Solved

Demote certificate authority and change IP address

Posted on 2016-07-22
3
55 Views
Last Modified: 2016-07-25
Windows 2003 Domain Controller and enterprise certificate authority. I know not best practice. We would like to demote the domain controller and swap the IP address with a brand-new domain controller that we will build. The new DC will be a windows 2012R2.
The demoted domain controller will remain the sole certificate authority if this is possible (with a new IP).  

Is this possible?

Thank you
0
Comment
Question by:K B
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 26

Expert Comment

by:DrDave242
ID: 41725426
You can't demote a domain controller that has the Certificate Authority role installed, so if you want to keep that CA in your environment, you first have to migrate it to a different server. The steps for performing the migration are given here.

After the CA role has been migrated, you can demote the DC,
0
 
LVL 8

Author Comment

by:K B
ID: 41725548
Dr. Dave thank you very much for your reply.

Couple questions for you if I may.. Where did you learn this information?  I would love to be able to provide an article to my customer -- or did you just learn this while attempting to do the same thing?

We need to be able to retain the name of the domain controller in the unlikely event that it will need to be used (or promoted if we do demote it) again  -- the documentation was sparse so we have to play it safe.  

The CA migration procedures all say to reuse the original hostname.  

Ideas?

Thanks again.
0
 
LVL 26

Accepted Solution

by:
DrDave242 earned 500 total points
ID: 41727871
I'm pretty sure I originally encountered this while assisting a customer of mine with the same sort of thing - he was getting an error while trying to demote a DC that was also a CA. I believe the error said simply that you can't demote a DC that also holds the CA role. Further research showed that the CA role has to be uninstalled before the DC can be demoted, so if the CA isn't being removed from the environment completely, it has to be either moved to a different machine (if the current server is being decommissioned) or backed up, removed, and then restored after the demotion has completed.

This article is rather all-encompassing; it lists pretty much every scenario involving manipulating a CA and gives the steps involved (or links to them).

The CA migration procedures all say to reuse the original hostname.

That's not quite the case, but close. The article linked above mentions this:

When migrating a CA, the computer name of the target computer can differ from the computer name of the source computer, but the CA name must stay the same.

The CA name has to remain the same in order for certificates that it's already issued to remain valid.
0

Featured Post

Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question