ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Migrate and/or replace old cert server?

    Scheduled Pinned Locked Moved IT Discussion
    121 Posts 13 Posters 19.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      Shuey
      last edited by

      Something I've not been able to verify: Is it safe to demote the DC before backing up and/or migrating the cert services? If so, I'm going to demote it and do the V2V. This will still give me time to chip away at the cert side of this project while also being able to re-purpose the old hardware.

      S 1 Reply Last reply Reply Quote 0
      • S
        Shuey @Shuey
        last edited by

        @Shuey said in Migrate and/or replace old cert server?:

        Something I've not been able to verify: Is it safe to demote the DC before backing up and/or migrating the cert services? If so, I'm going to demote it and do the V2V. This will still give me time to chip away at the cert side of this project while also being able to re-purpose the old hardware.

        Looks like I found my answer to this portion:
        https://social.technet.microsoft.com/Forums/windowsserver/en-US/d922860b-c8cd-4ed5-9b0b-05391c18afc0/demoting-a-domain-controller-with-a-ca-on-it?forum=winserversetup

        1 Reply Last reply Reply Quote 2
        • S
          Shuey
          last edited by

          I've had certificate services stopped and disabled for the last two weeks (in case anyone rebooted the server). I've not seen or heard of any issues, so I wanted to ask again: Do you think it's safe enough now for me to remove the cert services role from the server? Is there anything I might still be missing or haven't thought of?

          JaredBuschJ 1 Reply Last reply Reply Quote 0
          • JaredBuschJ
            JaredBusch @Shuey
            last edited by

            @Shuey said in Migrate and/or replace old cert server?:

            I've had certificate services stopped and disabled for the last two weeks (in case anyone rebooted the server). I've not seen or heard of any issues, so I wanted to ask again: Do you think it's safe enough now for me to remove the cert services role from the server? Is there anything I might still be missing or haven't thought of?

            It is completely safe if you are sure that no other applications are requiring local certs any longer.

            Just make a stand alone backup of the CA, just in case.
            https://technet.microsoft.com/en-us/library/cc725565(v=ws.11).aspx

            S 1 Reply Last reply Reply Quote 4
            • S
              Shuey @JaredBusch
              last edited by

              @JaredBusch Thanks for the reply and info Jared!

              1 Reply Last reply Reply Quote 0
              • S
                Shuey
                last edited by

                Good times... I first followed Microsoft's instructions to revoke any existing certs with a "cease of operation", and then removed the role. Before the reboot, I was prompted with this error:

                0_1478613151101_epic-fail-01.png

                I included in the screenshot the command that I ran, which also gave an error...

                I'm going to reboot the server, but I'm not feeling great about this so far, lol.

                1 Reply Last reply Reply Quote 0
                • DustinB3403D
                  DustinB3403 @Shuey
                  last edited by

                  @Shuey said in Migrate and/or replace old cert server?:

                  @Mike-Davis said in Migrate and/or replace old cert server?:

                  If your sharepoint server is on its own VM, and the only roles on your DC are the cert services, I would build a new DC migrate your FSMO roles over and back up the old DC. Then shutdown the old DC and listen for the screams. If you hear nothing after a week or so power it back up and demote it.

                  If it wasn't a DC, I would do a V2V right now. But I've heard doing a V2V of DCs is horribly frowned upon.

                  Well it's often (and IMPE) way more painful, especially if you do stupid things such as power the DC back on while you are trying to import it to your new hypervisor.

                  It can work so long as you have other DC's that can handle the functions. Just disable the AD services on the DC first, and then V2V (or export) and go from there.

                  1 Reply Last reply Reply Quote 1
                  • S
                    Shuey
                    last edited by

                    So I wasn't able to delete the enrollmentServerURL. I decided to go ahead and move forward with the demotion, but I'm stuck there as well. Every time I try to complete the process, it fails with this:
                    0_1478626014642_epic-fail-02.png

                    I verified in ADUC and ADSS that NONE of my servers have the "protect this object from accidental deletion" checked, and I've tried rebooting the server again, but the process continues to fail. I've tried it with and without the "Remove DNS Delegation" option, but it continues to fail...

                    Am I going to have to do a forced demotion?....

                    1 Reply Last reply Reply Quote 0
                    • momurdaM
                      momurda
                      last edited by

                      Your domain admin credentials might not have full permissions to do that operation, depending on configuration. How long has the domain existed?

                      S 1 Reply Last reply Reply Quote 0
                      • S
                        Shuey @momurda
                        last edited by

                        @momurda said in Migrate and/or replace old cert server?:

                        Your domain admin credentials might not have full permissions to do that operation, depending on configuration. How long has the domain existed?

                        The domain has existed since before I started working here over 4 years ago. It's also changed a lot though in the time I've been here. "ADMIN-SERVER" is the ONLY domain controller from the original domain that was built before I started here.

                        1 Reply Last reply Reply Quote 0
                        • momurdaM
                          momurda
                          last edited by

                          You might want to check your domain admin user rights on some ad containers and see if you have the power.
                          I think user needs Trusted for Delegation right on that user.

                          Also, on that failed ca removal, i dont think you need quotes around the url, as it is a url and no spaces are allowed.

                          S 1 Reply Last reply Reply Quote 0
                          • S
                            Shuey @momurda
                            last edited by

                            @momurda said in Migrate and/or replace old cert server?:

                            You might want to check your domain admin user rights on some ad containers and see if you have the power.
                            I think user needs Trusted for Delegation right on that user.

                            Also, on that failed ca removal, i dont think you need quotes around the url, as it is a url and no spaces are allowed.

                            I tried the URL with and without quotes; same failure message both times 😞

                            The account I'm currently using to attempt the demotion is the same account I've used everywhere in the domain. In the 4+ years I've been here, I've built 5 other domain controllers, I've demoted domain controllers, I've transferred FSMO roles - I've never had permissions issues with any of those tasks with this same account I'm using now 😕

                            1 Reply Last reply Reply Quote 0
                            • momurdaM
                              momurda
                              last edited by

                              Is the CA service running when you run that CA url removal command? you might need to fix the CA removal problem before you can demote.

                              S 1 Reply Last reply Reply Quote 0
                              • S
                                Shuey @momurda
                                last edited by

                                @momurda said in Migrate and/or replace old cert server?:

                                Is the CA service running when you run that CA url removal command? you might need to fix the CA removal problem before you can demote.

                                The CA service was running when I ran through the removal of cert services, but at the very end of the removal process, it threw that error. Since cert services have now been removed, the service no longer exists :-S...

                                1 Reply Last reply Reply Quote 0
                                • S
                                  Shuey
                                  last edited by

                                  What the junk O_o!?.... this guy said in this post that I "need to move Sharepoint to another server first. The problem is that SQL Server, when installed on a DC, then uses that DC and that DC only for authentication purposes."

                                  If that's true, I wish I had known that from the beginning, lol.

                                  1 Reply Last reply Reply Quote 0
                                  • IRJI
                                    IRJ
                                    last edited by

                                    I figured somebody would have yelled at you for running anything else on a DC already in 6 pages of replies.

                                    I would build a new 2012 R2 DC, then transfer all roles then demote your old DC. I would just keep sharepoint on the old DC and call it a day.

                                    S 1 Reply Last reply Reply Quote 0
                                    • S
                                      Shuey @IRJ
                                      last edited by

                                      @IRJ said in Migrate and/or replace old cert server?:

                                      I figured somebody would have yelled at you for running anything else on a DC already in 6 pages of replies.

                                      I would build a new 2012 R2 DC, then transfer all roles then demote your old DC. I would just keep sharepoint on the old DC and call it a day.

                                      We already have 5 other DC's. This last DC that I wanted to demote and remove cert services from is the last DC left in the original forest/domain that the admin before me built. I'm pretty much going to have to spend the next several weeks learning how to setup Sharepoint and migrate our existing server/data to a new member server. And trust me, I know it's stupid to run all that stuff on a DC, but I didn't set it up :-S

                                      IRJI 1 Reply Last reply Reply Quote 0
                                      • IRJI
                                        IRJ @Shuey
                                        last edited by

                                        @Shuey said in Migrate and/or replace old cert server?:

                                        @IRJ said in Migrate and/or replace old cert server?:

                                        I figured somebody would have yelled at you for running anything else on a DC already in 6 pages of replies.

                                        I would build a new 2012 R2 DC, then transfer all roles then demote your old DC. I would just keep sharepoint on the old DC and call it a day.

                                        We already have 5 other DC's. This last DC that I wanted to demote and remove cert services from is the last DC left in the original forest/domain that the admin before me built. I'm pretty much going to have to spend the next several weeks learning how to setup Sharepoint and migrate our existing server/data to a new member server. And trust me, I know it's stupid to run all that stuff on a DC, but I didn't set it up :-S

                                        Sorry, I didn't read everything 😞

                                        1 Reply Last reply Reply Quote 0
                                        • 1
                                        • 2
                                        • 3
                                        • 4
                                        • 5
                                        • 6
                                        • 7
                                        • 4 / 7
                                        • First post
                                          Last post