Akash Bansal
asked on
Do I need this Active Directory Certificate Services role for smooth working of the network? I have demoted the previous DC without a CA backup.
Windows 2012 R2 was installed with all FSMO roles & Windows essential service (DC1).
I had another DC with Windows 2016 installed (ADC2).
Windows 2012 R2 was having some issue, so I decided to transfer the FSMO roles to ADC2: https://www.dtonias.com/transfer-fsmo-roles-domain-controller/
So I successfully transferred all FSMO roles to ADC2.
Then I removed Windows essential service (as I was not using it) from DC1.
I force-demoted DC1, ignoring the warning that Certificate Services is installed on the DC.
I missed backing up the CA as described at: https://social.technet.microsoft.com/Forums/windowsserver/en-US/d922860b-c8cd-4ed5-9b0b-05391c18afc0/demoting-a-domain-controller-with-a-ca-on-it
I never added any certificate on the CA. In the network, an MS Exchange 2013 server is also running, which uses a public SSL certificate.
Do I need this Active Directory CA role or service for smooth working of the network?
https://community.spiceworks.com/topic/373554-demote-a-dc-with-certificate-authority
Or should I ignore this & proceed to shut down DC1?
Hello,
It's highly recommended to keep the CA outside of your domain controller.
An Enterprise CA is preferred, considering its much tighter integration with Active Directory and features like auto-enrollment.
Cheers!
ASKER
Thanks for the quick solution.
I have configured the CA on another non-DC server.
It may be worth looking at this similar question:
https://www.experts-exchange.com/questions/27923975/How-to-delete-dead-CA-properly-in-Windows-Server-2008-R2-Enterprise-PKI.html