2012R2 server AD Certificate Services

Hi Experts,

We have a 2012R2 DC which has AD Certificate Services installed on it. The certificates that have been issued seem only to be to Domain Controllers. We are trying to decom this server and wanted to see if uninstalling Certificate Services on that server would break anything?

Thanks
abhijitm00Asked:
Who is Participating?
 
Rich WeisslerProfessional Troublemaker^h^h^h^h^hshooterCommented:
Do you have a new Certificate Server that you have already stood up to replace the existing?
Have you set the Certificate server to not have any templates for which it is issuing certificates?
Have you set the anticipated life-span for it's Certificate Revocation List to be longer than the expiration date of it's current CA certificate?
Hmm, seems to me I saw a decent CA retirement checklist on Microsoft's site somewhat recently.  I'll see if I can dig that up for you.
(How to decommission a Windows enterprise certification authority and remove all related objects)
0
 
Dariusz TykaICT Infrastructure Specialist Senior Commented:
You can uninstall active directory certificate  services but you should follow the procedure for decommissioning CA.  See link below which describes in details all steps necessary to remove AD certificate service:
https://technet.microsoft.com/en-us/library/cc771494(v=ws.11).aspx
0
 
abhijitm00Author Commented:
Great. Thank you both, I will review these articles
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
abhijitm00Author Commented:
Would you know the process to migrate cert services to 2016? Thanks
0
 
Rich WeisslerProfessional Troublemaker^h^h^h^h^hshooterCommented:
Unfortunately I haven't done a lot with 2016 yet, and don't have ADCS up on 2016 either.  I would assume the migration would be materially equivalent to migrating to 2012 R2...
0
 
abhijitm00Author Commented:
Thanks Rich. Have you come across a scenario where the ADCS server was removed or crashed and it has affected AD adversely?
0
 
Rich WeisslerProfessional Troublemaker^h^h^h^h^hshooterCommented:
> Have you come across a scenario where the ADCS server was removed or crashed and it has affected AD adversely?
I have not.  (I'm uncertain whether to say, 'Fortunately', or 'Unfortunately'.  I'm leaning toward the former.)  I've had three production environments, and half a dozen or so test/lab environments, and haven't run into a problem...  If the ADCS server is unavailable for whatever reason, I wouldn't expect the first problems to appear until the CRL expires, and I've found that more software doesn't check the CRL than checks it.   Most of the time, after that, things will warn that the certificate will expire, but automated processes whcih can't respond to the warning, fail.  (And when stuff does check... it seems most of the time it just times out silently and continues if it can't find a CRL.)  That said, I certainly wouldn't take my experience as necessarily typical.
0
 
abhijitm00Author Commented:
Uninstalled Certificate Services from server
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.