Solved

Did not demote old DC and now certutil returns it as authority

Posted on 2014-12-19
3
179 Views
Last Modified: 2014-12-23
Last year I installed a new DC on our network. The plan was to replace an older Server 2003 box and retire it. I transferred the FSMO roles to the new server and everything seemed to be working fine. I later took the old 2003 server out (it is still sitting here) and forgot to demote it. I have been getting some login problems as of late but everything else seems to be OK. I ran certutil and found that the network still has the old 2003 server as its authority for the domain.
The old server has been off for over a year and I am hesitant to turn it back on to demote it. I'm thinking it would try to sync very old stuff with the newer DC server. How do I get my newer DC to be the cert authority?
0
Question by:dsimpson2
3 Comments
 
LVL 64

Expert Comment

by:btan
ID: 40510375
The proper means are as stated by MS - the focus is to update the AD information accurately so that the old CA is no longer in existence; hence the steps involving the "decom" are critical, to also get all client machines knowing the new AIA and CDP.
http://support.microsoft.com/kb/889250

Another MS link that is useful and sums up key notes for the shift-over that you should be aware of. Here is one of the many; do consider reading it and see if any steps were not taken. My advice: assess and have operational stakeholders involved, as this may also pre-empt downtime if needed.
Some registry values are associated with the CA, while others are associated with the domain environment, the physical host computer, the Windows version, or even other role services. Consequently, some registry parameters should be migrated without changes from the source CA computer and others should not. Any value that is not listed in the .reg text file that is restored on the target CA retains its existing setting or default value.
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
0
 

Author Comment

by:dsimpson2
ID: 40513779
Thank you for your reply.
Will bringing the old server (CA) back into the network after one year of being off cause any problems with the network?
0
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 40514209
If you have not updated the AD as stated by MS, it is probably still pointing to the old CA and holding the same DNS name, so there may be a conflict. See excerpt:
Removing the CA role service also removes the CA's configuration data from AD DS. Because the source CA and destination CA share the same common name, removing the CA role service from the source server after installing the CA role service on the destination server removes configuration data that is required by destination CA and interferes with its operation.
Although it is not recommended, some administrators may choose to leave the CA role service installed on the source server to enable the source CA to be brought online quickly in the case of migration failure. If you choose not to remove the CA role service from the source server before installing the CA role service on the destination server, it is important that you disable the Active Directory Certificate Services service (Certsvc) and shut down the source server before installing the CA role service on the destination server. Do not remove the CA role service from the source server after completing the migration to the destination server. Removing the CA role service from the source server after migrating to the destination server interferes with the operation of the destination CA.
0
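The check implied by the accepted solution (whether Active Directory still advertises the old CA under Enrollment Services, Certification Authorities, AIA, CDP and NTAuthCertificates, which is what certutil reads when it reports an "authority") can be done read-only before touching either server. The script below is an added example, not code from this thread or from Microsoft; it assumes the RSAT ActiveDirectory PowerShell module is installed and that the account has read access to the Configuration partition. It lists what is published and deletes nothing.

```powershell
# Added example (not from the thread): enumerate the CA objects that AD still
# publishes, so a decommissioned CA that is still advertised to clients shows up.
# Assumes: RSAT ActiveDirectory module present, read access to the Configuration NC.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Containers that the decommissioning KB has you clean up; [ordered] keeps output stable.
$containers = [ordered]@{
    'Enrollment Services (CAs clients may enroll against)'   = "CN=Enrollment Services,$pkiBase"
    'Certification Authorities (roots published to the domain)' = "CN=Certification Authorities,$pkiBase"
    'AIA (authority information access publication points)'   = "CN=AIA,$pkiBase"
    'CDP (CRL distribution points, one sub-container per CA host)' = "CN=CDP,$pkiBase"
}

foreach ($label in $containers.Keys) {
    $base = $containers[$label]
    Write-Host "== $label"
    Get-ADObject -SearchBase $base -SearchScope Subtree -Filter * -Properties dNSHostName |
        Where-Object { $_.DistinguishedName -ne $base } |
        ForEach-Object {
            # pKIEnrollmentService objects carry the CA host name; other classes do not.
            $hostName = if ($_.dNSHostName) { $_.dNSHostName } else { '-' }
            Write-Host ("  {0,-40} class={1,-24} host={2}" -f $_.Name, $_.ObjectClass, $hostName)
        }
}

# NTAuthCertificates holds the CAs trusted to issue logon (smart card / PKINIT) certificates.
# A stale entry here is the one most likely to surface as login problems.
$ntauth = Get-ADObject -Identity "CN=NTAuthCertificates,$pkiBase" -Properties cACertificate
Write-Host "== NTAuthCertificates entries: $($ntauth.cACertificate.Count)"
foreach ($raw in $ntauth.cACertificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
    $state = if ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
    Write-Host ("  {0}  thumbprint={1}  expires {2:yyyy-MM-dd} ({3})" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $state)
}
```

Run it on a domain-joined machine as a user with read access to the Configuration partition. Any entry whose host name is the retired Server 2003 box is exactly what the KB 889250 steps in the earlier comment are meant to remove; until those objects are gone, clients keep resolving the old server as an enrollment target and CRL source, which is why certutil still reports it as the authority. The same Enrollment Services data is what `certutil -dump` (with no file argument) prints as its config entries, so that command is a quick cross-check from a client.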