank you for your reply.
Will bringing the old server (CA) back into the network after one year of being off cause any problems with the network?
LVL 65

Accepted Solution

by: btan earned 2000 total points
ID: 40514209
If you have not updated the AD as stated by MS, it is probably still pointing to the old CA and holding the same DNS name, so there may be a conflict. See the excerpt:
Removing the CA role service also removes the CA's configuration data from AD DS. Because the source CA and destination CA share the same common name, removing the CA role service from the source server after installing the CA role service on the destination server removes configuration data that is required by destination CA and interferes with its operation.
Although it is not recommended, some administrators may choose to leave the CA role service installed on the source server to enable the source CA to be brought online quickly in the case of migration failure. If you choose not to remove the CA role service from the source server before installing the CA role service on the destination server, it is important that you disable the Active Directory Certificate Services service (Certsvc) and shut down the source server before installing the CA role service on the destination server. Do not remove the CA role service from the source server after completing the migration to the destination server. Removing the CA role service from the source server after migrating to the destination server interferes with the operation of the destination CA.
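Before running the KB 889250 cleanup it helps to see exactly which AD CS objects AD DS still publishes for the old CA, and which server each one points at. The script below is an added example written for this thread, not code from the posters or from Microsoft. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and the account can read the configuration partition; the container names under Public Key Services and the object classes it filters on are the standard AD CS ones. It only reports, it does not delete anything.

```powershell
# Added example (not from the thread): inventory the per-CA objects AD DS publishes
# under CN=Public Key Services, so a CA that was powered off but never
# decommissioned can be identified before the KB 889250 cleanup is done.
# Assumes: ActiveDirectory module (RSAT) and read access to the configuration NC.
Import-Module ActiveDirectory

$cfg = (Get-ADRootDSE).configurationNamingContext
$pki = "CN=Public Key Services,CN=Services,$cfg"

# Container -> object class of the per-CA entries it holds.
$containers = [ordered]@{
    'Enrollment Services'       = 'pKIEnrollmentService'   # the list certutil and autoenrollment read
    'Certification Authorities' = 'certificationAuthority' # trusted root CA certificates
    'AIA'                       = 'certificationAuthority' # issuer (AIA) certificate locations
}

$report = @(foreach ($name in $containers.Keys) {
    $base  = "CN=$name,$pki"
    $class = $containers[$name]
    Get-ADObject -SearchBase $base -SearchScope OneLevel `
                 -LDAPFilter "(objectClass=$class)" -Properties dNSHostName |
        ForEach-Object {
            # dNSHostName is only set on pKIEnrollmentService objects. It shows which
            # server a CA common name currently resolves to, which is the thing to
            # check when source and destination CA share the same common name.
            $server = $_.dNSHostName
            $alive  = $null
            if ($server) { $alive = Test-Connection -ComputerName $server -Count 1 -Quiet }
            [pscustomobject]@{
                Container = $name
                CA        = $_.Name
                Server    = $server
                Reachable = $alive
                DN        = $_.DistinguishedName
            }
        }
})

# CDP entries sit one level deeper: CN=<CA name>,CN=<server>,CN=CDP,...
# The server RDN is the short host name, so name resolution relies on the DNS suffix list.
$report += @(Get-ADObject -SearchBase "CN=CDP,$pki" -SearchScope Subtree `
                          -LDAPFilter '(objectClass=cRLDistributionPoint)' |
    ForEach-Object {
        $server = (($_.DistinguishedName -split ',')[1]) -replace '^CN=', ''
        [pscustomobject]@{
            Container = 'CDP'
            CA        = $_.Name
            Server    = $server
            Reachable = Test-Connection -ComputerName $server -Count 1 -Quiet
            DN        = $_.DistinguishedName
        }
    })

# Full inventory, then the entries whose server no longer answers: these are the
# objects the KB 889250 procedure removes once the old CA is confirmed retired.
$report | Sort-Object Container, CA | Format-Table Container, CA, Server, Reachable -AutoSize
$report | Where-Object { $_.Reachable -eq $false } | Format-List Container, CA, Server, DN
```

Run it from a domain-joined admin workstation. An Enrollment Services entry whose Server is the switched-off 2003 host is what makes certutil still report that machine as the domain's CA; if the new CA was installed with the same common name, the CA column will show a single name and only the Server and DN columns tell the two apart, which is why the excerpt above warns against removing the role from the old server after the migration.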