Solved

Separate Certificate Services from Domain Controller on Windows Server 2012 R2

Posted on 2015-02-17
5
283 Views
Last Modified: 2015-02-20
I have a domain controller that I had setup and added certificate services. Now, I would like to demote my current certificate services server from a domain controller, but the demote process errors out because it has certificate services. I assume this is because I set up an Enterprise CA and an Enterprise CA needs to be on a domain controller. Is this correct?
0
Comment
Question by:byt3
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40616009
This is not correct

Enterprise CA can be installed on member server, domain controller is not required.
Also you can't uninstall \ demote DC server until you remove CA role

To do what you are trying to: There are TWO options:
1st: backup CA database and export below registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc
Uninstall CA server role from server
Demote domain controller to member server followed by reboot
Again reinstall CA server role on same server and restore database and CA registry

2nd option:
backup CA database and export below registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc
Uninstall CA server role from server
Rename Domain controller to some else name
Prepare new member server with same name as old DC\CA server name
Install AD certificate services on that new member server and restore CA backup and registry

Check below articles for step by step
https://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
http://www.rebeladmin.com/2014/11/step-by-step-guide-to-migrate-active-directory-certificate-service-from-windows-server-2003-to-windows-server-2012-r2/
0
 
LVL 2

Author Comment

by:byt3
ID: 40617200
Thank you for the clarification and the how-to. The how-to suggests creating new templates for certificates to re-issue, does that mean currently issued certificates and created templates won't be migrated to the new server?
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40618737
Already issued certificates cannot be migrated to new server, they are just part of certificate database as issued certs on source server and carry forwarded to new server when you restore database with same hostname and actual certificates with private key remains with users \ computers who requested it.
In fact no need to migrate them.

In case of templates, they also cannot be migrated as by default they are stored in AD and any custom templates you need to manually create again on target server
0
 
LVL 2

Author Comment

by:byt3
ID: 40619487
Here's another question: Am I correct in assuming that I can't demote the server, because the templates are stored in AD? And by putting the CA on a member server the templates will no longer be stored in AD?
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40619505
No this is not correct

No matter whenever you put AD integrated CA on member server \ domain controller, certificate templates are always stored in active directory for use of anybody

U can't demote DC while CA is installed because this is restriction imposed by Microsoft, because while CA is installed removing DC role will break CA completely, hence they have put this restrictions
0

Featured Post

Enroll in May's Course of the Month

May’s Course of the Month is now available! Experts Exchange’s Premium Members and Team Accounts have access to a complimentary course each month as part of their membership—an extra way to increase training and boost professional development.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question