Removed AD Certificate services incorrectly

Dear Experts,

I'll make this long story as concise as possible:

I had Essentials Business Server 2008 until MS dropped it. MS produced a "make it right" migration kit which stripped out the EBS features, leaving the servers as separate products. So after deploying the migration kit I had a Windows 2008 DC, an Exchange 2007 server (also on 2008) and an SQL server. The Exchange server was also a DC as part of the default configuration of EBS.

The domain has been working fine in this configuration for almost 3 years. Now I have a new vSphere server and am migrating the old physical servers over to VM servers. I have 2 x new DCs, one of which has all of the FSMO roles. I have a new Exchange server; all services are migrated and around half of the mailboxes (so far).

According to the document that MS released with the migration kit, I needed to remove ADCS from the old DC prior to demoting it. So I followed the instructions telling me to backup the ADCS config etc and removed the role. Then I demoted the server to a member server and rebooted.

On starting up again, the print spooler failed but began working again on a stop/start. Then users complained that they could not scan from a network MFP to a share on that server. I checked the permissions on the share and I could see GUIDs of users but no names. Also, when I add a user to the ACL I cannot browse the domain; only the local server shows up. So I rebooted again and everything was working as expected (scanning resumed and I could add domain users to shares etc.), but after about 15 minutes it all went bad again.

Also, every 48 hours or so, users that still have their mailboxes on the old Exchange server lose access. At this point when I log on to the old Exchange server, I am denied access. The server prompts that the credentials are incorrect. I have to restart the Exchange server, which will be good for another 48 hours before falling over again.

I believe this is down to the abrupt removal of the ADCS. I have discovered that the correct procedure should have been to decommission it according to

So I'm in a world of trouble until I can fully complete the migration process for the remaining servers plus all of their 6TB of data.

Any recommendations?
Could I:
- Re-promote that server and restore ADCS then decommission it properly?
- Somehow broadcast that ADCS is no longer available?
- Install ADCS on one of the new DCs and get it going that way?

Many thanks
David Johnson, CD, MVP (Owner) commented:
It has nothing to do with Certificate Services but has to do with access to the domain controller(s). You will have to investigate this line of attack.

tech53 (Author) commented:
Really? Ok, thanks for that. I can ping the new DC from the old server ok, and the %logonserver% field points to the new DC also.

Now, I did see at one point that a message flashed up stating that the "trust relationship between the station and the domain had failed".  This was during the reboot of the server and I assumed it might be something to do with the demoting process. On the second reboot I didn't see that message.

How can I test if the trust relationship is really broken?
tech53 (Author) commented:
UPDATE: I've just discovered that AD services did not come away cleanly. In the server manager, AD services is still listed along with ADUC and AD Sites. I have just removed them and am pending a restart that I have to schedule.

DNS is also present and I will remove this also, although I did point DNS on the local NIC to the new DC.
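The two questions raised above, "how can I test if the trust relationship is really broken?" and "did the demotion actually come away cleanly?", can both be answered from the console without guessing. The script below is an added example and is not from the thread or from Microsoft documentation; it uses only built-in cmdlets and tools (`Test-ComputerSecureChannel`, `nltest`, the RSAT ActiveDirectory module). The domain name `corp.example`, the host name `OLDSERVER` and the DC name `NEWDC01` are placeholders, and the ActiveDirectory module section assumes it is run where that module is installed (Server 2008 R2 or later with RSAT), since plain Server 2008 does not ship it.

```powershell
# Added example (not from the thread). Run as a domain admin on the demoted server.
# Placeholders: replace the three values below with the real domain and host names.
$Domain    = 'corp.example'   # placeholder domain
$OldServer = 'OLDSERVER'      # placeholder: the demoted DC / old Exchange host
$NewDC     = 'NEWDC01'        # placeholder: a healthy new DC

# 1. Is the trust relationship really broken?
#    $true means the machine account's secure channel with a DC is valid.
$channelOk = Test-ComputerSecureChannel -Verbose
"Secure channel valid: $channelOk"
nltest /sc_query:$Domain          # which DC the channel is with, and its status

# If it reports a failure, reset the secure channel against a known-good DC
# (prompts for domain admin credentials; only do this once the DC is reachable):
# Test-ComputerSecureChannel -Repair -Credential (Get-Credential) -Server "$NewDC.$Domain"

# 2. Which DC is this box actually talking to? Both should name a NEW DC, never itself.
"LOGONSERVER: $env:LOGONSERVER"
nltest /dsgetdc:$Domain

# 3. DNS on every IP-enabled NIC should point at the new DCs, not at the old server.
#    WMI is used here because Get-DnsClientServerAddress does not exist on Server 2008.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DNSServerSearchOrder

# 4. Did AD forget that this host was a DC? (needs the ActiveDirectory module)
Import-Module ActiveDirectory
$cfg = (Get-ADRootDSE).configurationNamingContext

# An nTDSDSA ("NTDS Settings") object under Sites for the old server means the
# directory still treats it as a DC; this is the leftover a clean demotion removes.
Get-ADObject -Filter 'objectClass -eq "nTDSDSA"' -SearchBase "CN=Sites,$cfg" |
    Where-Object { $_.DistinguishedName -like "*CN=$OldServer,*" }

# A DC's computer account carries SERVER_TRUST_ACCOUNT (0x2000) in userAccountControl;
# after demotion it should carry WORKSTATION_TRUST_ACCOUNT (0x1000) instead.
$uac = (Get-ADComputer -Identity $OldServer -Properties userAccountControl).userAccountControl
"Still flagged as a DC in AD: " + [bool]($uac -band 0x2000)

# Stale SRV records can keep sending clients (and Exchange) to the dead DC.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"
```

Reading the results: if step 1 fails only intermittently while step 2 or the SRV lookup still lists the old server, clients are being handed a DC that no longer exists, which matches the "works after a reboot, breaks 15 minutes later" pattern in the question. If step 4 still finds an NTDS Settings object or the 0x2000 flag, the demotion did not complete and the leftover metadata has to be removed with `ntdsutil` metadata cleanup (or by deleting the server object in AD Sites and Services) before the host will behave as an ordinary member server.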
tech53 (Author) commented:
Thanks David. It was nothing to do with ADCS, as you suggested. It was an unclean demotion of the DC that caused the issue.