Moving from 2003 to 2012 - AD DCPromo demotion certificate services question

Hello; I'm moving a network from 2003 to 2012. I have a 2003 AD (the only domain controller) WITH MICROSOFT EXCHANGE and WEB SITES running on it. I've set up a 2012 R2 domain controller, added it to the domain, and moved all the roles (according to netdom query fsmo results).

Now, I'm trying to demote the 2003 domain controller (but it must remain running until I can get the web sites and Exchange moved off first) down to a member server. So I run DCPROMO, and I get the "you can't do that until you remove Certification Authority" error.

So I'm at this point, and I have some questions:

If I leave this as is, with the CA services running on the 2003 server (which is still a domain controller), but the roles all running on the 2012 server, will it operate until I can get the Exchange and web sites off?

Also, if I move the CA to the new 2012 domain controller, but that controller does not have any external access (the Exchange and web sites are being moved to a third machine, and the DC won't do our external DNS), will that affect authentication for mobile devices to the Exchange server, if that server can still talk (internally) to the new CA?

Finally, since both servers HAVE TO BE RUNNING at the same time, do I migrate the CA from the old server to the new server, or do a backup of the old server, or do I just remove the CA from the old server and set up a new CA on the new server? And how does that affect the web sites and Exchange?

Thanks



May 29th, 2015 3:57pm
