RobertWickberg-8404 asked:

decommissioning a 2003 AD server

I'm updating a rather old AD infrastructure; there is one 2003 server left, and I want to decommission it. DCpromo says I can't remove AD until I remove certificate services first. Cert services is running on this machine and one other, a 2008 R2 server, and each shows a different certificate authority name. I checked the certificates issued on both machines; the latter one seems to have issued most of them lately. Only domain controllers seem to have requested certificates, ever. This 2003 server only shows 4 certs that haven't expired by now, three with the template Computer (Machine) and one with the template Domain Controller (DomainController).

So, are there any ramifications if I just uninstall the certificate services on this old machine? If so, is there a way to get the 4 domain controllers with currently active certificates from this old CA to get certs from the new CA instead, and is that enough, prior to uninstalling cert services, so I can uninstall AD?

windows-server-security

FanFan-MSFT answered:

Hi,
Welcome to ask here!
As you mentioned above, if the DC (let's call it the old DC) is also acting as the ADCS server, we need to uninstall the CS role first, and then demote it.

For the CA ROLE, let's consider the following situations:

1, First, we must make sure whether the certs issued by the server are useful or not.
If you don't need the certs anymore, we may just revoke them and decommission the CA server.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects

If you still need the certs, we need to migrate the CA server to another server.
Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

If you can't make sure whether the 4 certs are useful or not, we can consider using another CA server to issue certs to replace those issued by the old DC. This way, we don't need an additional server for migration.

Check if the other CA has the same templates as the old DC.
If not, we can try to customize the templates on the other CA and issue the certs.

For the DC role, we need to make sure there is more than one DC working well in the domain; then we can demote this one.

Note: Remember to back up the DCs before the changes.


Feel free to let me know if you have any questions about the information provided.

Best Regards,


The CA on the 2008 R2 server does have the same templates as the one on 2003 I'm decommissioning. How would I get the clients to request new certificates from the new server?

I'm not worried about removing AD on this server; there are two other DCs that are also GC servers, and none of the FSMO roles are on this server. This server isn't needed in the global scheme of AD, I just don't know what can happen when I remove CA services.


Hi,

Following advice for your reference:
1, Duplicate the templates with a different name, and issue the template on the 2008 CA server.
2, Request the certs from the DCs. (Or configure auto-enroll on the DCs for these 4 templates you mentioned above.)
If the certs are successfully installed on the DCs, you can revoke the old ones and decommission the 2003 CA server.

Best Regards,

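The two steps FanFan describes, checking each DC for certificates that still chain to the old CA, triggering enrollment against the remaining CA, and confirming the replacement before anything is revoked, as an added example (this is not code from the thread or from Microsoft). The CA common names, DC hostnames and WinRM availability are assumptions; `certutil -pulse` only triggers autoenrollment for templates the DC already has autoenroll permission on, so the fallback `certreq -enroll` line is for a manual machine request.

```powershell
# Added example (not from the thread): inventory certs issued by the old 2003 CA on each DC,
# trigger enrollment against the remaining CA, and report whether the DC is safe to move on.
# Placeholders: old CA CN 'OLD-2003-CA', new CA CN 'NEW-2008R2-CA', DC names below.
$OldCA = 'OLD-2003-CA'
$NewCA = 'NEW-2008R2-CA'
$DCs   = 'dc01', 'dc02', 'dc03', 'dc04'

$report = Invoke-Command -ComputerName $DCs -ArgumentList $OldCA, $NewCA -ScriptBlock {
    param($OldCA, $NewCA)
    $templateOid = '1.3.6.1.4.1.311.20.2'   # v1 "Certificate Template Name" extension

    function Get-TemplateName($cert) {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
        if ($ext) { $ext.Format($false) } else { '(none)' }
    }

    # Unexpired machine certs whose issuer is the old CA
    $fromOld = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "CN=$OldCA*" -and $_.NotAfter -gt (Get-Date) }

    if ($fromOld) {
        # Kick the autoenrollment engine now instead of waiting for the next GP refresh;
        # with the templates published only on the new CA, the request lands there.
        certutil -pulse | Out-Null
        # Manual fallback for a template that is not set to autoenroll (hypothetical use):
        #   certreq -enroll -machine -q Machine
        Start-Sleep -Seconds 30
    }

    $fromNew = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "CN=$NewCA*" -and $_.NotAfter -gt (Get-Date) }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        OldCACerts  = ($fromOld | ForEach-Object { "$(Get-TemplateName $_) $($_.Thumbprint)" }) -join '; '
        NewCACerts  = ($fromNew | ForEach-Object { "$(Get-TemplateName $_) $($_.Thumbprint)" }) -join '; '
        # Only revoke the old cert once the same template exists from the new CA
        SafeToRevoke = [bool]($fromNew | Where-Object {
            $n = Get-TemplateName $_
            $fromOld | Where-Object { (Get-TemplateName $_) -eq $n }
        })
    }
}

$report | Format-Table Computer, SafeToRevoke, OldCACerts, NewCACerts -AutoSize
```

Run it once before touching the old CA to see what still depends on it, and again after enrollment; the old CA should not be stopped until every DC reports SafeToRevoke as True.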

How do you tell the DC to request a cert? Doesn't it just do that automatically when some role it's fulfilling requires one?


DSPatrick answered:

You can follow along here.
https://docs.microsoft.com/en-US/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects

--please don't forget to upvote and Accept as answer if the reply is helpful--


DSPatrick answered:

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--

Well, the article you cite says it's for Server 2012 R2. Starting in 2008, CS is integrated into AD; it's not in 2003, so things are a little different. Also, I still don't know how to tell if the unexpired certs are needed or not, so I'm starting to look at FanFan's advice, recreating them on the other CA.

If I use this CA to revoke the certificates using the instructions in the article you cite, would the servers that requested those certs see that their certs were revoked and ask for new ones? In that case, how do I make sure they request new certs from the other CA? If I stop this CA, how would the 4 servers affected see the CRLs that tell them their cert is revoked? If I don't down it, can the servers just request another cert from the same server I'm trying to decommission?