I am trying to put a silver bullet in a seemingly "dependency resilient multi-headed hydra" of a server that I inherited. It is a 2003 Domain Controller, and although I am wearing it down and weakening its importance by transferring its various roles to another 2012 Domain Controller I have set up, this one last (hopefully) issue remains.
I have transferred the DHCP database and role, DNS, authoritative time server sync, and Active Directory FSMO roles, and re-targeted all statically addressed servers/hosts to the new 2012 DC. Additionally, I have left the 2003 server off for a full 24 hours to flush or suss out any remaining gotchas that may be hiding, and aside from finding a few computers that should not have static IP addresses, nothing has become apparent in that time.
So, I log into the 2003 DC and type in dcpromo, loading the silver bullet into the chamber, and hit enter. I am presented with the following hard warning: "before you can install or remove active directory you must remove certificate services". My questions are as follows:
1. I would like to solve this issue with as optimal a Venn diagram overlap of "least time spent on it" and "maintaining the functionality of Active Directory" as possible.
2. Can I simply uninstall this CA service and not bother transferring it to the new DC? This is preferable if possible and if it is unnecessary. Does AD require this for basic FSMO & DNS functionality or general "business as usual" day-to-day internal network functionality? Note that this was off for 24 hours and nothing appeared to break. We do not have any internal servers that require certificates, like MS Exchange or SharePoint.
3. If I cannot simply kill this service (and I am really hoping I can), what is the best way to transfer it somewhere else? That is, not leaving it where it is (as I need to get rid of 2003), and not moving it to the new DC, which apparently requires me to rename it to the name of the old DC, which is simply not going to happen because of the problems that would cause.
I read somewhere that if Active Directory is using SSL for basic functionality, removing this CA service will break things; how do I check if SSL is being used?
When I look at the list of currently issued certificates, 2/3 of them are expired (all EFS and two web server ones; we don't have a web server). The remaining ones are of the following certificate templates: Basic EFS (EFS), which allows data on disk to be encrypted; these are assigned to certain users, who I am guessing have elected to encrypt some of their stuff. Then there is a certificate template for Domain Controller, which is assigned to our domain controllers.
It's really too bad Microsoft doesn't have a tool that can migrate this type of thing (at least that I have found yet).
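One way to answer the "is SSL (LDAPS) actually being used?" question above, as an added example that is not part of the original post: it probes every DC for an LDAP-over-SSL bind on TCP 636 and lists the certificates in the local machine store by template name and expiry. It assumes a domain-joined machine with the RSAT ActiveDirectory module and PowerShell 4 or later (so not the 2003 box itself); the second part only inspects the machine it runs on, so run it on each DC whose certificate you care about.

```powershell
# Added example, not from the original post. Assumes a domain-joined machine with the
# RSAT ActiveDirectory module and PowerShell 4+ (Test-NetConnection).
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. Does each DC answer LDAP over SSL (TCP 636)? If a DC has no usable
#    Domain Controller certificate, Schannel has nothing to present and the bind fails.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $tcp = Test-NetConnection -ComputerName $dc -Port 636 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Output "$dc : TCP 636 not open, LDAPS is not being served by this DC"
        continue
    }
    try {
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, 636)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Bind()
        Write-Output "$dc : LDAPS bind succeeded (a DC certificate is in use)"
        $conn.Dispose()
    } catch {
        Write-Output "$dc : LDAPS bind failed - $($_.Exception.Message)"
    }
}

# 2. Which certificates in this machine's store came from a v1 template (the
#    Domain Controller template is one) and when do they expire? OID
#    1.3.6.1.4.1.311.20.2 is the "Certificate Template Name" extension of v1 templates.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
    [pscustomobject]@{
        Subject  = $_.Subject
        Template = if ($ext) { $ext.Format($false) } else { '(none)' }
        NotAfter = $_.NotAfter
        Issuer   = $_.Issuer
    }
} | Format-Table -AutoSize
```

A DC that still binds on 636 with a certificate issued by the 2003 CA will keep working until that certificate expires, so the NotAfter column tells you how long you have after the CA is gone.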