IAS and CA on 2003 DC - Migrate to 2008 or demote DC?

Question
-
I'm looking at a setup where there is one remaining 2003 Domain controller. It has the CA role and IAS role. It is configured to authenticate Wireless and VPN. We want to retire this domain controller and upgrade the domain functional level to 2008. With that I have a few questions.
1. If I were to just demote the server would the IAS and CA functionality still work? Would it work if the domain functional level was raised?
2. If I could just demote and everything would still work is that a bad idea? Should I just migrate all of the roles to a new 2008 Server?
3. If I migrate everything to a 2008 Server it does not need to be a DC, correct? If possible I want to see what options are available.
thank you,
Wednesday, April 24, 2013 4:56 PM
Answers
-
First, you can't demote a DC with Exchange or CA on it. One of the caveats of using a DC for other purposes. Read the comments on it in the following threads:
TechNet: "Certificate Services, install on domain controller?" 09/06/2010
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/66cd9712-b44a-406b-b77f-07ee945bf80f
Quoted by Paul Adare, MVP: Security, in the thread above:
"Installing any additional role on a domain controller is not good from a
strict security perspective in that you want to try to minimize the attack
surface on your DCs. With AD CS you have another problem in that you cannot
remove Active Directory (in the event you want to decommission a DC for
example) without first removing AD CS from that DC."
TechNet: "Is there a good reason not to install AD Certificate Services on a 2008 domain controller ?" 09/7/2010
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/ce9df65f-cf58-4c84-a969-3cd67d1c0042
Quoted from Sander Berkouwer, MVP, in the thread above:
"Depending on your Active Directory Certificate Services deployment scenario, you might encounter the following situations:
• After you install a Certificate Authority on a Domain Controller, the Domain Controller can no longer be renamed or demoted.
• Switching to an Enterprise Root Authority (for v3 templates) from a Standard Root Authority requires reinstallation of Windows Server. Reinstallation of Domain Controllers is not to be taken lightly.
• Upgrading the Certificate Authority requires upgrading the Active Directory Domain Controller and thus Active Directory Schema.
• You cannot deploy an offline root Certificate Authority on a Domain Controller (and keep it offline for a period longer than the default AD tombstone lifetime).
• It is unadvisable to deploy an Internet-facing Certificate Authority or Online Responder on a Domain Controller. This is a serious security risk."
The role is fairly easily moved to another server.
Active Directory Certificate Services Migration Guide
Updated: March 6, 2011, Applies To: Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx
Backing up a CA database and private key
Backing up CA registry settings
Backing up CAPolicy.inf
Removing the CA role service from the source server
Removing the source server from the domain
Joining the destination server to the domain
Adding the CA role service to the destination server
Restoring the CA database and configuration on the destination server
Granting permissions on AIA and CDP containers
Additional procedures for failover clustering (optional)
Certificate Services: Performing the Upgrade or Migration - Various migration options, including options for changing the name:
http://technet.microsoft.com/en-us/library/cc742388(WS.10).aspx
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
- Proposed as answer by Meinolf Weber Saturday, April 27, 2013 3:57 PM
- Marked as answer by Jeremy_Wu Monday, April 29, 2013 9:22 AM
Thursday, April 25, 2013 3:37 AM
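As an added example (not code from this thread, nor from Microsoft's migration guide), the following PowerShell script covers the two points raised in the answer above: it first reports whether the roles that tie this box to the DC (AD CS and IAS/NPS) are present, then carries out the three "Backing up" steps of the guide using certutil and reg. It assumes PowerShell is available on the source server (2008 ships with it; 2003 needs PowerShell 1.0 installed), that it is run from an elevated prompt on the CA server, and that $BackupRoot is a hypothetical path chosen for this example.

```powershell
# Added example for this thread; not the migration guide's own code.
# Run elevated on the source CA server. $BackupRoot is a hypothetical path.
$BackupRoot = 'D:\CA-Migration'
$ErrorActionPreference = 'Stop'

# --- Step 0: what on this box still ties it to the DC? ----------------------
# CertSvc = Active Directory Certificate Services, IAS = IAS (2003) / NPS (2008).
foreach ($name in 'CertSvc', 'IAS') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { "{0,-8} present, status: {1}" -f $name, $svc.Status }
    else      { "{0,-8} not installed" -f $name }
}
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
if ($role -ge 4) { 'This machine is still a domain controller' }

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (-not (Test-Path $cfgKey)) {
    'No CA configuration found on this server; nothing to back up.'
    return
}
# The "Active" value names the CA this server hosts
$caName = (Get-ItemProperty -Path $cfgKey).Active
"Backing up CA '$caName' to $BackupRoot"
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# --- Step 1: CA database and private key ------------------------------------
# certutil -backup writes <dir>\DataBase\ plus <dir>\<CA name>.p12 and prompts
# for the password that protects the exported private key.
certutil -backup $BackupRoot

# --- Step 2: CA registry settings (CDP/AIA URLs, validity periods, ...) -----
$regFile = Join-Path $BackupRoot 'CertSvc-Configuration.reg'
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile

# --- Step 3: CAPolicy.inf, if one was used when the CA was installed --------
$policy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $policy) { Copy-Item -Path $policy -Destination $BackupRoot }

# Extra: record the templates this (enterprise) CA issues, so the list can be
# compared with the destination CA after the restore.
certutil -catemplates | Out-File -FilePath (Join-Path $BackupRoot 'templates.txt')

# Show what was collected
Get-ChildItem -Path $BackupRoot -Recurse | Select-Object FullName, Length
```

The .p12 written by step 1 is the CA's signing key, so keep the backup directory on media you control, limit who can read it, and delete the copy once the restore on the destination server has been verified. The exported .reg file carries the old server's name in several values (CAServerName and, typically, the CDP/AIA URLs), so review it before importing it on the destination rather than applying it blindly.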
All replies
-
Thanks Ace, I will review these threads. So once I migrate to another server for CA and IAS > NPS it does NOT need to be a domain controller, correct?
Friday, April 26, 2013 5:06 PM
-
Preferably, no.
You are welcome. Let us know how things turn out.
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
Friday, April 26, 2013 5:53 PM -
Are the steps any different if it's an Enterprise CA?
Friday, April 26, 2013 8:12 PM
-
That's what those links are about.
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
Friday, April 26, 2013 8:46 PM -
Everything went ok,
We decided to demote the DC and keep the CA and IAS on there for now. I will mention that in all the articles I never came across any mention that once you reinstall CA services on a server you will be prompted for the media. This was 2003 server SP2.
Thanks for the info though as it was all I needed.
Monday, May 13, 2013 5:36 PM -
Glad to hear it worked out for you.
And yep, on 2003 and older, you need the installation media. With 2008 and newer, it stores the media in a folder for use later. I used to copy the i386 folder from NT4, 2000 and 2003 on all my servers to avoid having to dig around for the original media anytime I had to make changes. I also updated the i386 folder with the latest service packs anytime I updated the server so it's aligned with the SP level of the machine. The command is, assuming i386 is on the C: drive: in a command prompt, navigate to the service pack files, then run update /s:c:\
You may want to do the same to avoid having to look for the DVD and reapply an SP whenever you make changes.
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
Tuesday, May 14, 2013 1:44 PM