• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 90
  • Last Modified:

Demote certificate authority and change IP address

Windows 2003 Domain Controller and enterprise certificate authority. I know not best practice. We would like to demote the domain controller and swap the IP address with a brand-new domain controller that we will build. The new DC will be a windows 2012R2.
The demoted domain controller will remain the sole certificate authority if this is possible (with a new IP).  

Is this possible?

Thank you
0
K B
Asked:
K B
  • 2
1 Solution
 
DrDave242Commented:
You can't demote a domain controller that has the Certificate Authority role installed, so if you want to keep that CA in your environment, you first have to migrate it to a different server. The steps for performing the migration are given here.

After the CA role has been migrated, you can demote the DC,
0
 
K BAuthor Commented:
Dr. Dave thank you very much for your reply.

Couple questions for you if I may.. Where did you learn this information?  I would love to be able to provide an article to my customer -- or did you just learn this while attempting to do the same thing?

We need to be able to retain the name of the domain controller in the unlikely event that it will need to be used (or promoted if we do demote it) again  -- the documentation was sparse so we have to play it safe.  

The CA migration procedures all say to reuse the original hostname.  

Ideas?

Thanks again.
0
 
DrDave242Commented:
I'm pretty sure I originally encountered this while assisting a customer of mine with the same sort of thing - he was getting an error while trying to demote a DC that was also a CA. I believe the error said simply that you can't demote a DC that also holds the CA role. Further research showed that the CA role has to be uninstalled before the DC can be demoted, so if the CA isn't being removed from the environment completely, it has to be either moved to a different machine (if the current server is being decommissioned) or backed up, removed, and then restored after the demotion has completed.

This article is rather all-encompassing; it lists pretty much every scenario involving manipulating a CA and gives the steps involved (or links to them).

The CA migration procedures all say to reuse the original hostname.

That's not quite the case, but close. The article linked above mentions this:

When migrating a CA, the computer name of the target computer can differ from the computer name of the source computer, but the CA name must stay the same.

The CA name has to remain the same in order for certificates that it's already issued to remain valid.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now