Demoting a Domain Controller with a CA on it

  • Question

  • I inherited this network.  The servers all run 2003 but at the 2000 sp2 functional level.

    I have a domain controller that I wish to demote to a member server.  It hosts our SQL Server backend and there is no reason for it to be a DC.  

    Here's my problem.  The DC in question hosts a Certificate Authority.  We have a small network and don't have much need for certificates.  The only time I've found I use one is when I log onto our firewall; it was shut down for a week and no one missed it.

    Can I just remove the CA, demote the DC, and then reinstall the CA?  I've gathered that it's better for CAs to be on non-DC servers.

    Thanks.
    Wednesday, September 17, 2008 6:06 PM

All replies

  • Hi,

    To demote a Domain Controller hosting a Certificate Authority, you need to perform the following steps:

    1.    Back up the CA.

    2.    Uninstall the CA.

    3.    Demote the DC.

    4.    Install the CA from backup.

    I’ve included the following articles for your reference:

    Back up a certification authority
    http://technet.microsoft.com/en-us/library/cc737405.aspx

    HOWTO: Move a certificate authority to a new server running on a domain controller.
    http://support.microsoft.com/kb/555012

    How to move a certification authority to another server
    http://support.microsoft.com/?id=298138

    Performing the Upgrade or Migration
    http://technet.microsoft.com/en-us/library/cc742388.aspx

    • Marked as answer by Joson Zhou Wednesday, September 24, 2008 6:12 AM
    • Unmarked as answer by JohnDMP Thursday, September 25, 2008 12:47 PM
    • Proposed as answer by Thiago.Pereira Friday, October 30, 2009 4:05 PM
    Friday, September 19, 2008 8:10 AM
  • Thank you.  I backed up my CA with no problem.  One article mentions backing up/restoring the CA configurations.  I'm thinking this might mean registry data.  Is this included in the CA backup or do I need to do an additional backup of the configuration?

    Monday, September 22, 2008 7:47 PM
  • When following this step:
    3. Save the registry settings for this CA. To do this, follow these steps:
    a. Click Start, click Run, type regedit in the Open box, and then click OK.
    b. Locate and then right-click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
    There IS NO such key on my system.
    Tuesday, September 23, 2008 6:48 PM
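The backup half of the four-step procedure in the reply above, together with the CertSvc\Configuration registry export that the KB article quoted in this post refers to, as an added example script that is not from the thread or from Microsoft. It assumes it is run elevated on the CA server itself, that certutil.exe and reg.exe are present, and that `$BackupRoot` and `$Password` are placeholders you replace; it also verifies that the backup folder has the layout the Certification Authority Restore Wizard expects before you uninstall anything.

```powershell
# Added example (not from the thread): back up the CA and its registry
# configuration, then verify the backup before uninstalling the CA or demoting.
param(
    [string]$BackupRoot = 'C:\CABackup',   # placeholder path; pick your own
    [string]$Password   = 'ChangeMe!'      # placeholder; protects the exported .p12
)

$regKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# certutil -backup writes <CAName>.p12 (private key + CA certificate) into
# $BackupRoot and a DataBase\ subfolder holding the .edb database and its logs.
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
certutil -backup -p $Password $BackupRoot
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# The CA configuration (CRL/AIA paths, policy settings, etc.) lives in the
# registry and is not part of what certutil -backup writes, so export it too.
$regFile = Join-Path $BackupRoot 'CertSvc-Configuration.reg'
reg export $regKey $regFile /y
if ($LASTEXITCODE -ne 0) { throw "reg export of $regKey failed with exit code $LASTEXITCODE" }

# Verify the layout the restore wizard looks for: the .p12 in the backup root
# and DataBase\*.edb directly beneath it.
$p12 = Get-ChildItem -Path $BackupRoot -Filter '*.p12'
$edb = Get-ChildItem -Path (Join-Path $BackupRoot 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue

$problems = @()
if (-not $p12)                { $problems += 'no .p12 (private key and CA certificate) in backup root' }
if (-not $edb)                { $problems += 'no DataBase\*.edb (certificate database) under backup root' }
if (-not (Test-Path $regFile)) { $problems += 'registry export of CertSvc\Configuration missing' }

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Backup incomplete; do not uninstall the CA or demote the DC yet.'
}
Write-Host "Backup verified in $BackupRoot. Copy it off this server before demoting."
```

When restoring, point the wizard at the backup root folder (the one containing the .p12 and the DataBase subfolder), not at the DataBase subfolder itself, or it will report that the database files are not there.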
  • D'OH....was looking on the wrong server....should be all set now....
    Tuesday, September 23, 2008 8:44 PM
  • Here's my problem.

    I get all the way to restoring the backup:
    b. Click Next, and then click Private key and CA certificate.
    c. Click Certificate database and certificate database log.
    d. Type the backup folder location, and then click Next.

    I browse to the location where I backed up my database and I am told the files are not there.  I can see the database in win explorer but the restore wizard won't recognize them.

    What's up with that????
    Thursday, September 25, 2008 12:48 PM
  • Hi,

    Please confirm whether you have backed up the Private key and CA certificate and a .p12 file exists in the backup folder.

    Monday, September 29, 2008 9:12 AM
  • Yes, yes, and yes.
    Monday, September 29, 2008 12:24 PM
  • ANYONE have any idea why I can't restore this database?
    Friday, October 3, 2008 2:39 PM
  • I was able to restore the Private Key & CA Certificate but NOT the Certificate database & Database log.

    I still get a warning when I try to access my firewall device via the internet telling me the certificate is not right.
    Friday, October 3, 2008 2:59 PM