before you can install or remove active directory you must remove certificate services

Hello all,

I am trying to put a silver bullet in a seemingly "dependency resilient multi headed hydra" of a server that I inherited.  It is a 2003 Domain Controller, and although I am wearing it down and weakening its importance by transferring its various roles to another 2012 Domain Controller I have set up, this one last (hopefully) issue remains.

I have transferred the DHCP database and role, DNS, authoritative time server sync, Active Directory FSMO roles and re-targeted all static addressed Servers/Hosts to the new 2012 DC.  Additionally I have left the 2003 Server off for a full 24 hours to flush or suss out any remaining gotchas that may be hiding, and aside from finding a few computers that should not have static IP addresses, nothing has become apparent in that time.

So, I log into the 2003 DC and type in dcpromo, loading the silver bullet into the chamber, and hit Enter. I am presented with the following hard warning: "before you can install or remove active directory you must remove certificate services".  My questions are as follows...

1.  I would like to solve this issue with an as optimal Venn Diagram overlap of "least time spent on it" and "maintaining the functionality of Active Directory" as possible.

2.  Can I simply uninstall this CA service and not bother transferring it to the new DC?  This is preferable if possible and if it is unnecessary.  Does AD require this for basic FSMO & DNS functionality or general "business as usual" day to day internal network functionality?  Note that this was off for 24 hours and nothing appeared to break.  We do not have any internal servers that require certificates, like MS Exchange or SharePoint.

3.  If I cannot simply kill this service (and I am really hoping I can), what is the best way to transfer it somewhere else, that is not leaving it where it is (as I need to get rid of 2003), or moving it to the new DC, which apparently requires me to rename it to the name of the old DC, which is simply not going to happen because of the problems that would cause.

I read somewhere that if Active Directory is using SSL for basic functionality, removing this CA service will break things. How do I check if SSL is being used?

When I look at the list of currently issued certificates, 2/3 of them are expired (all EFS and two webserver ones - we don't have a webserver). The remaining ones are of the following certificate templates: Basic EFS (EFS), which allows data on disk to be encrypted; these are assigned to certain users, who I am guessing have elected to encrypt some of their stuff.  Then there is a certificate template for Domain Controller, which is assigned to our domain controllers.

It's really too bad Microsoft doesn't have a tool that can migrate this type of thing (at least that I have found yet).

Thanks
CnicNV Asked:

Will Szymkowski, Senior Solution Architect, Commented:
Additionally I have left the 2003 Server off for a full 24 hours to flush or sus out any remaining gotcha's that may be hiding

This is not the best practice when doing this. Even if your clients are not pointing to this DC for DNS there are still references of the DC in the SRV records in DNS.

Can I simply uninstall this CA service and not bother transferring it to the new DC?
The first question I would have is, are you even using the Internal CA for anything? If you are then I would recommend transferring it to another MEMBER server not a DC. If you are not using the internal CA for anything then you can simply remove the role and decommission the 2003 DC.

If I can not simply kill this service (and I am really hoping I can), what is the best way to transfer it somewhere else, that is not leaving it where it is (as I need to get rid of 2003), or moving it to the new DC, which apparently requires me to rename it to the name of the old DC, which is simply not going to happen because of the problems that would cause.

As stated in my first comment you need to see if you still require this server Role. A DC is not dependent on having a CA role installed. This means you can move it to another MEMBER server if you still require this role.

Will
CnicNV (Author) Commented:
That's just it though, I am not sure if this CA server is being used for anything. In my first post, you see the type of issued certificates that it has issued thus far.  It seems like the domain controllers are being issued certificates for some reason, as well as a few users for file level encryption.  Also, how does one check to see if the Active Directory environment is using SSL for its basic functionality?

Thanks again
Will Szymkowski, Senior Solution Architect, Commented:
I am not going to make that call if you are not 100% sure if you are using this or not. Personally, there is a complete migration guide to move this to another server. If I were you and had any doubt I would just move the role to another server. Then demote the DC.

Use the link below to move the ADCS role.
https://technet.microsoft.com/en-us/library/ee126170%28v=ws.10%29.aspx

Will.
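The asker's open question is how to tell whether the internal CA (and LDAP over SSL) is actually relied upon before the role is removed. The following PowerShell is an added example written for this thread, not something posted by either participant: run from the 2012 DC with RSAT's ActiveDirectory module, it inventories the forest's advertised enrollment services, lists the CA's unexpired issued certificates by template, attempts a real LDAPS bind against every DC, and looks for users still holding published certificates. The CA config string `OLDDC2003\Contoso-CA` is a placeholder; `certutil -dump` shows the real one.

```powershell
# Added example for this thread (not from the original posts).
# Goal: decide whether the AD CS role on the old 2003 DC is still in use before removing it.
# Assumptions: run on the 2012 DC as a domain admin with the ActiveDirectory module;
# the CA config string below is a placeholder - replace it with the output of 'certutil -dump'.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$CAConfig = 'OLDDC2003\Contoso-CA'   # placeholder: <CA host>\<CA common name>

# 1. Which CAs does the forest still advertise for enrollment? These live in the
#    Configuration partition and would keep pointing at the old DC after it is gone.
$cfg = (Get-ADRootDSE).configurationNamingContext
Write-Host "== Enrollment Services published in AD =="
Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg" `
    -Filter { objectClass -eq 'pKIEnrollmentService' } -Properties dNSHostName |
    Select-Object Name, dNSHostName | Format-Table -AutoSize

# 2. Unexpired certificates the CA has issued, grouped by template.
#    Disposition 20 = issued. The date in the restriction follows the machine's locale.
$today = (Get-Date).ToString('MM/dd/yyyy')
Write-Host "== Issued, unexpired certificates on $CAConfig =="
certutil -config $CAConfig -view -restrict "Disposition=20,NotAfter>$today" `
    -out "RequestID,RequesterName,CertificateTemplate,NotAfter"

# 3. Does each DC accept an LDAPS bind? Port 636 may be open even without a usable
#    certificate, so a TCP probe is not enough - do the TLS handshake and bind.
function Test-LdapsBind {
    param([string]$Server)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try   { $conn.Bind(); return $true }
    catch { return $false }
    finally { $conn.Dispose() }
}
Write-Host "== LDAPS availability per DC =="
Get-ADDomainController -Filter * | ForEach-Object {
    [pscustomobject]@{ DC = $_.HostName; LdapsBindOK = (Test-LdapsBind -Server $_.HostName) }
} | Format-Table -AutoSize

# 4. Which Server Authentication certificates does this DC hold, and who issued them?
#    A 'Domain Controller' template cert from the internal CA is what enables LDAPS here.
Write-Host "== Server Authentication certs in the local machine store =="
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Select-Object Subject, Issuer, NotAfter | Format-Table -AutoSize

# 5. Users who still have certificates published to AD (EFS autoenrollment writes here).
#    If they also appear in step 2 as Basic EFS, their encrypted files depend on those keys.
Write-Host "== Users with published certificates =="
Get-ADUser -Filter * -Properties userCertificate |
    Where-Object { $_.userCertificate.Count -gt 0 } |
    Select-Object SamAccountName, @{ n = 'CertCount'; e = { $_.userCertificate.Count } } |
    Format-Table -AutoSize
```

Reading the output: if step 3 reports a successful LDAPS bind on the DCs, something may be talking to AD over 636 and the Domain Controller certificates matter; step 4 shows whether those certificates chain to the internal CA, and their NotAfter dates tell you when LDAPS would silently stop working once the CA is gone. Step 5 matters for the Basic EFS certificates: removing the CA does not decrypt or destroy files, but users can no longer renew, so those keys should be exported or the data decrypted before decommissioning.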
CnicNV (Author) Commented:
Ok thanks. I will try to figure out the best way to do this based on the current setup and evaluate the information in the link you have provided.