Akash Bansal asked:

Do I need this Active Directory Certificate service or role for the smooth working of the network? I have demoted the previous DC without a CA backup.

Windows 2012 R2 was installed with all FSMO roles and Windows essential service (DC1).
I had another DC with Windows 2016 installed (ADC2).

Windows 2012 R2 was having some issues, so I decided to transfer the FSMO roles to ADC2: https://www.dtonias.com/transfer-fsmo-roles-domain-controller/
So I successfully transferred all FSMO roles to ADC2.

Then I removed Windows essential service (as I was not using it) from DC1.

I force-demoted DC1, ignoring the warning that the Certificate service is installed on the DC.

I missed backing up the CA as described at: https://social.technet.microsoft.com/Forums/windowsserver/en-US/d922860b-c8cd-4ed5-9b0b-05391c18afc0/demoting-a-domain-controller-with-a-ca-on-it

I never added any certificate on the CA. In the network, an MS Exchange 2013 server is also running, which uses a public SSL certificate.

Do I need this Active Directory CA role or service for the smooth working of the network?
https://community.spiceworks.com/topic/373554-demote-a-dc-with-certificate-authority

Or should I ignore this and proceed to shut down DC1?
ASKER CERTIFIED SOLUTION
Shabarinath TR

Akash Bansal

ASKER

Thanks for the quick support.

Please advise the CA configuration I need to do at DC2.



Hello,


It's highly recommended to keep the CA outside of your domain controller.

An Enterprise CA is preferred, considering its much tighter integration with Active Directory and features like auto-enrollment.


Cheers!

Thanks for the quick solution.
I have configured the CA on another non-DC server.