ADCS removal from DC

Hello,
We are upgrading our Domain controllers from 2008R2 to 2012R2 server but now running into an issue while trying to upgrade the last 2008R2 DC. This DC has the ADCS role installed and it's not allowing me to decommission this DC until the role is removed. We are unsure if this certificate server is being used at all and we suspect that it isn't. It looks like the admin before me did the basic setup but never configured auto enrollment with GPO. How can we tell if this cert server is being used and if not used can we simply remove the role and continue on with the upgrade process?
Thank you
Rajesh446 Asked:
 
Tom Cieslik (IT Engineer) Commented:
First of all, you must be an Enterprise Admin group member

then:

To uninstall a CA

1. Click Start, point to Administrative Tools, and click Server Manager.
2. Under Roles Summary, click Remove Roles to start the Remove Roles Wizard. Click Next.
3. Clear the Active Directory Certificate Services check box, and click Next.
4. On the Confirm Removal Options page, review the information, and then click Remove.
5. If Internet Information Services (IIS) is running and you are prompted to stop the service before proceeding with the uninstall process, click OK.
6. After the Remove Roles Wizard is finished, you must restart the server to complete the uninstall process.

The procedure is slightly different if you have multiple Active Directory Certificate Services (AD CS) role services installed on a single server. You can use the following procedure to uninstall a CA but retain other AD CS role services.

You must log on with the same permissions as the user who installed the CA to complete this procedure. If you are uninstalling an enterprise CA, membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To uninstall a CA role service

1. Click Start, point to Administrative Tools, and click Server Manager.
2. Under Roles Summary, click Active Directory Certificate Services.
3. Under Roles Services, click Remove Role Services.
4. Clear the Certification Authority check box, and click Next.
5. On the Confirm Removal Options page, review the information, and then click Remove.
6. If IIS is running and you are prompted to stop the service before proceeding with the uninstall process, click OK.
7. After the Remove Roles Wizard is finished, you must restart the server to complete the uninstall process.

If the remaining role services, such as the Online Responder service, were configured to use data from the uninstalled CA, you must reconfigure these services to support a different CA.

After a CA has been uninstalled, the following information is left on the server:

- The CA database
- The CA public and private keys
- The CA's certificates in the Personal store
- The CA's certificates in the shared folder, if a shared folder was specified during AD CS setup
- The CA chain's root certificate in the Trusted Root Certification Authorities store
- The CA chain's intermediate certificates in the Intermediate Certification Authorities store
- The CA's CRL
1
 
Zaheer Iqbal (Technical Assurance & Implementation) Commented:
In the CA snap-in, check for any issued certificates.
You can also back up the CA from the snap-in.
Action Menu --> All Tasks..
0
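
The check suggested above (look for issued certificates before removing the role) can also be done from the command line with certutil. The following is an added example, not part of any poster's reply: it lists issued, unexpired, non-revoked certificates from the CA database and groups them by template. It assumes it is run locally on the CA server by an account that can read the CA database; the variable and property names are illustrative.

```powershell
# Added example: run in an elevated PowerShell prompt on the CA server.
# Written to work with the PowerShell 2.0 that ships with Server 2008 R2.

# Columns to pull from the CA database (certutil schema column names).
$columns = 'RequestID,RequesterName,CommonName,CertificateTemplate,NotAfter'

# Disposition=20 selects issued certificates (revoked ones are 21).
# NotAfter>=now drops certificates that have already expired; certutil
# accepts "now" as a date relative to the current time.
$raw = certutil -view -restrict 'Disposition=20,NotAfter>=now' -out $columns csv
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed: $raw" }

# The CSV header row uses localized display names, so skip it and
# assign our own property names instead.
$issued = @($raw |
    Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
    Select-Object -Skip 1 |
    ConvertFrom-Csv -Header RequestId, Requester, CommonName, Template, NotAfter)

if ($issued.Count -eq 0) {
    'No unexpired issued certificates found in the CA database.'
}
else {
    # Which templates are in use, and how many live certificates each has.
    $issued | Group-Object Template | Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize

    # Who holds them: the machines and users to review before removal.
    $issued | Sort-Object Requester, CommonName |
        Format-Table RequestId, Requester, CommonName, NotAfter -AutoSize
}
```

Any rows returned identify the certificates that will stop chaining to a live CA once the role is removed, so those requesters are the ones to review first.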
 
 
Rajesh446 (Author) Commented:
Thanks Zaheer.
We would like to discontinue using ADCS so how would we be able to get rid of it completely?
0
 
 
Tom Cieslik (IT Engineer) Commented:
I just told you how.
After all the steps, everything will be deleted and you are going to be able to decommission your DC server from your forest.
0
 
Tom Cieslik (IT Engineer) Commented:
Best solution provided. No more other questions from author
0
Question has a verified solution.
