locked
DCPROMO a CA failure RRS feed

  • Question

  • Hi, 

    I have a certificate authority installed but now I want to promote this server to a domain controller, however when i dcpromo it tells me that I need to remove certifcate services before I can dcpromo? I know its possible to have both on the same server so why does it insist I need to remove the CA before I can promote a DC?

    Thanks

    Geraint

    Wednesday, November 26, 2014 1:54 PM

Answers

  • It is against recommended practices to install the AD-DS role and the AD-CS role on the same machine. For security reasons (segregation of administration) and for manageability (what happen if you want to update your domain to the next version, you will have to decommission your DC but you can't either if there is a CA installed). Just don't go that way and keep them on 2 different hosts. If there is too much cost associated to this option, maybe look at the virtualization option (even though this one can also turn out quite expensive).

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Proposed as answer by Frank Shen5 Friday, November 28, 2014 3:02 AM
    • Marked as answer by Frank Shen5 Monday, December 8, 2014 1:41 AM
    Wednesday, November 26, 2014 3:03 PM

All replies

  • It is against recommended practices to install the AD-DS role and the AD-CS role on the same machine. For security reasons (segregation of administration) and for manageability (what happen if you want to update your domain to the next version, you will have to decommission your DC but you can't either if there is a CA installed). Just don't go that way and keep them on 2 different hosts. If there is too much cost associated to this option, maybe look at the virtualization option (even though this one can also turn out quite expensive).

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Proposed as answer by Frank Shen5 Friday, November 28, 2014 3:02 AM
    • Marked as answer by Frank Shen5 Monday, December 8, 2014 1:41 AM
    Wednesday, November 26, 2014 3:03 PM
  • Hi Geraint,

    Pierre is right. For both promoting a CA server to a DC or demote a DC with CA service role, we need to uninstall the CA role first. If you need further help regarding the question, please don't hesitate to let us know.

    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Best regards,

    Frank Shen

    Friday, November 28, 2014 3:08 AM