Asked by sagdoc

Issues demoting a Domain Controller role on a server that also has the Enterprise sub CA role.

I have an old Active Directory domain controller that also is an Enterprise Subordinate CA server.  Our only PIV engineer left so we don't have a lot of experience with this.  This subordinate CA server only seems to be involved in issuing the Domain Controller Certs.  I don't know why he put it on a DC but that is what I have.

I would like to demote this server as a Domain Controller only and leave the CA services installed for now.  If I demote the DC, remove the Domain Services and DNS roles but leave the machine in the domain with the CA services roles intact, would that cause any issues relating to the CA process?  I have read several articles on this and some say it could cause issues and others say that it doesn't.

* PKI CERTIFICATES
* Active Directory

Last comment: Adam Brown, 8/22/2022 - Mon