Splitting a DC/CA/F&P server
I have a W2k3 Server with multiple roles installed, and I would like to split this into multiple virtual machines. It is currently a production domain controller, a file and print server, DNS/WINS, has Active Directory and is a cert authority. I would like to remove AD DS, DNS, and the cert authority; to do that I have to start at the bottom with transferring the CA. To do that, however, I have to install it on a VM with the same name as the source server and remove the source server from the domain. As this server hosts our redirected folders and handles all the printing, what would be the best path for me to take?
September 18th, 2012 1:36pm

Depending on how large and complex your organization is, you may consider building a new Enterprise CA on a new server and decommissioning the old CA at some point in the future. To do so, you would build a new Enterprise CA on a new server, stop your existing CA from issuing new certificates, and re-issue all certificates from the new CA. If this procedure is too difficult or you have too many issued certificates to do this efficiently, then I would recommend moving the CA last (or not at all). Transferring Active Directory and DNS is the least painful step - build a new Domain Controller with DNS installed, change all your clients to use it for DNS, then remove the existing server as a Domain Controller (it will become a member server in the domain). I personally would then transfer file & print services to a new server, leaving the CA to tackle last - unless you are in a small environment, in which case I would do it second in the order.
September 18th, 2012 5:54pm

Hello, first I would like to mention that even Microsoft does NOT recommend a CA on a DC. In your case, first install an additional DC/DNS/GC in the domain and transfer the FSMO roles to it after replication has completed. Then use a domain member server as the new CA: http://technet.microsoft.com/en-us/library/cc755153(v=ws.10).aspx http://support.microsoft.com/kb/298138 File/Print can be on a third domain member server. A fourth one is recommended as a second DC/DNS/GC, if possible on a different machine so that two DCs do not run on the same host; otherwise you keep the old machine as DC/DNS/GC. So in your case at least Windows Server 2008 R2 Enterprise edition is an option, as this allows up to 4 VMs on a host running ONLY the Hyper-V role or other Microsoft-approved hypervisor software. Windows Server 2012 Standard allows up to 2 VMs and Datacenter edition unlimited VMs.

Best regards
Meinolf Weber MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
September 19th, 2012 2:58am

It's my understanding that to remove AD from the server I must first remove CS. At least that's what it tells me when I run DCpromo. I could forcefully remove AD from it though, couldn't I?
September 19th, 2012 8:19am

This is what my current plan looks like; thanks for confirming it for me. I currently have another DC which holds all the FSMO roles; my biggest concern was what I might break by removing the CA from the source server.
September 19th, 2012 8:25am

Actually you are correct - you must remove the Certificate Authority before demoting the Domain Controller. I personally run my CAs on standalone member servers, so I haven't encountered this issue in some time. So, I concur with Meinolf's suggested migration path.
September 19th, 2012 12:57pm
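The following pre-flight script is an added example and is not code posted by anyone in this thread. It strings together the order the first two answers give (new DC/DNS/GC first, FSMO roles moved and replication confirmed, CA handled separately on a member server) and the point made in the last reply that AD CS must be uninstalled before dcpromo will demote the old server. Server names OLDSRV and NEWDC01, the backup folder C:\CABackup, and the check that treats repadmin output with no "failed" attempt as healthy are all assumptions; the ActiveDirectory module (RSAT on 2008 R2 or later) is needed on the machine running it, and the certutil/reg backup step has to run on the old CA itself.

```powershell
<#
  Added example (not from the thread). Pre-flight for splitting a DC/CA/F&P box:
  1. every FSMO role is off the old server (transfer, not seize, while it is online)
  2. replication to the new DC is clean
  3. a restorable backup of the CA exists before the role is removed
  4. AD CS is really gone before dcpromo is run on the old server
  Assumed names: OLDSRV (old 2003 server), NEWDC01 (new DC), C:\CABackup.
#>
param(
    [string]$OldServer  = 'OLDSRV',        # assumed name
    [string]$NewDc      = 'NEWDC01',       # assumed name
    [string]$BackupPath = 'C:\CABackup'    # assumed path, local to the old CA
)
Import-Module ActiveDirectory

# 1. Where the five roles live now. Domain roles come from Get-ADDomain,
#    forest roles from Get-ADForest; values are the holders' FQDNs.
function Get-FsmoHolders {
    $d = Get-ADDomain; $f = Get-ADForest
    [ordered]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}
function Test-NoFsmoOnServer([string]$Server) {
    $stale = (Get-FsmoHolders).GetEnumerator() |
             Where-Object { $_.Value -like "$Server.*" -or $_.Value -eq $Server }
    foreach ($r in $stale) { Write-Warning "$($r.Key) is still held by $Server" }
    return (-not $stale)
}
# Graceful transfer of all five roles; only valid while the old DC is still reachable.
function Move-AllFsmoTo([string]$Target) {
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -Confirm:$false -OperationMasterRole `
        PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster
}

# 2. Replication seen from the new DC. /errorsonly lists only partners with problems;
#    assumption: any line mentioning a failed attempt means "not healthy".
function Test-ReplicationHealthy([string]$Dc) {
    $out = & repadmin.exe /showrepl $Dc /errorsonly
    return (-not ($out -match 'failed'))
}

# 3. Run ON the old CA before uninstalling the role. certutil -backup writes the
#    database, its logs and a PFX of the CA certificate/key; the registry export
#    keeps the CA configuration (CRL periods, CDP/AIA URLs, template list).
#    issued.txt records every certificate with Disposition 20 (issued) so you know
#    what a new CA would have to re-issue if you go the rebuild route instead.
function Backup-CertificateAuthority([string]$Path) {
    New-Item -ItemType Directory -Force -Path $Path | Out-Null
    & certutil.exe -backup $Path
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$Path\CertSvc-Configuration.reg" /y
    & certutil.exe -catemplates | Out-File "$Path\templates.txt"
    & certutil.exe -view -restrict 'Disposition=20' -out 'RequestID,CommonName,NotAfter' | Out-File "$Path\issued.txt"
    Get-ChildItem $Path
}

# 4. dcpromo refuses to demote while AD CS is installed. Check the service on the
#    old box and the pKIEnrollmentService objects in the configuration partition,
#    which must no longer point at the old server once the CA is uninstalled there.
function Test-CertSvcRemoved([string]$Server) {
    $svc = Get-Service -ComputerName $Server -Name CertSvc -ErrorAction SilentlyContinue
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $published = Get-ADObject -Filter 'objectClass -eq "pKIEnrollmentService"' `
        -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg" -Properties dNSHostName |
        Where-Object { $_.dNSHostName -like "$Server.*" }
    if ($svc)       { Write-Warning "CertSvc is still installed on $Server" }
    if ($published) { Write-Warning "AD still publishes an Enterprise CA on $Server" }
    return (-not $svc -and -not $published)
}

# Order from the thread: roles off the old DC, replication clean, CA backed up
# (Backup-CertificateAuthority, run locally on the old server), CA uninstalled,
# and only then dcpromo.
if (-not (Test-NoFsmoOnServer $OldServer)) { Move-AllFsmoTo $NewDc }
if (-not (Test-ReplicationHealthy $NewDc)) { throw "Fix replication before demoting $OldServer" }
if (-not (Test-CertSvcRemoved $OldServer)) { throw "Remove AD CS from $OldServer before running dcpromo" }
"Pre-flight passed: $OldServer can be demoted"
```

Keep the CA backup folder (especially the PFX) off the old server and restrict access to it: whoever can read it can mint certificates trusted by the whole domain. If you rebuild rather than restore the CA, the issued.txt list is also what you use to schedule re-issuance before the old CA's CRL stops being published.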

