Summary
This document explains in detail the steps required to replace a Certificate Authority running on a Domain Controller in the case where there is no direct hardware upgrade path. The new server takes over the old server's name, so the CDP and AIA URLs embedded in certificates already issued keep resolving.
Applies To
This article applies to:
Windows 2003 Standard
Windows 2003 Enterprise
Windows 2008 Standard
Windows 2008 Enterprise
The original article was posted by me as part of the Microsoft Community Solution under KB555012 while I was a Microsoft MVP.
Abstract
This article assumes the reader is familiar with Windows Server 2003/2008, Active Directory services, certificate services and backing up registry keys.
domain.com is the FQDN of your Active Directory infrastructure.
SERVER-01 is the name of the old server being demoted.
SERVER-02 is the new server being brought in.
CA_NAME is the name of your Certificate Authority.
First Step: Raise the Domain/Forest Functional Level
Raise the Active Directory domain functional level (and, if all domains allow it, the forest functional level) to at least Windows Server 2003. The domain functional level is what renaming a DC requires. Read KB322692 for more info.
Back up the Certificate Authority using the MMC, choosing both the private key and CA certificate and the certificate database.
Back up the following registry key: “HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA_NAME”
Delete the CA cryptographic keys (see KB article 298138); the commands are in Step Two. Do not delete anything until you have verified that the backup contains the .p12 file (CA certificate and private key) and the database.
Step Two: Remove the CA
Type the following commands at a command prompt on SERVER-01.
Type “certutil -shutdown” to stop Certificate Services.
Type “certutil -key” to list the cryptographic key containers installed on the server.
Type “certutil -delkey CA_NAME” to delete the CA's key container (use the container name exactly as listed by the previous command).
The certificate service can then safely be removed.
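As an added example (not part of the original article), here are the backup and key-deletion steps of the first two sections as one PowerShell script, with the checks you want before anything destructive happens. It assumes PowerShell 2.0 is installed on the old DC (an add-on on Windows Server 2003), an elevated session with CA-administrator rights, and that the backup path and password shown are placeholders; certutil -backup stands in for the MMC backup and writes the same PKCS#12 file and database copy.

```powershell
# Added example (not from the original article): back up the CA, verify the
# backup, and only then stop the CA and delete its key container.
# Assumptions: PowerShell 2.0 on the old DC, elevated CA-administrator session,
# placeholder backup path and password below.
param(
    [string]$BackupDir = 'C:\CABackup',   # assumed location
    [string]$Password  = 'ChangeMe!',     # protects the exported .p12; use a real one
    [switch]$DeleteKeys                   # nothing is deleted unless this switch is given
)

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (-not (Test-Path $cfgKey)) { throw 'Certificate Services is not installed on this host.' }

# The CA name the article calls CA_NAME is recorded in the "Active" value.
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
Write-Host "Active CA: $caName"
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Same result as the MMC backup: CA certificate + private key (PKCS#12) and the database.
& certutil.exe -f -p $Password -backup $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# 2. Export the CA's configuration subkey (the registry backup from the first step).
$regFile = Join-Path $BackupDir ("CertSvc-" + $caName + ".reg")
if (Test-Path $regFile) { Remove-Item $regFile }   # reg.exe on 2003 has no /y switch
& reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName" $regFile
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# 3. Verify what was written before anything is destroyed.
$p12 = @(Get-ChildItem -Path $BackupDir -Filter *.p12)
$edb = @(Get-ChildItem -Path (Join-Path $BackupDir 'DataBase') -Filter *.edb -ErrorAction SilentlyContinue)
if ($p12.Count -eq 0) { throw 'No .p12 (CA certificate and private key) in the backup directory' }
if ($edb.Count -eq 0) { throw 'No database (.edb) under DataBase in the backup directory' }
if ((Get-Item $regFile).Length -eq 0) { throw 'Registry export is empty' }
# Prove the PKCS#12 opens with the password; a typo here would make the restore impossible.
& certutil.exe -p $Password -dump $p12[0].FullName | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'The backup .p12 cannot be read back with the given password' }
Write-Host "Backup verified: $($p12[0].Name), $($edb.Count) database file(s), $(Split-Path $regFile -Leaf)"

if (-not $DeleteKeys) {
    Write-Host 'Re-run with -DeleteKeys to stop Certificate Services and delete the CA key container.'
    return
}

# 4. Step Two of the article: stop the CA, list key containers, delete the CA's.
& certutil.exe -shutdown
& certutil.exe -key
& certutil.exe -delkey $caName
if ($LASTEXITCODE -ne 0) {
    throw "certutil -delkey '$caName' failed; use the container name shown by certutil -key"
}
```

Copy the backup directory off the server (and test that copy) before running with -DeleteKeys; once the container is gone, the .p12 in the backup is the only copy of the CA's private key.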
Step Three: Remove the old domain controller (DC) from the domain.
Make sure any FSMO roles held by SERVER-01 have been transferred to another DC, and that another global catalog exists, before removing the DC from the domain.
Run dcpromo.exe on SERVER-01 and remove this DC from AD.
Remove the old computer account from AD.
Once you've restarted, rename the server (now a member server).
Check DNS to see that all records pointing to the old DC have been removed (the SRV records under “_tcp.dc._msdcs.domain.com”, such as “_ldap._tcp.dc._msdcs.domain.com”, come to mind).
Promote SERVER-02 as a DC by running dcpromo.exe.
Step Four: Rename the DC's computer account.
After installing the Windows Server 2003 Support Tools on SERVER-02 (on Windows Server 2008, netdom is built in), type in this command to add a new alternate name (the name must be a FQDN, that is, the host name followed by the primary DNS suffix):
C:\Program Files\Support Tools>netdom computername SERVER-02 /add:SERVER-01.domain.com
Once the command has completed, make the new name primary using this command:
C:\Program Files\Support Tools>netdom computername SERVER-02 /makeprimary:SERVER-01.domain.com
I ran into this error:
Unable to make SERVER-01.domain.com the primary name for the computer.
The error is: “The account already exists.”
Active Directory already contains a Computer Account or a Server Object with the specified name: SERVER-01.
If these objects are associated with an existing computer in the domain then this name cannot be made primary.
If these objects are not associated with an existing computer, it may have been improperly renamed or removed from the domain.
Remove them from Active Directory and retry the make primary operation.
The following tools can be used to locate and remove these objects:
For Computer Account – Active Directory Users and Computers.
For Server Object – Active Directory Sites and Services.
The command failed to complete successfully.
I removed the server account from Sites and Services and it seems to have solved the problem.
Reboot the server.
Remove the old server name using this command:
C:\Program Files\Support Tools>netdom computername SERVER-01 /remove:SERVER-02.domain.com
Make sure you don't have any “leftover” computer names by typing this:
C:\Program Files\Support Tools>netdom computername SERVER-01 /enumerate
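As an added example (not from the original article), a PowerShell pre-flight for Step Four: it looks up the two kinds of object the netdom error points at (a computer account for SERVER-01 in the domain partition, and a server object under CN=Sites in the configuration partition), checks whether DNS still advertises the old DC, and only when run with -Rename performs the netdom add and makeprimary commands. It assumes PowerShell 2.0 and netdom (Support Tools on 2003, built in on 2008) on SERVER-02, a session with Domain Admins rights, and the placeholder names used throughout this article.

```powershell
# Added example (not from the original article): find the stale objects behind
# "The account already exists", check DNS for SRV records naming the old DC,
# then (with -Rename) run the netdom steps from Step Four.
# Assumptions: PowerShell 2.0, netdom on PATH, Domain Admins session, placeholder names.
param(
    [string]$CurrentName = 'SERVER-02',   # the new DC as it is named today
    [string]$OldName     = 'SERVER-01',   # the retired DC's name we are taking over
    [string]$DnsDomain   = 'domain.com',
    [switch]$Rename                       # without it, only the checks run
)

function Find-AdObjects([string]$SearchBase, [string]$Filter) {
    # System.DirectoryServices works on 2003/2008 without the AD PowerShell module.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $SearchBase)
    $searcher.Filter = $Filter
    $searcher.SearchScope = 'Subtree'
    @($searcher.FindAll() | ForEach-Object { $_.Path })
}

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNc = [string]$rootDse.defaultNamingContext
$configNc = [string]$rootDse.configurationNamingContext

# Computer account: what the error tells you to check in AD Users and Computers.
$computers = Find-AdObjects $domainNc "(&(objectClass=computer)(sAMAccountName=$OldName`$))"
# Server object (and its NTDS Settings child): what it tells you to check in AD Sites and Services.
$servers   = Find-AdObjects "CN=Sites,$configNc" "(&(objectClass=server)(cn=$OldName))"

# Step Three's DNS check: SRV records that still point at the old DC.
$srv   = & nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$DnsDomain" 2>$null
$stale = @($srv | Where-Object { $_ -match "svr hostname\s*=\s*$OldName\." })

foreach ($dn in $computers) { Write-Warning "Stale computer account: $dn" }
foreach ($dn in $servers)   { Write-Warning "Stale server object: $dn" }
foreach ($line in $stale)   { Write-Warning "DNS still advertises the old DC: $($line.Trim())" }

if ($computers.Count -or $servers.Count) {
    throw 'Remove the objects above (AD Users and Computers / AD Sites and Services) before /makeprimary.'
}
if (-not $Rename) {
    Write-Host 'Checks passed. Re-run with -Rename to add the name and make it primary.'
    return
}

$newFqdn = "$OldName.$DnsDomain"
& netdom.exe computername $CurrentName "/add:$newFqdn"
if ($LASTEXITCODE -ne 0) { throw "netdom /add failed with exit code $LASTEXITCODE" }
& netdom.exe computername $CurrentName "/makeprimary:$newFqdn"
if ($LASTEXITCODE -ne 0) { throw "netdom /makeprimary failed with exit code $LASTEXITCODE" }
Write-Host "Reboot now. Afterwards run: netdom computername $OldName /remove:$CurrentName.$DnsDomain, then /enumerate"
```

On a 2003 DC, “dsquery computer -name SERVER-01” and “dsquery server -name SERVER-01” give the same two answers; the server object is the one the author removed from Sites and Services to clear the error.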
Step Five: Reinstall and restore the CA.
Install the certificate service on the renamed server as explained in KB article 298138, using the same CA name (CA_NAME) and the existing key from the backup.
Restore the certificate server from the backup taken in the first step.
Import the registry key exported in the first step.
If you wish to move the certificate data to another folder you may do so by following the instructions in this KB article.
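As an added example (not from the original article), the restore side as a PowerShell script, with a check that the CA that came back is the one that was backed up. It assumes certificate services have already been installed on the renamed server with the same CA name and the backed-up key, PowerShell 2.0, an elevated CA-administrator session, and a backup directory holding the .p12, the DataBase folder and a “CertSvc-<CA name>.reg” export (the naming used by the backup example earlier in this article; adjust if yours differs).

```powershell
# Added example (not from the original article): restore key, certificate and
# database, re-import the CA's registry subkey, restart and verify.
# Assumptions: CA already reinstalled with the same name, PowerShell 2.0,
# elevated CA-administrator session, placeholder backup path and password.
param(
    [string]$BackupDir = 'C:\CABackup',
    [string]$Password  = 'ChangeMe!'
)

$p12 = @(Get-ChildItem -Path $BackupDir -Filter *.p12)
$reg = @(Get-ChildItem -Path $BackupDir -Filter *.reg)
if ($p12.Count -ne 1 -or $reg.Count -ne 1) { throw "Expected exactly one .p12 and one .reg in $BackupDir" }

# The CA name this backup belongs to, taken from the export file name (assumed convention).
$expectedCa = $reg[0].BaseName -replace '^CertSvc-', ''
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$activeCa = (Get-ItemProperty -Path $cfgKey -Name Active).Active
if ($activeCa -ne $expectedCa) {
    throw "Installed CA is '$activeCa' but the backup is for '$expectedCa'; reinstall with the original name"
}

# The CA must be stopped for the database restore; -f overwrites the empty database of the fresh install.
& certutil.exe -shutdown
& certutil.exe -f -p $Password -restore $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed with exit code $LASTEXITCODE" }

# Bring back the CA subkey saved in the first step (CRL/AIA settings, validity periods, ...).
& reg.exe import $reg[0].FullName
if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }

Start-Service CertSvc

# Verify: the service answers, and reports the expected CA name and the new (old) host name.
& certutil.exe -ping
if ($LASTEXITCODE -ne 0) { throw 'The CA is not responding after the restore' }
& certutil.exe -cainfo name
& certutil.exe -cainfo dns
```

After the service is up, issue a test certificate and publish a CRL (“certutil -crl”) so that the restored database, the key and the registry settings are all exercised before clients depend on the new host.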