
ADCS removal from DC

Posted on 2017-12-07
Last Modified: 2017-12-11
Hello,
We are upgrading our domain controllers from 2008R2 to 2012R2 server, but we are now running into an issue while trying to upgrade the last 2008R2 DC. This DC has the ADCS role installed and it's not allowing me to decommission this DC until the role is removed. We are unsure if this certificate server is being used at all and we suspect that it isn't. It looks like the admin before me did the basic setup but never configured auto-enrollment with GPO. How can we tell if this cert server is being used and, if it is not used, can we simply remove the role and continue on with the upgrade process?
Thank you
ADCS-Server-Cert-Templates.PNG
ADCS-Server-Issued-Cert.PNG
Question by:Rajesh446
7 Comments
 

Expert Comment

by:Zaheer Iqbal
In the CA snap-in, check for any issued certificates.
You can also back up the CA from the snap-in.
Action Menu --> All Tasks..
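
The same check can be scripted with certutil on the CA server. This is an added example, not part of the original thread: it lists issued certificates that have not yet expired and groups them by template and requester. The column names applied to the CSV and the output file path are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated prompt on the CA server.
# Assumption: certutil's "csv" output starts with one header row of display
# names; that row is skipped and fixed column names are applied instead.
$columns = 'RequestId', 'Requester', 'CommonName', 'NotAfter', 'Template'

# Disposition=20 selects issued certificates in the CA database
# (revoked, denied and pending requests are excluded).
$rows = certutil -view -restrict 'Disposition=20' `
            -out 'RequestID,RequesterName,CommonName,NotAfter,CertificateTemplate' csv |
        Select-Object -Skip 1 |
        ConvertFrom-Csv -Header $columns

# Keep only certificates that have not expired yet.
# Assumption: certutil prints dates in the current culture, so
# [datetime]::Parse can read them without a format string.
$now  = Get-Date
$live = @($rows | Where-Object {
    $_.NotAfter -and ([datetime]::Parse($_.NotAfter) -gt $now)
})

"Issued certificates in database : {0}" -f @($rows).Count
"Issued and not yet expired      : {0}" -f $live.Count

# Who still holds a valid certificate, and from which template?
$live | Group-Object Template, Requester |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Keep the list for the change record (hypothetical output location).
$report = Join-Path $env:TEMP 'adcs-live-certs.csv'
$live | Export-Csv -Path $report -NoTypeInformation
"Report written to $report"
```

An empty live list supports the suspicion that the CA is unused; any entries name the requester and template to follow up on before the role is removed.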

Author Comment

by:Rajesh446
Thanks Zaheer.
We would like to discontinue using ADCS so how would we be able to get rid of it completely?

Expert Comment

by:Tom Cieslik
First of all, you must be an Enterprise Admin group member

then:

To uninstall a CA:
1. Click Start, point to Administrative Tools, and click Server Manager.
2. Under Roles Summary, click Remove Roles to start the Remove Roles Wizard. Click Next.
3. Clear the Active Directory Certificate Services check box, and click Next.
4. On the Confirm Removal Options page, review the information, and then click Remove.
5. If Internet Information Services (IIS) is running and you are prompted to stop the service before proceeding with the uninstall process, click OK.
6. After the Remove Roles Wizard is finished, you must restart the server to complete the uninstall process.

The procedure is slightly different if you have multiple Active Directory Certificate Services (AD CS) role services installed on a single server. You can use the following procedure to uninstall a CA but retain other AD CS role services.
You must log on with the same permissions as the user who installed the CA to complete this procedure. If you are uninstalling an enterprise CA, membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To uninstall a CA role service:
1. Click Start, point to Administrative Tools, and click Server Manager.
2. Under Roles Summary, click Active Directory Certificate Services.
3. Under Roles Services, click Remove Role Services.
4. Clear the Certification Authority check box, and click Next.
5. On the Confirm Removal Options page, review the information, and then click Remove.
6. If IIS is running and you are prompted to stop the service before proceeding with the uninstall process, click OK.
7. After the Remove Roles Wizard is finished, you must restart the server to complete the uninstall process.

If the remaining role services, such as the Online Responder service, were configured to use data from the uninstalled CA, you must reconfigure these services to support a different CA.

After a CA has been uninstalled, the following information is left on the server:
  • The CA database
  • The CA public and private keys
  • The CA's certificates in the Personal store
  • The CA's certificates in the shared folder, if a shared folder was specified during AD CS setup
  • The CA chain's root certificate in the Trusted Root Certification Authorities store
  • The CA chain's intermediate certificates in the Intermediate Certification Authorities store
  • The CA's CRL
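
The leftovers listed above can be inventoried after the role is removed, so that the CA private key and database are not forgotten on a server that is about to be demoted. This is an added example, not part of the original thread; `$caName` is a placeholder, and the database and CertEnroll folder locations are assumed to be the setup defaults.

```powershell
# Added example, not from the thread. Run elevated on the former CA server
# after the role has been removed and the server restarted.
# Assumptions: $caName is a placeholder for the CA's common name; the database
# and CertEnroll folders are at their default locations.
$caName = '<CA common name>'
$found  = @()

function Add-Finding($kind, $detail) {
    New-Object PSObject -Property @{ Kind = $kind; Detail = $detail }
}

# CA certificates in the Personal store. HasPrivateKey = True means the
# private key is still present and linked to the certificate.
$found += @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$caName*" } |
    ForEach-Object {
        Add-Finding 'Personal store' ("{0} HasPrivateKey={1}" -f $_.Thumbprint, $_.HasPrivateKey)
    })

# Copies of the chain in the Trusted Root (Root) and Intermediate (CA) stores.
foreach ($store in 'Root', 'CA') {
    $found += @(Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -like "*CN=$caName*" } |
        ForEach-Object { Add-Finding "$store store" $_.Thumbprint })
}

# CA database files and published CRL / certificate files (default paths).
$paths = @{
    'CA database'     = "$env:SystemRoot\System32\CertLog\*.edb"
    'CRL file'        = "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl"
    'CA cert on disk' = "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crt"
}
foreach ($kind in $paths.Keys) {
    $found += @(Get-ChildItem $paths[$kind] -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding $kind $_.FullName })
}

if ($found.Count -eq 0) { 'No CA leftovers found at the checked locations.' }
else { $found | Sort-Object Kind | Format-Table Kind, Detail -AutoSize }
```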

Author Comment

by:Rajesh446
We would like to discontinue using ADCS so how would we be able to get rid of it completely?

Expert Comment

by:Tom Cieslik
I just told you how.
After all steps, all will be deleted and you are going to be able to decommission your DC server from your forest.