Solved

ADCS removal from DC

Posted on 2017-12-07
Last Modified: 2017-12-26
Hello,
We are upgrading our Domain controllers from 2008R2 to 2012R2 server but now running into an issue while trying to upgrade the last 2008R2 DC. This DC has the ADCS role installed and it's not allowing me to decommission this DC until the role is removed. We are unsure if this certificate server is being used at all and we suspect that it isn't. It looks like the admin before me did the basic setup but never configured auto enrollment with GPO. How can we tell if this cert server is being used and if not used can we simply remove the role and continue on with the upgrade process?
Thank you
Question by:Rajesh446
8 Comments
 
LVL 20

Expert Comment

by:Zaheer Iqbal
ID: 42395992
In the CA snap-in, check for any issued certificates.
You can also back up the CA from the snap-in.
Action Menu --> All Tasks..
0
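One way to turn the issued-certificates check above into a yes/no answer on whether anything still depends on the CA, as an added example that is not part of the original thread: export the issued requests with certutil and list the ones that have not yet expired, by template and requester. The function name, the sample rows and the en-US date format are constructed for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Added example. On the CA, export issued requests (Disposition 20 = issued,
# which excludes revoked, denied and pending requests):
#   certutil -view -restrict "Disposition=20" `
#     -out "RequestID,RequesterName,CommonName,NotAfter,CertificateTemplate" csv > issued.csv
# then: Get-Content issued.csv -Raw | Get-LiveIssuedCert

function Get-LiveIssuedCert {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$CsvText,
        [datetime]$AsOf = (Get-Date),
        # certutil prints dates in the server's locale; pass that culture here.
        [System.Globalization.CultureInfo]$Culture = [System.Globalization.CultureInfo]::CurrentCulture
    )
    process {
        # Own column names, so the result does not depend on certutil's header text.
        $cols = 'RequestId', 'Requester', 'CommonName', 'NotAfter', 'Template'
        $CsvText -split "`r?`n" |
            Where-Object { $_.Trim() } |
            Select-Object -Skip 1 |          # drop certutil's header row
            ConvertFrom-Csv -Header $cols |
            ForEach-Object {
                $expires = [datetime]::Parse($_.NotAfter, $Culture)
                if ($expires -gt $AsOf) {    # still valid: something may rely on it
                    [pscustomobject]@{
                        RequestId  = [int]$_.RequestId
                        Requester  = $_.Requester
                        CommonName = $_.CommonName
                        Template   = $_.Template
                        DaysLeft   = [int]($expires - $AsOf).TotalDays
                    }
                }
            }
    }
}

# Constructed sample rows (not from a real CA), dates in en-US format.
$sample = @'
"Request ID","Requester Name","Issued Common Name","Certificate Expiration Date","Certificate Template"
"2","EXAMPLE\DC01$","dc01.example.test","12/1/2018 9:14 AM","DomainController"
"3","EXAMPLE\WEB01$","web01.example.test","3/15/2017 4:02 PM","WebServer"
"5","EXAMPLE\jdoe","jdoe","6/30/2019 11:45 AM","User"
'@
$live = $sample | Get-LiveIssuedCert -AsOf ([datetime]'2017-12-07') -Culture 'en-US'
$live | Group-Object Template | Select-Object Name, Count
$live | Sort-Object DaysLeft | Format-Table -AutoSize
```

An empty result means every certificate the CA issued has already expired; any rows returned identify the machines or users whose certificates will stop chaining to a live CA and lose CRL updates once the role is removed.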
 
LVL 20

Expert Comment

by:Zaheer Iqbal
ID: 42396004
0
 
LVL 20

Assisted Solution

by:Zaheer Iqbal
Zaheer Iqbal earned 1500 total points (awarded by participants)
ID: 42396008
0
 

Author Comment

by:Rajesh446
ID: 42396016
Thanks Zaheer.
We would like to discontinue using ADCS so how would we be able to get rid of it completely?
0
 
LVL 27

Accepted Solution

by:
Tom Cieslik earned 1500 total points (awarded by participants)
ID: 42396025
First of all, you must be an Enterprise Admin group member

then:

To uninstall a CA
1. Click Start, point to Administrative Tools, and click Server Manager.
2. Under Roles Summary, click Remove Roles to start the Remove Roles Wizard. Click Next.
3. Clear the Active Directory Certificate Services check box, and click Next.
4. On the Confirm Removal Options page, review the information, and then click Remove.
5. If Internet Information Services (IIS) is running and you are prompted to stop the service before proceeding with the uninstall process, click OK.
6. After the Remove Roles Wizard is finished, you must restart the server to complete the uninstall process.

The procedure is slightly different if you have multiple Active Directory Certificate Services (AD CS) role services installed on a single server. You can use the following procedure to uninstall a CA but retain other AD CS role services.
You must log on with the same permissions as the user who installed the CA to complete this procedure. If you are uninstalling an enterprise CA, membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To uninstall a CA role service
1. Click Start, point to Administrative Tools, and click Server Manager.
2. Under Roles Summary, click Active Directory Certificate Services.
3. Under Roles Services, click Remove Role Services.
4. Clear the Certification Authority check box, and click Next.
5. On the Confirm Removal Options page, review the information, and then click Remove.
6. If IIS is running and you are prompted to stop the service before proceeding with the uninstall process, click OK.
7. After the Remove Roles Wizard is finished, you must restart the server to complete the uninstall process.

If the remaining role services, such as the Online Responder service, were configured to use data from the uninstalled CA, you must reconfigure these services to support a different CA.

After a CA has been uninstalled, the following information is left on the server:
  • The CA database
  • The CA public and private keys
  • The CA's certificates in the Personal store
  • The CA's certificates in the shared folder, if a shared folder was specified during AD CS setup
  • The CA chain's root certificate in the Trusted Root Certification Authorities store
  • The CA chain's intermediate certificates in the Intermediate Certification Authorities store
  • The CA's CRL
1
 

Author Comment

by:Rajesh446
ID: 42396063
We would like to discontinue using ADCS so how would we be able to get rid of it completely?
0
 
LVL 27

Expert Comment

by:Tom Cieslik
ID: 42396077
I just told you how.
After all the steps, all will be deleted and you are going to be able to decommission your DC server from your forest.
0
 
LVL 27

Expert Comment

by:Tom Cieslik
ID: 42415157
Best solution provided. No more other questions from author
0


Question has a verified solution.
