domain.com is the FQDN of your Active Directory infrastructure.
SERVER-01 is the name of the old server being demoted.
SERVER-02 is the new server being brought in.
CA_NAME is the name of your Certificate Authority.
Back up the Certificate Authority using the Certification Authority MMC snap-in; include both the private key and CA certificate and the certificate database and log, since the CA keys are deleted from this server below.
Back up the following registry key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA_NAME].
Delete the CA cryptographic keys (See KB article )
Type "certutil -shutdown" to stop Certificate Services.
Type "certutil -key" to list the cryptographic key containers installed on the server.
Type "certutil -delkey CA_NAME" to delete the CA key (the key container is normally named after the CA; confirm the name in the listing from the previous command before deleting).
The Certificate Services component can now safely be removed.
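The backup, registry export and key removal above can be scripted so that the key is never deleted unless the backup is verifiably on disk. The following is an added example, not part of this article; it uses certutil's -backup switch as the command-line equivalent of the MMC backup wizard, and the backup folder and password prompt are assumptions (CA_NAME is the article's placeholder):

```powershell
# Added example (not from the KB article): back up the CA and its registry
# configuration, verify the backup, and only then stop the service and list
# the key containers. $BackupDir and the password prompt are assumptions.
$CaName    = 'CA_NAME'
$BackupDir = 'C:\CABackup'
$Secure    = Read-Host -Prompt 'Password to protect the exported CA key' -AsSecureString
$KeyPass   = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
               [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure))

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Full CA backup: CA certificate + private key (PKCS#12) and the database/logs.
# This is the command-line form of "Back up CA" in the Certification Authority MMC.
certutil -p $KeyPass -backup $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# The registry key the article says to back up.
$RegKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
reg export $RegKey "$BackupDir\CertSvc-Configuration.reg" /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# Refuse to continue unless the key material and the database are actually present.
$p12 = Get-ChildItem -Path $BackupDir -Filter '*.p12' -ErrorAction SilentlyContinue
$edb = Get-ChildItem -Path "$BackupDir\DataBase" -Filter '*.edb' -ErrorAction SilentlyContinue
if (-not $p12 -or -not $edb) {
    throw "Backup in $BackupDir is incomplete; do NOT delete the CA keys"
}
Write-Host "Backup verified: $($p12.Name), $($edb.Name)"

# Same sequence as the article: stop the service, list key containers, then delete.
certutil -shutdown
certutil -key
# certutil -delkey $CaName   # run this only after checking the listing above
```

Keep the exported .p12 and the password off the server being decommissioned; they are all that is needed to impersonate the CA.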
Run dcpromo.exe on SERVER-01 to demote it and remove this DC from Active Directory.
Remove the old computer account from AD.
Once you have restarted, rename the member server so that the old name is free.
Check DNS to confirm that all records pointing to the old DC have been removed; the SRV records under "_tcp.dc._msdcs.domain.com" come to mind.
Promote SERVER-02 to a DC by running dcpromo.exe.
Add the old name as an alternate computer name for the new server (netdom ships with the Support Tools):
C:\Program Files\Support Tools>netdom computername SERVER-02 /add:SERVER-01.domain.com
Once the command has completed, make the new name primary using this command:
C:\Program Files\Support Tools>netdom computername SERVER-02 /makeprimary:SERVER-01.domain.com
I ran into this error:
Unable to make SERVER-01.domain.com the primary name for the computer.
The error is:
The account already exists.
Active Directory already contains a Computer Account or a Server Object with the specified name: SERVER-01.
If these objects are associated with an existing computer in the domain then this name cannot be made primary.
If these objects are not associated with an existing computer, it may have been improperly renamed or removed from the domain. Remove them from Active Directory and retry the make primary operation.
The following tools can be used to locate and remove these objects:
For Computer Account - Active Directory Users and Computers.
For Server Object - Active Directory Sites and Services.
The command failed to complete successfully.
I removed the server account from Sites and Services and it seems to have solved the problem.
Reboot the server.
Remove the alternate name (the new server's original name) using this command:
C:\Program Files\Support Tools>netdom computername SERVER-01 /remove:SERVER-02.domain.com
Make sure you do not have any leftover alternate computer names by typing this:
C:\Program Files\Support Tools>netdom computername SERVER-01 /enumerate
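The "account already exists" failure reported above happens when a computer account, a server object under Sites and Services, or stale DNS records still carry the old name. The following pre-flight check is an added example and not part of this article; it assumes the ActiveDirectory and DnsClient PowerShell modules (from RSAT, which are newer than the Support Tools the article uses) and the article's placeholder names. Run it on the new server before "netdom computername /makeprimary":

```powershell
# Added example (not from the KB article): look for the leftovers that make
# "netdom computername /makeprimary" fail. Assumes RSAT ActiveDirectory and
# DnsClient modules; SERVER-01 and domain.com are the article's placeholders.
$OldName = 'SERVER-01'
$Domain  = 'domain.com'

Import-Module ActiveDirectory
$problems = @()

# 1. Leftover computer account (the object Active Directory Users and Computers shows).
$acct = Get-ADComputer -Filter "Name -eq '$OldName'" -ErrorAction SilentlyContinue
if ($acct) { $problems += "Computer account still exists: $($acct.DistinguishedName)" }

# 2. Leftover server object under CN=Sites in the Configuration partition
#    (the object Active Directory Sites and Services shows).
$configNC = (Get-ADRootDSE).configurationNamingContext
$srvObj = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$OldName))" `
                       -SearchBase "CN=Sites,$configNC" -SearchScope Subtree
if ($srvObj) { $problems += "Server object still exists: $($srvObj.DistinguishedName)" }

# 3. DNS: host record and DC locator SRV records that still point at the old DC.
$aRec = Resolve-DnsName -Name "$OldName.$Domain" -Type A -ErrorAction SilentlyContinue
if ($aRec) { $problems += "A record still resolves: $OldName.$Domain" }

$srvRecs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
foreach ($r in $srvRecs) {
    if ($r.NameTarget -like "$OldName.*") {
        $problems += "SRV record _ldap._tcp.dc._msdcs.$Domain still targets $($r.NameTarget)"
    }
}

if ($problems.Count -gt 0) {
    Write-Warning "Do not run 'netdom computername /makeprimary' yet:"
    $problems | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "No leftover objects or records for $OldName; safe to proceed."
}
```

The A-record and SRV checks query the resolver the machine is configured with; if DNS is AD-integrated with several DCs, allow time for replication or point Resolve-DnsName at each DC with -Server before trusting a clean result.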
Install Certificate Services as explained in KB article .
Restore the CA from the backup taken earlier; the CA must be installed with the same name (CA_NAME) for the restore to succeed.
Import the saved registry key.
If you wish to move the certificate data to another folder you may do so by following the instructions in this KB article ()
Article ID: 555012 - Last Review: Feb 14, 2017 - Revision: 1