Solved

Demote certificate authority and change IP address

Posted on 2016-07-22
3
18 Views
Last Modified: 2016-07-25
Windows 2003 Domain Controller and enterprise certificate authority. I know not best practice. We would like to demote the domain controller and swap the IP address with a brand-new domain controller that we will build. The new DC will be a windows 2012R2.
The demoted domain controller will remain the sole certificate authority if this is possible (with a new IP).  

Is this possible?

Thank you
0
Comment
Question by:K B
  • 2
3 Comments
 
LVL 25

Expert Comment

by:DrDave242
Comment Utility
You can't demote a domain controller that has the Certificate Authority role installed, so if you want to keep that CA in your environment, you first have to migrate it to a different server. The steps for performing the migration are given here.

After the CA role has been migrated, you can demote the DC,
0
 
LVL 5

Author Comment

by:K B
Comment Utility
Dr. Dave thank you very much for your reply.

Couple questions for you if I may.. Where did you learn this information?  I would love to be able to provide an article to my customer -- or did you just learn this while attempting to do the same thing?

We need to be able to retain the name of the domain controller in the unlikely event that it will need to be used (or promoted if we do demote it) again  -- the documentation was sparse so we have to play it safe.  

The CA migration procedures all say to reuse the original hostname.  

Ideas?

Thanks again.
0
 
LVL 25

Accepted Solution

by:
DrDave242 earned 500 total points
Comment Utility
I'm pretty sure I originally encountered this while assisting a customer of mine with the same sort of thing - he was getting an error while trying to demote a DC that was also a CA. I believe the error said simply that you can't demote a DC that also holds the CA role. Further research showed that the CA role has to be uninstalled before the DC can be demoted, so if the CA isn't being removed from the environment completely, it has to be either moved to a different machine (if the current server is being decommissioned) or backed up, removed, and then restored after the demotion has completed.

This article is rather all-encompassing; it lists pretty much every scenario involving manipulating a CA and gives the steps involved (or links to them).

The CA migration procedures all say to reuse the original hostname.

That's not quite the case, but close. The article linked above mentions this:

When migrating a CA, the computer name of the target computer can differ from the computer name of the source computer, but the CA name must stay the same.

The CA name has to remain the same in order for certificates that it's already issued to remain valid.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

By default, Carbonite Server Backup manages your encryption key for you using Advanced Encryption Standard (AES) 128-bit encryption. If you choose to manage your private encryption key, your backups will be encrypted using AES 256-bit encryption.
Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now