<div>
First at all...<br>You can migrate a certificate authority from one server to another. Some of the settings are stored on the CA server, other in AD. Not the biggest job. <br>What is the best way depends a bit from the certificates you have issued. If you have a lot of certificates out, you possibly have to think about how to handle this. If you are talking about a few ones, you can even build up a new CA, but all old certificates stay valid, but cannot find a revocation list anymore as well as there associated AIA records, what can produce some other trouble. A new certificate authoruity means, you need to replace all issued certs. New Root cert and everything existant is for the trash. <br><br>So the strategy depend a bit, if this server should be DC demoted and the CA shoud stay on it as a member server, or just to move te cert authority to a different server. <br>It depends also from the fact, if your certificate contain hardcoded names like AIA or CDP records, which may point to server names instead of alias names. &nbsp; <br><br>1.) DCs <br>If the DCs takes certificates from your CA, I would be carefully. As these certificates have a very short lifetime, they will invalidate in a short time. If you have an imapct depends from other settings. If you have enforced that all traffic has to be encrypted, you may run into major issues, as it can break communicationon several levels. <br>In that case, I would take care about your CA.<br>For single DCs it is not the biggest issue as there is no communication between DCs. Her you can also use self signed certs as they usually do as far as noch PKI was ever installed. <br>&nbsp;<br>2.) Clients<br>Hard to say whiout having seen it. The major question is, if you have enforced encryption. As encryption is certifiate related, you need a valid certificate. If encryption is optional, then the communication keep alive.<br>By default, a clients does not use certs for logon, but possibly for encryption of communication. <br><br>3.) DCs are enchanging data under each other.<br><br>4.) If you use file / drive encryption (i.e bit locker), than it is a good idea to have a recovery account. <br>If you don't use it, you do not need to take too much care.<br>An recocery account is connected to the CA, for which it was issued to. If this CA is dead, then the nobody is able to encrypt data using such a cert. If you are sure, that nobody has used them to encrypt something, than you can delete it. <br><br>Summary:<br>It is really hard to say, if you can shoot your CA to the moon or if you are on the way to sign your own retirement (becaused you shut down the network). There are a few dependencies. <br>The more save way would be, to keep it up and running just by moveing the service to a different machine. <br>You may have to take care about the AIA and CDP settings of your current certificates (you can see everything with the Enterprise PKI snap in). If there is something hardcoded (like URLs) you have either to replace them first by a DNS alias or to create an DNS alias to point somewhere else. If you are sure, your issued certs are fine, then you can move your CA savely. Otherwise you would have to correct the AIA / CDP settings and reissue all certs so that all servers have correct AIA / CDP settings. If you plan to put the current server completely out of order, you can also just correct is by adding an alias with the old server name, pointing to the new one. <br>If your CA is moved and working, the CA service on the DC is obsolet an can be put out of order. And then youi can demote the DC. <br><br>The Enterprise PKI may also give you the chance to possibly remove old settings from an older CA. <br>Everything else has to be removed manually especially if there is something left over in AD. <br><br>Revoking certs is not really neccessary, this is more a security issue. But as revoking invalidates the certs, you may observer, which services will stop. But also the issued certs in the CA will give you a clue, for what you have issued certs. The default user certificate templates have the file encryption usage enabled. So if you have issued certificates with this template, you never can be sure, if users havn't used it for file encryption. If you never issued user certs or Basis-EFS certs, then nobody ws able to encrypt. But if you revoke such certs, the user is not able anymore to decrypt his data. <br>Also a reason why better to move than just to uninstall / deinstall. <br>If you really decide to uninstall your current CA, it may be an idea to install a new one first, and if it is running, you can replace certs by issuing them from the new CA before switching off the old one. &nbsp;<br><br>
</div>


<div>
I was under the impression that since the CA server is installed on a domain controller, that I wouldn't be able to just move it to another server. &nbsp;That would actually be a good solution, can I just move it to another server if it's currently installed on a domain controller?&nbsp;
</div>


<div>
Yes, you can move a CA from one server to another whether its a DC or a member server.<br>1. Backup CA database and copy files and registry from old server.<br>2. Remove ADCS role from old server.<br>3. Install ADCS role on new server.<br>4. Restore registry, file and CA database to new server.<br><br>See also:&nbsp;<a href="https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/move-certification-authority-to-another-server" rel="ugc">How to move a certification authority to another server - Windows Server | Microsoft Docs</a>&nbsp;
</div>


<div>
Yes, as Peter said, the moving is quite simple...<br>You can even can use this procedure to restore your CA on the same machine if you demoted the DC.<br>&nbsp;<br>You just have to care about the AIA / CDP settings. The default settings point usually to the AD, what stay valid after a move. If http links are used, then they may hard linked to the server name. YOu just should make sure, that a certificate doesn't point to a dead server (servicer without PKI).<br>Yuu can also have a look into your issued certs (on a client) and check the "CRL Distribution Points" and "Authority Information Access" properties in the cert details. If you find server names in there, &nbsp;you should take care. If you do not see server names, than everything is fine..<br><br>If you see server names, you have to make sure, that the clients can find them. If you move the CA, the CA has a new server name and the certs are pointing to the old one. If you take your old server out of order, then you can just add a DNS Alias for the old servername pointing on the new one. <br>If the old server name will stay present, you either have to move the CA back, or better you create a new alias name and changing the AIA / CDP settings to this new alias name. &nbsp;<br>It is best practise to use only alisas DNS names with CA server for AIA / CDP as you freely can move the CA without issues, just by point the alias to the current CA server.<br>&nbsp;<br>You can change the AIA / CDP records inside EnterprisePKI MMC snapin. After changing the setting, you should initiate a reissuing of all certs. Don't forget router or other devices, which may have got a cert from you PKI and will not automatically reissue. <br><br>Even if you move the PKI back to the original server, you should neutralise your PKI for the future. In that case, there is no need to reissue something (or you do it later), just to make sure that newly issued certs have a neutral name. <br>&nbsp;<a href="https://filedb.experts-exchange.com/incoming/2021/05_w21/1561749/EnterprisePKI.PNG" rel="ugc"><img src="https://filedb.experts-exchange.com/incoming/2021/05_w21/1561749/EnterprisePKI.PNG" class="fr-fic fr-dib"></a>
</div>


EnterprisePKI.PNG

Senior Network Systems Specialist

Peter Hutchison

<div>
I found <a href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486797(v=ws.11)" rel="ugc">Active Directory Certificate Services Migration Guide for Windows Server 2012 R2 | Microsoft Docs</a>, it's for server 2012, but perhaps it will also apply to server 2016. &nbsp;It says "This guide can be used to migrate a CA from a source server that is also a domain controller to a destination server with a different name. However, migration of a domain controller is not covered by this guide. For information about Active Directory Domain Services (AD DS) migration, see&nbsp;<a href="https://go.microsoft.com/fwlink/?linkid=179357" rel="ugc">Active Directory Domain Services and DNS Server Migration Guide</a> (<a href="https://go.microsoft.com/fwlink/?LinkId=179357" rel="ugc">https://go.microsoft.com/fwlink/?LinkId=179357</a>)." &nbsp;I also don't want to migrate the domain controller, only the CA, but it looks like it's perhaps pointing me in the right direction.
</div>


<div>
Actually after reading through the migration guide, running all the backups etc. and starting on the migration steps it said "Because computer names must be unique within an Active Directory domain, it is necessary to remove the source server from its domain and delete the associated computer account from Active Directory before joining the destination server to the domain." &nbsp;I need to keep the old server running because it's my DHCP and WSUS server. &nbsp;Is moving the CA different than migrating it?
</div>


<div>
looks like I'm back&nbsp;<em>Original KB number:</em>&nbsp; 2795825 which says to remove the CA role from the server, then demote the DC, then reinstall the CA role. &nbsp;Which also leads me back to the original question of what would happen if I revoked the domain controller certificates and removed the CA role from the server? &nbsp;Will the domain controllers stop communicating or will everything keep running and traffic just not be encrypted or something?
</div>


HogRing

<div>
Okay, so then I uninstall the certificate services role without revoking the certificates, and then after demotion I reinstall correct? &nbsp;<br><br>I still have the same question of what will happen when I do this?<br>What will happen when I remove the certificate services role from the server, there is no other CA server, are my domain controllers going to stop communicating with each other or are people not going to be able to log in to the network? &nbsp;I need to avoid causing down time.<br><br>
</div>


<div>
<div class="content wysiwyg-content fr-view">
I have a Server 2016 Domain Controller that is also running Certificate Services. &nbsp; I need to demote this domain controller and make it a member server. &nbsp;Just to give all the info, I've noticed in Active Directory Sites and Services that there are also references to a very old Certificate Services server (CA) that had a catastrophic failure many years ago and there are some lingering objects in Active Directory that still list this really old CA (not sure if that is going to affect my current issue). &nbsp; <br>My understanding is that I won't be able to demote this DC until I first uninstall the CA and that I should then reinstall it after the DC is demoted [see: <a href="https://social.technet.microsoft.com/Forums/en-US/afeb299d-3b4d-4a5b-9def-b33dd22e3a45/cant-demote-ad-ds-becasue-certificate-server-is-installed" rel="ugc nofollow">can't demote AD DS becasue Certificate Server is installed (microsoft.com)</a>]. &nbsp;I've read KB 889250 which tells me the first thing I need to do is revoke all active certificates that are issued by the CA. &nbsp;I loaded the Certificate Authority snap in in mmc and the Issued Certificates folder only shows certificates issued using the domain controller template. &nbsp;I don't think Certificate Services was ever fully implemented and doesn't seem to be doing much. &nbsp;Eight certificates were issued to domain controllers, three of them are expired and 5 are active. &nbsp;One of the 5 active certificates is for a DC that was recently decommissioned. &nbsp;The expired certificates only expired a few days ago (perhaps in conjunction with setting up a new DC?). &nbsp;<br>Since I need to first revoke those issued certificates, my questions are: <br>1. What is going to happen when I revoke the certificates? &nbsp;Are my domain controllers going to stop communicating with each other or are people not going to be able to log in to the network? &nbsp;<br>2. What will happen when I remove the certificate services role from the server, there is no other server that has this installed, will people lose the ability to login or something? &nbsp;Will it start having problems because that old certificate services server that failed sitll has references in sites and services?<br>3. What are those domain controller certificates used for, do I need them or can I just skip re-installing certificate services and go without it?<br>4. I noticed in the group policy that the really old certificate authority that failed must have issued a &nbsp;certificate to the domain administrator for file recovery. &nbsp;There is a group policy in Computer Configuration &gt; Windows Settings &gt; Security Settings &gt; Public Key Policies &gt; Encrypting File System that lists a certificate issued to Administrator which expired in 2008. &nbsp;The intended purpose listed is File Recovery. &nbsp;I'm note sure if I should be messing with this, since it's expired is it hurting anything being there, is there a risk in deleting it, I don't want to lose any encrypted files.
</div>
</div>



I have a Server 2016 Domain Controller that is also running Certificate Services.   I need to demote this domain controller and make it a member server.  Just to give all the info, I've noticed in Active Directory Sites and Services that there are also references to a very old Certificate Services server (CA) that had a catastrophic failure many years ago and there are some lingering objects in Active Directory that still list this really old CA (not sure if that is going to affect my current issue).  
My understanding is that I won't be able to demote this DC until I first uninstall the CA and that I should then reinstall it after the DC is demoted [see:
can't demote AD DS becasue Certificate Server is installed (microsoft.com)
].  I've read KB 889250 which tells me the first thing I need to do is revoke all active certificates that are issued by the CA.  I loaded the Certificate Authority snap in in mmc and the Issued Certificates folder only shows certificates issued using the domain controller template.  I don't think Certificate Services was ever fully implemented and doesn't seem to be doing much.  Eight certificates were issued to domain controllers, three of them are expired and 5 are active.  One of the 5 active certificates is for a DC that was recently decommissioned.  The expired certificates only expired a few days ago (perhaps in conjunction with setting up a new DC?).  
Since I need to first revoke those issued certificates, my questions are:
1. What is going to happen when I revoke the certificates?  Are my domain controllers going to stop communicating with each other or are people not going to be able to log in to the network?  
2. What will happen when I remove the certificate services role from the server, there is no other server that has this installed, will people lose the ability to login or something?  Will it start having problems because that old certificate services server that failed sitll has references in sites and services?
3. What are those domain controller certificates used for, do I need them or can I just skip re-installing certificate services and go without it?
4. I noticed in the group policy that the really old certificate authority that failed must have issued a  certificate to the domain administrator for file recovery.  There is a group policy in Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System that lists a certificate issued to Administrator which expired in 2008.  The intended purpose listed is File Recovery.  I'm note sure if I should be messing with this, since it's expired is it hurting anything being there, is there a risk in deleting it, I don't want to lose any encrypted files.

What happens when I revoke domain controller certificates and uninstall Active Directory Certificate Services from a domain controller?

certificate services

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.