Migrate and/or replace old cert server?
-
So I wasn't able to delete the enrollmentServerURL. I decided to go ahead and move forward with the demotion, but I'm stuck there as well. Every time I try to complete the process, it fails with this:
I verified in ADUC and ADSS that NONE of my servers have the "protect this object from accidental deletion" checked, and I've tried rebooting the server again, but the process continues to fail. I've tried it with and without the "Remove DNS Delegation" option, but it continues to fail...
Am I going to have to do a forced demotion?....
-
Your domain admin credentials might not have full permissions to do that operation, depending on configuration. How long has the domain existed?
-
@momurda said in Migrate and/or replace old cert server?:
Your domain admin credentials might not have full permissions to do that operation, depending on configuration. How long has the domain existed?
The domain has existed since before I started working here over 4 years ago. It's also changed a lot though in the time I've been here. "ADMIN-SERVER" is the ONLY domain controller from the original domain that was built before I started here.
-
You might want to check your domain admin user rights on some ad containers and see if you have the power.
I think user needs Trusted for Delegation right on that user.Also, on that failed ca removal, i dont think you need quotes around the url, as it is a url and no spaces are allowed.
-
@momurda said in Migrate and/or replace old cert server?:
You might want to check your domain admin user rights on some ad containers and see if you have the power.
I think user needs Trusted for Delegation right on that user.Also, on that failed ca removal, i dont think you need quotes around the url, as it is a url and no spaces are allowed.
I tried the URL with and without quotes; same failure message both times
The account I'm currently using to attempt the demotion is the same account I've used everywhere in the domain. In the 4+ years I've been here, I've built 5 other domain controllers, I've demoted domain controllers, I've transferred FSMO roles - I've never had permissions issues with any of those tasks with this same account I'm using now
-
Is the CA service running when you run that CA url removal command? you might need to fix the CA removal problem before you can demote.
-
@momurda said in Migrate and/or replace old cert server?:
Is the CA service running when you run that CA url removal command? you might need to fix the CA removal problem before you can demote.
The CA service was running when I ran through the removal of cert services, but at the very end of the removal process, it threw that error. Since cert services have now been removed, the service no longer exists :-S...
-
-
I figured somebody would have yelled at you for running anything else on a DC already in 6 pages of replies.
I would build a new 2012 R2 DC, then transfer all roles then demote your old DC. I would just keep sharepoint on the old DC and call it a day.
-
@IRJ said in Migrate and/or replace old cert server?:
I figured somebody would have yelled at you for running anything else on a DC already in 6 pages of replies.
I would build a new 2012 R2 DC, then transfer all roles then demote your old DC. I would just keep sharepoint on the old DC and call it a day.
We already have 5 other DC's. This last DC that I wanted to demote and remove cert services from is the last DC left in the original forest/domain that the admin before me built. I'm pretty much going to have to spend the next several weeks learning how to setup Sharepoint and migrate our existing server/data to a new member server. And trust me, I know it's stupid to run all that stuff on a DC, but I didn't set it up :-S
-
@Shuey said in Migrate and/or replace old cert server?:
@IRJ said in Migrate and/or replace old cert server?:
I figured somebody would have yelled at you for running anything else on a DC already in 6 pages of replies.
I would build a new 2012 R2 DC, then transfer all roles then demote your old DC. I would just keep sharepoint on the old DC and call it a day.
We already have 5 other DC's. This last DC that I wanted to demote and remove cert services from is the last DC left in the original forest/domain that the admin before me built. I'm pretty much going to have to spend the next several weeks learning how to setup Sharepoint and migrate our existing server/data to a new member server. And trust me, I know it's stupid to run all that stuff on a DC, but I didn't set it up :-S
Sorry, I didn't read everything