I am in a situation where I have a corrupt ntds database on a domain controller that also is hosting an Enterprise CA role. I can boot the DC into DSRM and certificate services startup and the enterprise PKI is show a status of OK. I can browse to the web enrolment page, request and receive a certificate. This is not the only DC for the domain and it does not hold any roles for the domain/forest either. Is there any reason why I could not run a dcpromo / forceremoval to rip ADDS out and leave the CA services installed? Thanks. Chris

Hello, it is not recommended to run a CA on a DC for security reasons. If you added a CA on a DC then you can not demote it. For that, you have to backup the CA, uninstall it, force demotion of the DC and then restoring the CA. Details here: http://social.technet.microsoft.com/Forums/en/winserversetup/thread/d922860b-c8cd-4ed5-9b0b-05391c18afc0 Before forcing the demotion of the DC make sure that there is at least one GC that is left. Once you forced demotion of the DC, you have to perform a metadata cleanup and resize FSMO roles if the demoted DC was a FSMO holder. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator