DanielKaliel-3171 asked DanielKaliel-3171 answered

Error removing Certificate Authority role

We had a server with Server 2008 R2 on it. It used to be a certificate authority on the domain. We removed this role from the server, restarted a few times and then did an in-place upgrade on this server to 2012 R2. When the server came back online the CA role had returned but shows in a failed state.

We ran sfc /scannow and it reports no issues.

If we try to remove the role with Server Manager or via PowerShell with Remove-WindowsFeature -Name AD-Certificate we get the error:
"A prerequisite check for the AD-Certificate feature failed. 1. The status of the role services on the target machine could not be determined. Please retry. The error is The term 'Get-InternalAdcsConfigurationState' is not recognized as the name of a cmdlet."



windows-server-security

DanielKaliel-3171 answered

We were able to solve it by installing some missing CA role features, not configuring the CA since we don't want it anymore and then removing the role.

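One way to script the fix described in this answer, as an added example that is not the poster's own commands: complete the half-present AD CS role by installing whatever role services Get-WindowsFeature reports as missing, skip the configuration step entirely (so no CA is ever created or published to Active Directory), then remove the whole role. It assumes an elevated PowerShell session on the upgraded Windows Server 2012 R2 box with the ServerManager module available; the thread does not say which role services were missing, so the script reads that list from the server rather than hard-coding it.

```powershell
# Added example (not from the thread): repair a failed AD CS role left behind by an in-place upgrade
# by staging the missing role services WITHOUT configuring them, then removing the whole role.
# Assumes Windows Server 2012 R2, an elevated session, and the ServerManager module.

Import-Module ServerManager

# 1. Inspect the role tree. After an upgrade 'AD-Certificate' can show Installed while its role
#    services and management tools are absent, which is what breaks the removal prerequisite check.
Get-WindowsFeature -Name 'AD-Certificate', 'ADCS-*' |
    Format-Table Name, DisplayName, InstallState -AutoSize

# 2. The prerequisite check calls Get-InternalAdcsConfigurationState (the cmdlet named in the
#    error). If it does not resolve, the AD CS deployment tooling is part of what is missing.
if (-not (Get-Command Get-InternalAdcsConfigurationState -ErrorAction SilentlyContinue)) {
    Write-Warning 'Get-InternalAdcsConfigurationState not found; AD CS tooling is incomplete.'
}

# 3. Stage the role services reported as Available (not yet installed), plus management tools.
#    Install-WindowsFeature only copies binaries; it does NOT run the AD CS configuration wizard,
#    so no CA keys are generated and nothing is published to the directory.
$missing = Get-WindowsFeature -Name 'AD-Certificate', 'ADCS-*' |
    Where-Object { $_.InstallState -eq 'Available' } |
    Select-Object -ExpandProperty Name

if ($missing) {
    Install-WindowsFeature -Name $missing -IncludeManagementTools
}

# 4. Deliberately skip Install-AdcsCertificationAuthority: the role is completed only so that
#    the removal prerequisite check can run, never to stand up a CA.

# 5. Remove the whole role including its management tools; reboot if the result asks for it.
$result = Remove-WindowsFeature -Name AD-Certificate -IncludeManagementTools
$result | Format-List Success, RestartNeeded, FeatureResult
if ($result.RestartNeeded -eq 'Yes') { Restart-Computer -Confirm }

# 6. Confirm nothing AD CS-related is still installed (an empty result is the expected outcome).
Get-WindowsFeature -Name 'AD-Certificate', 'ADCS-*' |
    Where-Object { $_.InstallState -eq 'Installed' }
```

If step 1 shows any feature in the Removed state (payload stripped from the image), Install-WindowsFeature needs a -Source pointing at install media before step 3 will succeed; the filter on Available keeps the script from attempting that silently.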

DSPatrick answered DanielKaliel-3171 converted comment to answer

In-place upgrades are risky and never recommended because of (among other things) corruption carry-forward. The cleaner, much simpler method is to stand up a new one as a replacement.


I'd use the dcdiag / repadmin tools to verify health, correcting all errors found, before starting any operations. Then stand up the new 2019, patch it fully, license it, join the existing domain, add Active Directory Domain Services, promote it (also making it a GC, recommended), transfer the FSMO roles over (optional), transfer the PDC emulator role (optional), use the dcdiag / repadmin tools to again verify health, and when all is good you can decommission / demote the old one.

Then at some point afterwards (if not already done) I'd recommend migrating SYSVOL replication from the older FRS technology to DFSR:
https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405

--please don't forget to Accept as answer if the reply is helpful--






First, budget constraints prevent the standing up of a new server. But more than that, this server is not to be a domain controller or certificate authority, just a member server running a single task until budget constraints are eased so a new server can be stood up.

Given that, dcdiag / repadmin and anything domain controller related are not necessary here. All we are looking to do is clean up the current in-place upgrade and fully remove the CA role from it. The rest of the infrastructure (CAs and domain controllers) is in good health.


"we are looking to do is cleanup the current in-place upgrade"

From what you have described it doesn't look to be possible. Another option is to start a case here with product support.
https://support.serviceshub.microsoft.com/supportforbusiness

--please don't forget to Accept as answer if the reply is helpful--


VickyWang-MFST answered DanielKaliel-3171 commented

Hi,


If you have already installed the Active Directory Certificate Services (AD CS) before promoting the computer to a Domain Controller, you will have to remove the Certificate Services role first, and then add the AD DS role again.


If the Certificate Service was removed, no certificate can be issued and certificate revocation lists (CRLs) cannot be published.


I would suggest you first follow the steps in this KB article to move a certification authority to another server, then remove the AD CS role and promote the computer to a Domain Controller:


https://support.microsoft.com/en-us/kb/298138


Hope this helps.



Regards,
Vicky


That's not what we were looking to do. As I described we had already removed the CA role from this server and it came back after an in-place upgrade of the server. We solved the issue by adding missing CA components, not configuring the CA, and then removing the role again.
