Decomission DC cert authority

I am trying to decommission my first production DC. It's an old 2003 DC that has not been well maintained. I have already introduced a 2008 R2 SP1 DC in the forest, moved the roles over and completed the DC decommission checklist and tests found at:

http://technet.microsoft.com/en-us/library/cc755937(v=ws.10).aspx

At this point I have reached the dcpromo task and was expecting to uninstall the DC and have the job completed, but it comes up with an error:

"Before you install or remove Active Directory, you must remove Certificate Services"

I came across this article that explains the process of removing the certificate authority from the DC:

http://support.microsoft.com/kb/889250/en-us

Now my question is: would I not need to transfer this authority to another DC rather than just follow the instructions in the above article, which basically stops and removes all certificates and uninstalls the certificate services?


Actually, I think I've just found the answer: http://technet.microsoft.com/en-us/library/ee126140(WS.10).aspx

Looks like the best solution is to rename the new DC to the same name as the old DC, to prevent having to reissue all the certs.

http://windowsitpro.com/windows/moving-certificate-authority-ca-another-dc

Short guide, to the point. But as a mistake could lead to all clients having cert issues, I am a bit apprehensive about it and in no rush.
Looking at the cert authority, only 5 of 52 certificates have not expired, and they are for the other domain controllers and one for my own user account, which I am not sure why it exists; it's for EFS but I have never used EFS. Either way, there do not look to be a lot of active certs on there.

I am just looking into the implications of actually just removing this cert authority and setting up a new one from scratch. From what I have read, the computer objects will still work because they are not registered with the DC using the certs. But I read one forum where a guy messed up the cert services migration and this led to users not being able to log in.

Ideally I would just uninstall the old cert authority, install a new one on the new DC and reissue the certs using the new DC as the common name. That way I don't need to worry about migrating any old legacy junk that does not need to be there any more. I am just not sure how much impact that will have yet.
 
It's only a small site with 100 users and 4 DCs (3 once this one is turned off): 1 physical and 2 virtual. I plan to bring that down to 2 DCs, 1 physical and 1 virtual, and then 1 at the DR side.

I don't think it's used for anything other than AD authentication. I remember a while ago they were using a domain certificate (the one found in IIS on the DC) from an external supplier. But when it came up for renewal I switched it to a self-signed certificate, as I know they are stopping issuing external certs for internal domains and it's cheaper. I am not sure how that cert relates to it being a cert authority, but on the other DCs we don't have IIS and the certificate there. It looks like that cert is set up for the DC that I want to disable. So I would assume then I will need to regenerate the domain cert for the new DC hostname. It says issued by the company name, rather than an external company like Thawte etc. So it must then be using the cert authority as the certificate issuer. So basically then I could just uninstall the cert authority, remove the DC and shut it down, then install the cert authority on the new DC and issue a new internal certificate for the new DC.

In the default domain policy we have this set up:

Public Key Policies/Trusted Root Certification Authorities
Policy Setting:
- Allow users to select new root certification authorities (CAs) to trust: Enabled
- Client computers can trust the following certificate stores: Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
- To perform certificate-based authentication of users and computers, CAs must meet the following criteria: Registered in Active Directory only
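The "5 of 52 still valid" count above was read off the CA console by eye. The following PowerShell is an added example, not code from the thread, that gets the same inventory from the CA database with certutil -view (a standard AD CS tool) so the numbers can be checked per template and per requester before the CA is removed. Disposition=20 selects issued certificates and NotAfter>now keeps the ones still within their validity period. The CA config string is a placeholder; leave it out when running on the CA itself.

```powershell
# Added example, not from the thread: inventory issued certificates in an AD CS CA database
# and report how many are still within their validity period, broken down by template.
# Run on the CA itself, or pass -CaConfig "CAHOST\CA Name" (placeholder) to query remotely.
function Invoke-CaView {
    param(
        [Parameter(Mandatory)][string]$Restrict,
        [string]$CaConfig
    )
    $argList = @()
    if ($CaConfig) { $argList += @('-config', $CaConfig) }
    # Disposition=20 means "issued"; a NotAfter>now restriction keeps only unexpired certificates.
    $argList += @('-view', '-restrict', $Restrict,
                  '-out', 'RequestID,RequesterName,CertificateTemplate,NotAfter', 'csv')
    $lines = & certutil.exe @argList 2>&1 |
        Where-Object { $_ -notmatch '^CertUtil:' -and $_ -ne '' }
    if ($LASTEXITCODE -ne 0) { throw "certutil failed: $($lines -join "`n")" }
    $lines | ConvertFrom-Csv
}

function Get-CaIssuedSummary {
    param([string]$CaConfig)
    $issued = @(Invoke-CaView -Restrict 'Disposition=20' -CaConfig $CaConfig)
    $active = @(Invoke-CaView -Restrict 'Disposition=20,NotAfter>now' -CaConfig $CaConfig)

    $byTemplate = @()
    if ($active.Count -gt 0) {
        # certutil labels CSV columns with localised display names, so locate them by pattern
        # instead of hard-coding "Certificate Template" / "Requester Name".
        $names        = $active[0].PSObject.Properties.Name
        $templateCol  = $names | Where-Object { $_ -like '*Template*' }  | Select-Object -First 1
        $requesterCol = $names | Where-Object { $_ -like '*Requester*' } | Select-Object -First 1
        $byTemplate = $active | Group-Object -Property $templateCol | ForEach-Object {
            [pscustomobject]@{
                Template   = $_.Name
                Count      = $_.Count
                Requesters = ($_.Group.$requesterCol | Sort-Object -Unique) -join ', '
            }
        }
    }

    [pscustomobject]@{
        Issued           = $issued.Count
        Active           = $active.Count
        Expired          = $issued.Count - $active.Count
        ActiveByTemplate = $byTemplate
    }
}

$summary = Get-CaIssuedSummary
"{0} issued, {1} still valid, {2} expired" -f $summary.Issued, $summary.Active, $summary.Expired
$summary.ActiveByTemplate | Format-Table -AutoSize
```

The per-template breakdown is the part worth keeping: a handful of Domain Controller certificates and a stray EFS certificate, as described above, look very different from an active Web Server or User template that something still depends on.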
Thanks for such an informative reply. No documentation at all. As far as I am aware only one third-party software is using LDAP over port 636. I don't see any certificates in use for that host though. Does the use of secure LDAP require the cert authority to be installed? I was not aware of that. If the cert authority is not required then I will not install it on the new server. The only sites in the IIS on the DC are sites about the certificate authority. Under the IIS on the DC the default site has CertControl, CertEnroll and CertSrv sections.

I will have to update the MFD, XenApp and Mimecast with the new domain controller address before decommissioning this DC, thanks for reminding me.

I would like to move over all the ldap connections to port 636 rather than 389.
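Whether a DC still answers LDAPS, and with which certificate, can be checked directly rather than inferred from what is installed. The script below is an added PowerShell example, not code from the thread; the DC hostnames are placeholders. It opens a TLS session to port 636 on each DC, records the subject, issuer and expiry of the certificate presented, and reports whether the machine running the script trusts the chain. A DC with no server certificate in its store will fail the handshake, which the script reports as an error rather than a crash.

```powershell
# Added example, not from the thread: inspect the certificate each DC presents on LDAPS (TCP 636).
# Hostnames are placeholders; replace them with the DCs you intend to point LDAPS clients at.
param(
    [string[]]$DomainControllers = @('dc01.corp.example', 'dc02.corp.example')
)

function Test-LdapsCertificate {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)

    $result = [ordered]@{
        Server = $Server; Reachable = $false; Subject = $null; Issuer = $null
        NotAfter = $null; SubjectAltNames = $null; ChainTrusted = $false; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $result.Reachable = $true

        # Accept any certificate during the handshake so it can be inspected; trust is evaluated
        # separately below with X509Chain against this machine's stores.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter
        $san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
        if ($san) { $result.SubjectAltNames = $san.Format($false) }

        # Does this client trust the issuing chain? Clients such as an LDAPS consumer will refuse
        # the connection when this is false, so it is the thing to verify before cutting over.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $result.ChainTrusted = $chain.Build($cert)
        if (-not $result.ChainTrusted) {
            $result.Error = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
        $ssl.Dispose()
    } catch {
        # No listener, or the DC has no usable server certificate and aborted the TLS handshake.
        $result.Error = $_.Exception.Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

$DomainControllers | ForEach-Object { Test-LdapsCertificate -Server $_ } | Format-List
```

Run it from the machine that hosts the LDAPS client (or one with the same trusted root store), since ChainTrusted reflects the stores of the machine running the script, not the DC's. A DC whose certificate was issued by the old CA will keep answering on 636 until that certificate expires, which is why NotAfter is worth recording for each DC before the CA goes away.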
 
I have uninstalled the cert authority and so far so good. I moved over the third-party (Mimecast) LDAPS connection to the new DC without any problems. The cert authority was not actually in use as far as I can tell. But I kept a backup of it in case I need to restore.