Solved

Demote certificate authority and change IP address

Posted on 2016-07-22
3
42 Views
Last Modified: 2016-07-25
Windows 2003 Domain Controller and enterprise certificate authority. I know not best practice. We would like to demote the domain controller and swap the IP address with a brand-new domain controller that we will build. The new DC will be a windows 2012R2.
The demoted domain controller will remain the sole certificate authority if this is possible (with a new IP).  

Is this possible?

Thank you
0
Comment
Question by:K B
  • 2
3 Comments
 
LVL 26

Expert Comment

by:DrDave242
ID: 41725426
You can't demote a domain controller that has the Certificate Authority role installed, so if you want to keep that CA in your environment, you first have to migrate it to a different server. The steps for performing the migration are given here.

After the CA role has been migrated, you can demote the DC,
0
 
LVL 7

Author Comment

by:K B
ID: 41725548
Dr. Dave thank you very much for your reply.

Couple questions for you if I may.. Where did you learn this information?  I would love to be able to provide an article to my customer -- or did you just learn this while attempting to do the same thing?

We need to be able to retain the name of the domain controller in the unlikely event that it will need to be used (or promoted if we do demote it) again  -- the documentation was sparse so we have to play it safe.  

The CA migration procedures all say to reuse the original hostname.  

Ideas?

Thanks again.
0
 
LVL 26

Accepted Solution

by:
DrDave242 earned 500 total points
ID: 41727871
I'm pretty sure I originally encountered this while assisting a customer of mine with the same sort of thing - he was getting an error while trying to demote a DC that was also a CA. I believe the error said simply that you can't demote a DC that also holds the CA role. Further research showed that the CA role has to be uninstalled before the DC can be demoted, so if the CA isn't being removed from the environment completely, it has to be either moved to a different machine (if the current server is being decommissioned) or backed up, removed, and then restored after the demotion has completed.

This article is rather all-encompassing; it lists pretty much every scenario involving manipulating a CA and gives the steps involved (or links to them).

The CA migration procedures all say to reuse the original hostname.

That's not quite the case, but close. The article linked above mentions this:

When migrating a CA, the computer name of the target computer can differ from the computer name of the source computer, but the CA name must stay the same.

The CA name has to remain the same in order for certificates that it's already issued to remain valid.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question