Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

HOWTO: Move a certificate authority to a new server running on a domain controller.


Author: Francis Ouellet MVP


Summary

This document explains in detail the steps required to replace an old domain controller that also hosts a certificate authority, in the case where there is no direct hardware upgrade path.



Abstract

This whitepaper assumes the reader is familiar with Windows Server 2003 Active Directory, Certificate Services and backing up registry keys.

domain.com is the FQDN of your Active Directory infrastructure.
SERVER-01 is the name of the old server being demoted.
SERVER-02 is the new server being brought in.
CA_NAME is the name of your Certificate Authority.



Step one: prepare the forest.

Raise the Active Directory domain functional level to Windows Server 2003; renaming a domain controller with netdom (step four) requires it. Read KB 322692 for more info.
Back up the Certificate Authority using the Certification Authority MMC snap-in (Backup CA, including the private key and CA certificate and the certificate database).
Back up the following registry key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA_NAME].
Delete the CA cryptographic keys (see KB article 298138; the commands are given in step two). Do this only after the backups above have been verified: once the key container is deleted, the backup is the only remaining copy of the CA's private key.



Step two: remove the certificate server.

Open a command prompt and run the following commands.
Run certutil -shutdown to stop Certificate Services.
Run certutil -key to list the cryptographic key containers installed on the server.
Run certutil -delkey CA_NAME to delete the CA's key container.
The certificate service can then safely be removed.
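The following script is an added example, not part of the original article, that performs steps one and two as one scripted sequence: it exports the CertSvc registry key with reg.exe, backs up the CA database and the CA certificate with its private key using certutil -backup (the command-line equivalent of Backup CA in the snap-in), verifies that the backup artefacts exist, and only then stops the service and lists the key containers. The key is deleted only when the -DeleteKey switch is given. It assumes Windows PowerShell is installed on the CA and the session is elevated; CA_NAME, the backup folder C:\CABackup and the password are placeholders.

```powershell
# Added example (not from the original KB article): scripted backup of the CA
# before its key container is removed. Placeholders: CA_NAME, C:\CABackup,
# and the backup password. Requires an elevated session on the CA itself.

param(
    [string]$CaName    = "CA_NAME",                 # placeholder, as in the article
    [string]$BackupDir = "C:\CABackup",             # assumed location
    [string]$Password  = "ChangeMe-BackupPassword", # protects the exported .p12
    [switch]$DeleteKey                              # only delete the key when asked
)

$regDir = Join-Path $BackupDir "Registry"   # reg.exe export goes here
$caDir  = Join-Path $BackupDir "CA"         # certutil needs an empty/new folder
$regKey = "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"

# 1. Registry backup (the key named in step one).
New-Item -ItemType Directory -Path $regDir -Force | Out-Null
reg export $regKey (Join-Path $regDir "CertSvc-$CaName.reg")
if ($LASTEXITCODE -ne 0) { throw "Registry export failed" }

# 2. CA backup: database, logs, and the CA certificate plus private key (.p12).
#    The CA must still be running for this, so it comes before certutil -shutdown.
certutil -p $Password -backup $caDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed" }

# 3. Verify before destroying anything: the .p12 and the database file must exist.
$p12 = Get-ChildItem $caDir -Filter "*.p12" -ErrorAction SilentlyContinue
$db  = Get-ChildItem (Join-Path $caDir "DataBase") -Filter "*.edb" -ErrorAction SilentlyContinue
if (-not $p12 -or -not $db) { throw "Backup incomplete; do not delete the CA key" }
Write-Host "Backup verified: $($p12.Name), $($db.Name)"

# 4. Step two: stop the service, show the key containers, delete only on request.
certutil -shutdown
certutil -key
if ($DeleteKey) {
    certutil -delkey $CaName
} else {
    Write-Host "Re-run with -DeleteKey to remove the key container '$CaName'"
}
```

Copy the whole backup folder off the server before continuing; after -delkey the .p12 in that folder is the only copy of the CA's private key, so it should be stored with the same care as the CA itself.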



Step three: remove the old domain controller from the domain.

So that at least one Global Catalog remains in your domain, make sure the server being removed isn't the only one holding this role.
Run dcpromo.exe on SERVER-01 and remove this DC from AD.
Remove the old computer account from AD.
Once you've restarted, rename the demoted member server so that the name SERVER-01 is free to be reused in step four.
Look at the DNS to see whether all records pointing to the old DC have been removed. _tcp.dc._msdcs.domain.com comes to mind.
Promote SERVER-02 as a DC by running dcpromo.exe.



Step four: rename the computer account.

After installing the Windows Server 2003 Support Tools on SERVER-02, run this command to add the old name as an alternate computer name (the name must be a fully qualified domain name, that is, the host name followed by the primary DNS suffix):
C:\Program Files\Support Tools>netdom computername SERVER-02 /add:SERVER-01.domain.com
Once the command has completed, make the new name primary using this command:
C:\Program Files\Support Tools>netdom computername SERVER-02 /makeprimary:SERVER-01.domain.com
I ran into this error:

Unable to make SERVER-01.domain.com the primary name for the computer.
The error is:
The account already exists.

Active Directory already contains a Computer Account or a Server Object with the specified name: SERVER-01.

If these objects are associated with an existing computer in the domain then this name cannot be made primary.

If these objects are not associated with an existing computer, it may have been improperly renamed or removed from the domain. Remove them from Active
Directory and retry the make primary operation.

The following tools can be used to locate and remove these objects:
For Computer Account - Active Directory Users and Computers.
For Server Object - Active Directory Sites and Services.

The command failed to complete successfully.

I removed the server account from Sites and Services and it seems to have solved the problem.
Reboot the server.
Remove the old server name using this command:
C:\Program Files\Support Tools>netdom computername SERVER-01 /remove:SERVER-02.domain.com
Make sure you don't have any "leftover" computer names by typing this:
C:\Program Files\Support Tools>netdom computername SERVER-01 /enumerate
Install the certificate service as explained in KB article 298138.
Restore the certificate server from the backup taken in step one.
Import the registry key backed up in step one.
If you wish to move the certificate data to another folder you may do so by following the instructions in KB article 283193.
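The checks that steps three and four depend on, as an added example that is not part of the original article: run it on any remaining DC before demoting SERVER-01 (is it the only Global Catalog?), then again on SERVER-02 after the demotion and before netdom /makeprimary, to catch the two things that bite at that point: stale _msdcs SRV records still naming the old DC, and a leftover computer account or server object named SERVER-01 (the cause of the "The account already exists" error quoted above). It assumes Windows PowerShell is available and that dsquery, nslookup and netdom are on the PATH; SERVER-01, SERVER-02 and domain.com are the article's placeholders.

```powershell
# Added example (not from the original KB article): pre-flight checks for
# steps three and four. Placeholders: SERVER-01, SERVER-02, domain.com.
# Exit code is the number of blocking problems found (0 = clear to proceed).

param(
    [string]$OldDc  = "SERVER-01",
    [string]$NewDc  = "SERVER-02",
    [string]$Domain = "domain.com"
)
$problems = 0

# Step three precondition: the server being demoted must not be the only GC.
$gcs = dsquery server -forest -isgc
Write-Host "Global Catalog servers:"
$gcs | ForEach-Object { Write-Host "  $_" }
if (@($gcs).Count -lt 2 -and ($gcs -match $OldDc)) {
    Write-Host "FAIL: $OldDc is the only Global Catalog; enable another GC first"
    $problems++
}

# After demotion: SRV records under _msdcs that still point at the old DC name.
# (Run this before the rename in step four, while SERVER-01 still means the old box.)
foreach ($svc in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
    $srv = nslookup -type=SRV $svc 2>$null | Select-String "svr hostname"
    foreach ($line in $srv) {
        if ($line -match "$OldDc\.$Domain") {
            Write-Host "FAIL: stale record $svc -> $line"
            $problems++
        }
    }
}

# Step four precondition: nothing in AD may still carry the old DC's name,
# otherwise 'netdom computername /makeprimary' fails with 'The account already exists'.
$computer = dsquery computer -name $OldDc
$server   = dsquery server   -name $OldDc
if ($computer) { Write-Host "FAIL: computer account still exists: $computer"; $problems++ }
if ($server)   { Write-Host "FAIL: server object still exists (remove it in Sites and Services): $server"; $problems++ }

# Alternate names currently registered on the new server.
Write-Host "Names registered on ${NewDc}:"
netdom computername $NewDc /enumerate

if ($problems -eq 0) { Write-Host "OK: no blocking conditions found" }
exit $problems
```

The dsquery server check is the one that matters for the error in the article: dcpromo removes the NTDS Settings object but can leave the server object under the site, and dsquery server -name finds exactly that object, which Active Directory Users and Computers does not show.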



About the author.

The author is a Windows system administrator located in Montreal, Quebec; he can be reached at francis@francisouellet.ca



Properties

COMMUNITY SOLUTIONS CONTENT DISCLAIMER
MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.



Keywords: KB555012, kbhowto, kbpubtypewp, kbpubtypecca, kbpubmvp


Article Info
Article ID : 555012
Revision : 1
Created on : 11/25/2005
Published on : 11/25/2005
Exists online : False
Views : 370