dcpromo /forceremoval of a DC with Certificate Services installed
I am in a situation where I have a corrupt ntds database on a domain controller that is also hosting an Enterprise CA role. I can boot the DC into DSRM, Certificate Services starts up, and the Enterprise PKI shows a status of OK. I can browse to the web enrolment page, request and receive a certificate. This is not the only DC for the domain and it does not hold any roles for the domain/forest either. Is there any reason why I could not run a dcpromo /forceremoval to rip ADDS out and leave the CA services installed?
Thanks.
Chris
August 31st, 2011 9:27am
Hello,
It is not recommended to run a CA on a DC for security reasons.
If you added a CA on a DC then you cannot demote it. For that, you have to back up the CA, uninstall it, force demotion of the DC and then restore the CA.
Details here: http://social.technet.microsoft.com/Forums/en/winserversetup/thread/d922860b-c8cd-4ed5-9b0b-05391c18afc0
Before forcing the demotion of the DC, make sure that there is at least one GC left.
Once you have forced demotion of the DC, you have to perform a metadata cleanup and seize FSMO roles if the demoted DC was a FSMO holder.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
August 31st, 2011 3:57pm
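
The "back up the CA" step from the reply above, as an added example that is not part of either post: a PowerShell sketch that takes the backup with `certutil` and stops unless the pieces needed for a later restore are actually on disk. The backup path `D:\CABackup` is an assumption, and the script expects the Certificate Services service to be running.

```powershell
# Added example, not from the thread. $BackupDir is an assumed path;
# use a location that does not live only on the server being demoted.
param([string]$BackupDir = 'D:\CABackup')

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. CA database plus CA certificate and private key.
#    certutil prompts for the password that protects the resulting .p12 file.
certutil -backup $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# 2. CA configuration (CDP/AIA locations, validity settings) is stored in the registry.
$regFile = Join-Path $BackupDir 'CertSvc-Configuration.reg'
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y
if ($LASTEXITCODE -ne 0) { throw "Registry export failed with exit code $LASTEXITCODE" }

# 3. Templates this CA is configured to issue. This queries AD, so it can fail
#    when the directory is unavailable; treat that as a warning, not a stop.
certutil -catemplates > (Join-Path $BackupDir 'catemplates.txt')
if ($LASTEXITCODE -ne 0) { Write-Warning 'Could not list CA templates; record them manually.' }

# 4. CAPolicy.inf, if the CA was installed with one.
$policy = Join-Path $env:windir 'CAPolicy.inf'
if (Test-Path $policy) { Copy-Item $policy $BackupDir -Force }

# 5. Refuse to continue to the uninstall/demotion steps without a complete backup.
$p12 = @(Get-ChildItem -Path $BackupDir -Filter '*.p12' -ErrorAction SilentlyContinue)
$edb = @(Get-ChildItem -Path (Join-Path $BackupDir 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue)
$reg = Get-Item -Path $regFile -ErrorAction SilentlyContinue

$missing = @()
if ($p12.Count -eq 0) { $missing += 'CA certificate and key (.p12)' }
if ($edb.Count -eq 0) { $missing += 'CA database (DataBase\*.edb)' }
if (-not $reg -or $reg.Length -eq 0) { $missing += 'registry export' }

if ($missing.Count -gt 0) {
    throw ("Backup incomplete, do not uninstall the CA yet. Missing: " + ($missing -join '; '))
}
Write-Host "CA backup verified in $BackupDir"
```

The backup folder contains the CA private key, so copy it off the server and restrict access to it in the same way as the CA itself.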