HOWTO: Move a certificate authority to a new server running on a domain controller.

Article ID: 555012
Author: Francis Ouellet MVP

SUMMARY

This document explains in detail the steps required to replace an old Domain Controller that also hosts a Certificate Authority, in the case where there is no direct hardware upgrade path.

Abstract

This whitepaper assumes the reader is familiar with Windows Server 2003 Active Directory services, Certificate Services and backing up registry keys.
 
domain.com is the FQDN of your Active Directory infrastructure. 
SERVER-01 is the name of the old server being demoted. 
SERVER-02 is the new server being brought in.
CA_NAME is the name of your Certificate Authority.

Step One: Prepare the forest.

Raise the Active Directory functional level to Windows Server 2003. Read KB 322692 for more info.
Back up the Certificate Authority using the Certification Authority MMC snap-in (All Tasks, Back up CA), including both the private key and CA certificate and the certificate database. The backup contains the CA private key: anyone holding the backup files and the backup password can issue certificates your forest trusts, so protect them as you would the CA itself.
Back up the following registry key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA_NAME].
Delete the CA cryptographic keys (see KB article 298138); the commands are given in Step Two. Do this only after you have verified that the backup is complete and readable, because once the key is deleted the backup is the only copy.
 

Step Two: Remove the certificate server.

Type the following commands at a command prompt.
Type "certutil -shutdown" to stop Certificate Services.
Type "certutil -key" to list the cryptographic key containers installed on the server; the CA key container is normally named after the CA.
Type "certutil -delkey CA_NAME" to delete the key.
Certificate Services can then safely be removed (Add or Remove Programs, Windows Components).
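Steps One and Two together, as an added example that is not part of the original article: a batch file for SERVER-01 that takes the CA backup from the command line (certutil -backup, the equivalent of the MMC wizard) and exports the registry key, then refuses to run certutil -delkey until the backup files exist and the .p12 opens with the password that was recorded. The backup directory D:\CABackup and the password value are placeholders chosen for this example; the script assumes an elevated command prompt on SERVER-01 with certutil.exe and reg.exe on the path, and that certutil -dump accepts the PFX password through -p.

```batch
@echo off
REM Added example, not part of the original article: Steps One and Two on SERVER-01 in
REM one script that refuses to delete the CA key until the backup has been verified.
REM Assumptions (placeholders for this example): D:\CABackup as the backup directory,
REM BACKUP_PWD as the backup password, elevated command prompt on SERVER-01.
setlocal
set CA=CA_NAME
set BACKUP_DIR=D:\CABackup
set BACKUP_PWD=ChangeMe-Long-Passphrase
set REG_KEY=HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\%CA%

REM 1. Back up the CA certificate and private key plus the database. The .p12 written
REM    here IS the CA private key, so the password and the directory need the same
REM    protection as the CA. The backup needs a fresh, empty directory.
if exist "%BACKUP_DIR%" (
    echo %BACKUP_DIR% already exists. The backup needs a new, empty directory.
    exit /b 1
)
mkdir "%BACKUP_DIR%"
certutil -p %BACKUP_PWD% -backup "%BACKUP_DIR%"
if errorlevel 1 (
    echo CA backup failed. Nothing has been deleted.
    exit /b 1
)

REM 2. Export the CA configuration key next to the backup.
reg export "%REG_KEY%" "%BACKUP_DIR%\%CA%-config.reg"
if errorlevel 1 (
    echo Registry export failed. Nothing has been deleted.
    exit /b 1
)

REM 3. Verify the artifacts before destroying anything: the key file and the database
REM    must exist, and the .p12 must open with the password we intend to keep.
if not exist "%BACKUP_DIR%\%CA%.p12" (
    echo %CA%.p12 is missing from the backup. Aborting before key deletion.
    exit /b 1
)
if not exist "%BACKUP_DIR%\DataBase\%CA%.edb" (
    echo DataBase\%CA%.edb is missing from the backup. Aborting before key deletion.
    exit /b 1
)
certutil -p %BACKUP_PWD% -dump "%BACKUP_DIR%\%CA%.p12" >nul
if errorlevel 1 (
    echo %CA%.p12 cannot be opened with BACKUP_PWD. Aborting before key deletion.
    exit /b 1
)

REM 4. Only now stop the service, show the key containers, and delete the CA key.
certutil -shutdown
certutil -key
certutil -delkey "%CA%"
if errorlevel 1 (
    echo certutil -delkey failed. Check the container name in the certutil -key output.
    exit /b 1
)
echo Key deleted. Copy %BACKUP_DIR% off this server to protected storage before
echo removing Certificate Services in Add or Remove Programs.
endlocal
```

Every exit before step 4 leaves the CA intact, so a failed run can simply be repeated with a new directory; the order (back up, export, verify, then shut down and delete) is the point of the script.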

Step Three: Remove the old Domain Controller from the domain.

To keep at least one Global Catalog in your domain, make sure that the server being removed isn't the only one holding this role.
Run dcpromo.exe on SERVER-01 and remove this DC from AD.
Remove the old computer account from AD.
Once the server has restarted, rename the member server so that the SERVER-01 name is free for reuse in Step Four.
Check DNS to see that all records pointing to the old DC have been removed; the SRV records under "_tcp.dc._msdcs.domain.com." (such as _ldap and _kerberos) come to mind.
Promote SERVER-02 to a DC by running dcpromo.exe.
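The two checks Step Three asks for, as an added example that is not part of the original article: run "before" on a remaining DC to confirm that SERVER-01 is not the only Global Catalog (it also lists which operations master roles SERVER-01 holds, since those move during a graceful demotion), and "after" once dcpromo has removed SERVER-01 to find SRV records that still answer with the old name. It assumes domain.com, SERVER-01 and SERVER-02 as in the article and that dsquery, netdom (Support Tools) and nslookup are available on the machine running it.

```batch
@echo off
REM Added example, not part of the original article: checks around the demotion of
REM SERVER-01. "before": is SERVER-01 the only Global Catalog, and which FSMO roles does
REM it hold? "after": which SRV records under domain.com still point at SERVER-01?
REM Assumptions: domain.com / SERVER-01 as in the article; dsquery, netdom and nslookup
REM available on the DC running the script.
setlocal enabledelayedexpansion
set OLD_DC=SERVER-01
set DOMAIN=domain.com

if /i "%1"=="before" goto before
if /i "%1"=="after" goto after
echo Usage: %~nx0 before ^| after
exit /b 2

:before
echo --- Global Catalog servers in the forest ---
dsquery server -forest -isgc
REM Count GC server objects other than the one being removed.
set OTHER_GC=0
for /f %%n in ('dsquery server -forest -isgc ^| find /v /i "%OLD_DC%" ^| find /c /v ""') do set OTHER_GC=%%n
if "%OTHER_GC%"=="0" (
    echo %OLD_DC% is the only Global Catalog. Enable the GC on another DC and let it
    echo finish replicating before you demote %OLD_DC%.
    exit /b 1
)
echo %OTHER_GC% other Global Catalog servers found.
echo --- Operations master roles; any held by %OLD_DC% move during demotion ---
netdom query fsmo
exit /b 0

:after
REM Each name below is an SRV record set clients use to find DCs, KDCs and GCs.
set STALE=0
for %%r in (_ldap._tcp.dc._msdcs.%DOMAIN% _kerberos._tcp.dc._msdcs.%DOMAIN% _ldap._tcp.gc._msdcs.%DOMAIN% _ldap._tcp.%DOMAIN% _kerberos._tcp.%DOMAIN%) do (
    nslookup -type=SRV %%r 2>nul | find /i "%OLD_DC%" >nul
    if not errorlevel 1 (
        echo STALE: %%r still returns %OLD_DC%
        set /a STALE+=1
    )
)
if not "!STALE!"=="0" (
    echo !STALE! stale SRV record sets found. Remove them in the DNS console before
    echo promoting SERVER-02.
    exit /b 1
)
echo No SRV records under %DOMAIN% point at %OLD_DC%.
exit /b 0
```

The "after" check matters for the rename in Step Four: a stale SRV record for SERVER-01 would send clients to the new server for services it does not yet offer, and a stale server object is exactly what made netdom /makeprimary fail for the author.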

Step Four: Rename the computer account.

After installing the Windows Server 2003 Support Tools on SERVER-02, type this command to add a new alternate name (the name must be a FQDN: the host name followed by the primary DNS suffix):
C:\Program Files\Support Tools>netdom computername SERVER-02 /add:SERVER-01.domain.com
Once the command has completed, make the new name primary using this command:
C:\Program Files\Support Tools>netdom computername SERVER-02 /makeprimary:SERVER-01.domain.com
I ran into this error:
 
Unable to make SERVER-01.domain.com the primary name for the computer.
The error is:
The account already exists.
 
Active Directory already contains a Computer Account or a Server Object with the specified name: SERVER-01.
 
If these objects are associated with an existing computer in the domain then this name cannot be made primary.
 
If these objects are not associated with an existing computer, it may have been improperly renamed or removed from the domain. Remove them from Active
Directory and retry the make primary operation.
 
The following tools can be used to locate and remove these objects:
For Computer Account - Active Directory Users and Computers.
For Server Object - Active Directory Sites and Services.
 
The command failed to complete successfully.
 
I removed the server account from Sites and Services and it seems to have solved the problem.
Reboot the server.
Remove the old server name using this command:
C:\Program Files\Support Tools>netdom computername SERVER-01 /remove:SERVER-02.domain.com
Make sure you don't have any "leftover" computer names by typing this:
C:\Program Files\Support Tools>netdom computername SERVER-01 /enumerate
Install Certificate Services as explained in KB article 298138, using the same CA name (CA_NAME) and the existing key from the backup rather than generating a new key pair, so that the CA keeps its identity and can keep signing CRLs for the certificates it has already issued.
Restore the certificate server from the backup taken in Step One.
Import the registry key backed up in Step One, then restart Certificate Services.
If you wish to move the certificate data to another folder you may do so by following the instructions in KB article 283193.
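Step Four as one batch file for SERVER-02, added here as an example and not part of the original article: "rename" runs the two netdom commands and explains the "account already exists" failure the author hit; "cleanup", after the reboot, drops the SERVER-02 name and refuses to continue if /enumerate still lists it; "restore" puts the database and registry configuration back once Certificate Services has been installed with the existing key. It assumes the Support Tools at their default path, the backup from SERVER-01 copied to D:\CABackup (the placeholder used in the earlier example), and a CA installed under the same name CA_NAME.

```batch
@echo off
REM Added example, not part of the original article: Step Four on SERVER-02 with
REM verification between phases. Assumptions: Support Tools at the default path, the
REM SERVER-01 backup copied to D:\CABackup, Certificate Services installed with the
REM "Use an existing key" option (KB 298138) and the same CA name before "restore".
setlocal
set SUPPORT=C:\Program Files\Support Tools
set NEW_HOST=SERVER-02
set OLD_HOST=SERVER-01
set DOMAIN=domain.com
set CA=CA_NAME
set BACKUP_DIR=D:\CABackup

if /i "%1"=="rename" goto rename
if /i "%1"=="cleanup" goto cleanup
if /i "%1"=="restore" goto restore
echo Usage: %~nx0 rename ^| cleanup ^| restore
exit /b 2

:rename
REM Phase 1 (before reboot): add the old DC's FQDN as an alternate name, then promote it.
"%SUPPORT%\netdom" computername %NEW_HOST% /add:%OLD_HOST%.%DOMAIN%
if errorlevel 1 exit /b 1
"%SUPPORT%\netdom" computername %NEW_HOST% /makeprimary:%OLD_HOST%.%DOMAIN%
if errorlevel 1 (
    echo makeprimary failed. If netdom reports that the account already exists, delete the
    echo stale %OLD_HOST% computer account in AD Users and Computers and the %OLD_HOST%
    echo server object in AD Sites and Services, then run "%~nx0 rename" again.
    exit /b 1
)
echo Primary name is now %OLD_HOST%.%DOMAIN%. Reboot, then run "%~nx0 cleanup".
exit /b 0

:cleanup
REM Phase 2 (after reboot): remove the temporary name and make sure nothing is left.
"%SUPPORT%\netdom" computername %OLD_HOST% /remove:%NEW_HOST%.%DOMAIN%
"%SUPPORT%\netdom" computername %OLD_HOST% /enumerate
"%SUPPORT%\netdom" computername %OLD_HOST% /enumerate | find /i "%NEW_HOST%" >nul
if not errorlevel 1 (
    echo %NEW_HOST% is still listed as a computer name. Fix this before installing the CA.
    exit /b 1
)
echo Only %OLD_HOST% names remain. Install Certificate Services now with the existing key
echo from %BACKUP_DIR%\%CA%.p12 and the CA name %CA%, then run "%~nx0 restore".
exit /b 0

:restore
REM Phase 3: database first, then the registry export, then bring the service back.
net stop certsvc
certutil -f -restoreDB "%BACKUP_DIR%"
if errorlevel 1 (
    echo Database restore failed. Certificate Services left stopped.
    exit /b 1
)
REM The export restores CAServerName, DBDirectory and the other values as they were on
REM SERVER-01. The server name now matches because of the rename; if the database paths
REM differ on this machine, follow KB 283193 after this step.
reg import "%BACKUP_DIR%\%CA%-config.reg"
if errorlevel 1 exit /b 1
net start certsvc
certutil -ping
if errorlevel 1 (
    echo Certificate Services is not answering. Check the Application event log.
    exit /b 1
)
certutil -cainfo name
exit /b 0
```

The phases are split by the reboot the procedure requires; the "cleanup" check is the scripted form of the /enumerate step, and "restore" ends with certutil -ping and -cainfo so you see the CA answering under its original name before any client is pointed at it.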

About the author.

The author is a Windows system administrator located in Montreal, Quebec. He can be reached at francis@francisouellet.ca

Properties

Article ID: 555012 - Last Review: November 25, 2005 - Revision: 1.0
APPLIES TO
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
COMMUNITY SOLUTIONS CONTENT DISCLAIMER
MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.
