try to demote a DC, but Certification Authority unable to start

    Question

  • Hi,

    We plan to demote an old DC (Win2003; just remove it as a DC and DNS, the server will continue to be used for other purposes) and found that it has a CA on it (it may be the only server that has a CA in our environment). The server that will take over its role will be an existing 2008 R2 DC.

    I read some articles: we should back up the CA first, then do the demote and then reinstall it back.

    But we are unable to back it up, since the Microsoft Certification Service cannot be started, with error code "0xc8000267 (ESE: -615) ".

    What's the best thing we can do? Get the CA service working first? Or can we transfer it to another server even though the service cannot be started? I am not sure we use any CA, since it may not have been running for a while and it seems we don't have other issues reported.


    • Edited by beidog Thursday, May 16, 2013 9:08 PM
    Thursday, May 16, 2013 9:03 PM

Answers

  • Make sure to make a full backup of your server before trying this...

    In order to back up the CA without starting it you will probably have to manually back up the certificates on the server with the certutil.exe tool and export the reg keys.

    Something like: Certutil.exe -backupkey [CA installpath]

    1. Use "Certutil.exe" to back up your certs manually to a backup folder.

    2. Back up the CA database files (copy / paste from "C:\Windows\System32\Certlog") to the backup folder.

    3. Use "regedit" to export your CA reg keys to the backup folder.

    4. Back up your backup folder onto a USB drive or another server.

    5. uninstall CA

    6. demote DC

    7. install CA on same server:
        7.1 Use existing private key (select backed-up key from previous steps)
        7.2 stop CA
        7.3 copy/paste & overwrite backup database files (backup to "C:\Windows\System32\Certlog")
        7.4 Start CA

    Your server should be demoted now with an intact CA.


    Tuesday, May 21, 2013 11:59 AM
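    Steps 1 to 4 of the answer above, scripted as one offline backup run. This is an added example and not code from the thread or from Microsoft; it assumes PowerShell 2.0 or later is installed on the CA host, that it is run elevated, that the database lives in the default CertLog folder the answer names, and that $BackupRoot and the PFX password are values you choose (both are constructed placeholders here). The registry key is the standard CertSvc configuration key.

    ```powershell
    # Offline backup of a CA whose service will not start (added example, not from the thread).
    # Assumed: run elevated on the CA host, PowerShell 2.0+, default CertLog location.
    $BackupRoot = 'C:\CABackup'                                  # constructed path; change it
    $PfxPassword = 'ChangeMe-ConstructedPlaceholder'             # constructed; pick a real one
    $CertLog    = Join-Path $env:SystemRoot 'System32\CertLog'
    $CaRegKey   = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    New-Item -ItemType Directory -Path (Join-Path $BackupRoot 'CertLog') -Force | Out-Null

    # Step 1: CA certificate chain and private key to a password-protected PFX.
    # -backupkey only needs access to the key store, not a running CertSvc.
    & certutil.exe -p $PfxPassword -backupkey $BackupRoot
    if ($LASTEXITCODE -ne 0) { throw "certutil -backupkey failed (exit code $LASTEXITCODE)" }

    # Step 2: raw database files (.edb, .log, .chk). Make sure the service is stopped
    # so nothing holds the files open while they are copied.
    Stop-Service -Name CertSvc -ErrorAction SilentlyContinue
    Copy-Item -Path (Join-Path $CertLog '*') -Destination (Join-Path $BackupRoot 'CertLog') -Force

    # Step 3: CA configuration from the registry (what regedit export would produce).
    & reg.exe export $CaRegKey (Join-Path $BackupRoot 'CertSvc-Configuration.reg') /y
    if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit code $LASTEXITCODE)" }

    # Check before step 4 (copying the folder elsewhere): every piece must be present.
    $pfx = Get-ChildItem -Path $BackupRoot -Filter '*.p12'
    $edb = Get-ChildItem -Path (Join-Path $BackupRoot 'CertLog') -Filter '*.edb'
    $reg = Get-ChildItem -Path $BackupRoot -Filter '*.reg'
    if (-not $pfx -or -not $edb -or -not $reg) {
        throw 'Backup incomplete: expected a .p12 key file, at least one .edb and a .reg export'
    }

    # Write a manifest (name, size, last write time) so the copy on the USB drive or
    # second server can be compared against the original before the CA is uninstalled.
    Get-ChildItem -Path $BackupRoot -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, LastWriteTime |
        Export-Csv -Path (Join-Path $BackupRoot 'manifest.csv') -NoTypeInformation

    Write-Host "CA backup written to $BackupRoot; copy it off the server before uninstalling the CA."
    ```

    The PFX that certutil -backupkey writes contains the CA's private key, so the backup folder deserves the same protection as the CA itself: an encrypted removable drive or a locked-down share, and the password kept separately from the media.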

All replies

  • Hello,

    the CA MUST be uninstalled before you can demote the DC.

    http://social.technet.microsoft.com/Forums/en-US/winserversetup/thread/d922860b-c8cd-4ed5-9b0b-05391c18afc0

    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Friday, May 17, 2013 6:44 AM
  • Hi, thanks for your reply. I read the post on the link you provided before I posted here. The post recommended doing the following four steps, but I was not able to back up the CA since it cannot be started. I can just uninstall it and demote the DC, but I don't want to see any unexpected things happen.

    1. Backup the CA.

    2. Uninstall CA.

    3. Demote the DC.

    4. Install the CA from backup.

    Friday, May 17, 2013 3:19 PM