Demote certificate authority and change IP address

Windows 2003 Domain Controller and enterprise certificate authority. I know not best practice. We would like to demote the domain controller and swap the IP address with a brand-new domain controller that we will build. The new DC will be a windows 2012R2.
The demoted domain controller will remain the sole certificate authority if this is possible (with a new IP).  

Is this possible?

Thank you
LVL 8
K BAsked:
Who is Participating?
 
DrDave242Connect With a Mentor Commented:
I'm pretty sure I originally encountered this while assisting a customer of mine with the same sort of thing - he was getting an error while trying to demote a DC that was also a CA. I believe the error said simply that you can't demote a DC that also holds the CA role. Further research showed that the CA role has to be uninstalled before the DC can be demoted, so if the CA isn't being removed from the environment completely, it has to be either moved to a different machine (if the current server is being decommissioned) or backed up, removed, and then restored after the demotion has completed.

This article is rather all-encompassing; it lists pretty much every scenario involving manipulating a CA and gives the steps involved (or links to them).

The CA migration procedures all say to reuse the original hostname.

That's not quite the case, but close. The article linked above mentions this:

When migrating a CA, the computer name of the target computer can differ from the computer name of the source computer, but the CA name must stay the same.

The CA name has to remain the same in order for certificates that it's already issued to remain valid.
0
 
DrDave242Commented:
You can't demote a domain controller that has the Certificate Authority role installed, so if you want to keep that CA in your environment, you first have to migrate it to a different server. The steps for performing the migration are given here.

After the CA role has been migrated, you can demote the DC,
0
 
K BAuthor Commented:
Dr. Dave thank you very much for your reply.

Couple questions for you if I may.. Where did you learn this information?  I would love to be able to provide an article to my customer -- or did you just learn this while attempting to do the same thing?

We need to be able to retain the name of the domain controller in the unlikely event that it will need to be used (or promoted if we do demote it) again  -- the documentation was sparse so we have to play it safe.  

The CA migration procedures all say to reuse the original hostname.  

Ideas?

Thanks again.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.