Decommissioning 2008r2 Active Directory Certificate Server


I'm upgrading all of our servers from 2008r2 to 2016. I have one server that I am looking to decommission, but am having some trouble.

This server was the primary 2008r2 Domain Controller. It had AD, DHCP, DNS, and AD certificate services installed on it. I have moved everything but ADCS.

When looking to dcpromo demote the server, I get an error that ADCS is running. I'm not sure how I can tell which certificates will break or which machines will continue functioning. Should I be migrating ADCS to another server, or can the infrastructure survive without ADCS?

I acquired this network/server setup, and haven't worked with ADCS before.

Please see the attached images with some description. I have omitted sensitive data, and have sorted by cert expiration date.

From research, I know that the User Basic EFS certificates are not used anymore, and can be skipped. We are also not using the deleted server for RAS/IAS Wlan. Lastly, we are not using the CA Exchange cert as we are using Office365 for everything.

Are the Domain Controller Authentication and Directory Email Replication certs okay to revoke, or will things break?

Thank you in advance!

[Image attachment: Issued Certs]

From the list it looks like most of the certificates will be expired before this year's end, with the exception of a few which are domain controller certs.
Domain controllers can live happily without a certificate authority.
So in short, you can simply uninstall the CA server and forget it, and then decommission the DC as well.

If you want to retain the CA, you can follow the simple steps below:
Back up the Certificate Authority
Uninstall the Certificate Authority
Uninstall the domain controller role and convert the CA into a simple member server
Restore the CA from backup
And you will be back in business.
If you cannot retain the same server, you can install a new member server with the same hostname as the previous one and restore the CA from backup there.
This way nothing will be impacted.

You will find lots of articles on how to back up a CA and how to restore it from backup; there are so many blogs, and TechNet documentation is also available on this topic.
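As an added example (not from this thread or from the Microsoft documentation), the script below does the "inventory, then back up" part of the procedure above on the 2008 R2 CA itself: it lists the still-valid issued certificates so you can see which templates still have live dependents, then takes the CA backup that the restore step needs. It assumes an elevated PowerShell session on the CA and uses C:\CABackup as a placeholder path.

```powershell
# Added example, not code from the original thread. Run elevated on the 2008 R2 CA.
# $BackupPath is a placeholder; point it at a volume that is not being decommissioned.
$BackupPath = 'C:\CABackup'
$Inventory  = Join-Path $BackupPath 'issued-still-valid.txt'

New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

# 1. Inventory: issued (Disposition=20) certificates that have not yet expired, with requester
#    and template. Everything listed is a live dependency on this CA. DomainController-family
#    certs only matter if something actually uses them (LDAPS clients, smart-card logon).
certutil -view -restrict 'Disposition=20,NotAfter>=now' `
    -out 'RequestID,RequesterName,CertificateTemplate,NotAfter' |
    Out-File $Inventory -Encoding ascii
Write-Host "Still-valid issued certificates written to $Inventory"

# 2. Back up the CA database plus the CA certificate and private key. certutil prompts for
#    the password that protects the exported .p12; keep that password with the backup media.
certutil -backup $BackupPath

# 3. Back up the CA's registry configuration and CAPolicy.inf, which certutil -backup skips.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $BackupPath 'CertSvc-Configuration.reg') /y
$caPolicy = Join-Path $env:windir 'CAPolicy.inf'
if (Test-Path $caPolicy) { Copy-Item $caPolicy $BackupPath }

# 4. Verify every piece a later restore needs is present before the CA role is removed.
$required = @(
    (Join-Path $BackupPath 'DataBase'),
    (Join-Path $BackupPath 'CertSvc-Configuration.reg')
)
$missing = @($required | Where-Object { -not (Test-Path $_) })
if (-not (Get-ChildItem $BackupPath -Filter '*.p12')) { $missing += 'CA key (*.p12)' }
if ($missing.Count -gt 0) {
    throw "Backup incomplete, do not uninstall the CA yet: $($missing -join ', ')"
}
Write-Host 'CA backup complete. Safe to proceed with uninstalling the CA role.'
```

Review the inventory file before removing the role: if only templates you have confirmed unused remain, the "uninstall and forget it" path is safe; otherwise the backup is what the restore on the new member server will consume.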

Jeff Glover, Sr. Systems Administrator, commented:
To piggyback on what Mahesh said, if you need a new internal CA running 2016, I would do exactly what he lists for retaining a CA, but I would also install Certificate Services on a new 2016 server and install a new Root CA. Then on the old one, just remove all the templates. Wait until all the certs are no longer valid or have been replaced (for domain controllers, you can just go to the DC and renew the certificate with a new key; it will get a new certificate from the new CA), then uninstall Certificate Services on the 2008 server and decommission it.
vcomtech (Author) commented:
Thanks Mahesh and Jeff! I'm going to opt out of having an internal CA.