A little error thats causing me a nightmare. I currently admin a domain with 2 domain controllers. Once of the domain controllers was also the exchange server (Wasn't me who installed this and I know it shouldn't be setup like this). Anyway I have migrated the exchange to a new server with exchange 2010 (old one was exchange 2003) and windows 2008 r2. I then removed Exchange 2003 entirely from the domain contoller. I have now created a new domain controller so I have 3 domain controllers. I'm now ready to remove the old exchange server from being a domain controller. My problem however is when the old exchange box (DC) went wrong we found our whole network grinded to a halt with authenication problem i.e. service account couldn't login so sql server went wrong. So i'm nervous to remove it incase the problems still exist. I looked on the server and the only other thing on the server is certification services which I admit to knowing nothing about. I have spent the last few days reading but am left slightly confused. My question is would certification services cause these type of issues (in domain policy the domain controllers are set to autoenroll) and would removing certifications services correct my issues. My other problem is that i have through kb889250 on removing certification services and when it says to run certutil -key I get a totally different output to the sample in the kb. Mine is more like Microsoft Strong Cryptographic Provider: MSMW AT_SIGNATURE, AT_KEYEXCHANGE 5e72460c-ee10-4a43-8683-4438dad355ea AT_KEYEXCHANGE This continues allong the same sort of detail but looks totally different to what is listed in the kb. Thank you in advance for any one who can help me, Daniel Sutton Network Administrator

Hello, let's start with the DC problems, make sure the DCs you like to keep are also Global catalog server and DNS server and that all machines are configured to use them on the NIC. Please post an unedited ipconfig /all from the 3 DCs and a problem client(if DCExchange is down). Make sure the Global catalog servers are listed in the Exchange MMC, so the Exchange server has recognized them both. You can check this under "Use the EMC to change the recipient scope" in: http://technet.microsoft.com/en-us/library/bb124527.aspx So you had a CA installed in the domain where the CA is not longer accessible and you can't uninstall it correct?Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.