I have a Server 2016 Domain Controller that is also running Certificate Services. I need to demote this domain controller and make it a member server. Just to give all the info, I've noticed in Active Directory Sites and Services that there are also references to a very old Certificate Services server (CA) that had a catastrophic failure many years ago and there are some lingering objects in Active Directory that still list this really old CA (not sure if that is going to affect my current issue).
My understanding is that I won't be able to demote this DC until I first uninstall the CA and that I should then reinstall it after the DC is demoted [see: can't demote AD DS becasue Certificate Server is installed (microsoft.com)
]. I've read KB 889250 which tells me the first thing I need to do is revoke all active certificates that are issued by the CA. I loaded the Certificate Authority snap in in mmc and the Issued Certificates folder only shows certificates issued using the domain controller template. I don't think Certificate Services was ever fully implemented and doesn't seem to be doing much. Eight certificates were issued to domain controllers, three of them are expired and 5 are active. One of the 5 active certificates is for a DC that was recently decommissioned. The expired certificates only expired a few days ago (perhaps in conjunction with setting up a new DC?).
Since I need to first revoke those issued certificates, my questions are:
1. What is going to happen when I revoke the certificates? Are my domain controllers going to stop communicating with each other or are people not going to be able to log in to the network?
2. What will happen when I remove the certificate services role from the server, there is no other server that has this installed, will people lose the ability to login or something? Will it start having problems because that old certificate services server that failed sitll has references in sites and services?
3. What are those domain controller certificates used for, do I need them or can I just skip re-installing certificate services and go without it?
4. I noticed in the group policy that the really old certificate authority that failed must have issued a certificate to the domain administrator for file recovery. There is a group policy in Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System that lists a certificate issued to Administrator which expired in 2008. The intended purpose listed is File Recovery. I'm note sure if I should be messing with this, since it's expired is it hurting anything being there, is there a risk in deleting it, I don't want to lose any encrypted files.