Archived from groups: microsoft.public.win2000.active_directory
Once a server becomes a DC it can no longer become a certificate server.
BUT... a DC can be a certificate server if before being promoted it was a
certificate server.
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
This posting is provided "AS IS" with no warranties, and confers no rights.
"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
news:%23whL91WeFHA.616@TK2MSFTNGP12.phx.gbl...
> Good morning, Paul!
>
> Thank you for pointing these two things out. It is always a good thing to
> have multiple heads involved in finding a solution.
>
> As I mentioned, the dcpromo process will indeed handle the transferring of
> any FSMO roles that the 'being demoted' Domain Controller holds to another
> Domain Controller. I just like to handle that myself so that the DC that
> I choose is the new role holder. It is a good thing to make this point
> very clear!!!!
>
> As to a Domain Controller not being able to be a Certificate Server - I will
> have to check into this. I will admit that I have never set this up in a
> production environment ( never any desire for it on the clients
> part....and the key word was 'production' - I have played with it in the
> lab.... ). I, however, would venture to guess that you could make a
> Domain Controller a Certificate Server. I will have to look into this.
> Are you saying that you can not do ( as in, physically not possible ) or
> are you saying that it is not the best of ideas? I would agree with that
> part!
>
> --
> Cary W. Shultz
> Roanoke, VA 24012
> Microsoft Active Directory MVP
>
>
> http://www.activedirectory-win2000.com
>
> http://www.grouppolicy-win2000.com
>
>
>
> "Paul Bergson" <pbergson@allete_nospam.com> wrote in message
> news:uIhdOuLeFHA.2556@TK2MSFTNGP10.phx.gbl...
>> Just a note on this. I'm sure you are aware that the dc will gracefully
>> transfer the roles (Except the gc) when demoted to other servers. As far
>> as the certificate services goes once a machine is a dc you can't make it
>> a certificate server so odds are it isn't a certificate authority of any
>> type.
>>
>> --
>>
>>
>> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>>
>> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
>> news:ex%23Q7zBeFHA.412@tk2msftngp13.phx.gbl...
>>> Hutch,
>>>
>>> Just make sure that any services that this DC is holding ( read: DNS,
>>> DHCP, Global Catalog, etc ) are transferred to any of the remaining
>>> Domain Controllers. In the case of the Global Catalog Server I would
>>> suggest that you make all of your Domain Controllers a Global Catalog
>>> Server ( done via the Active Directory Sites and Services MMC - go to
>>> the NTDS Settings under each Domain Controller ). This assumes that you
>>> have only one Domain.
>>>
>>> Another point to consider is to manually transfer any of the five FSMO
>>> roles that this DC might be holding. Since it is the first DC it very
>>> possibly holds all five of them. The dcpromo process will take care of
>>> this for you but I like to be in charge and manually do it. There are
>>> two ways to do this: use ntdsutil ( probably not the best way for
>>> someone with your experience ) or via the GUIs. Please see the two
>>> links below:
>>>
>>>
>>> http://support.microsoft.com/?id=255504
>>>
>>> http://support.microsoft.com/?id=255690
>>>
>>> Should you decide to venture out and use ntdsutil ( a wonderful little
>>> utility ) I would stress to you that you really should *TRANSFER* and
>>> not seize. Granted, if you are going to be removing the old DC then
>>> that should not matter but it is best to do things the correct way.....
>>>
>>> --
>>> Cary W. Shultz
>>> Roanoke, VA 24012
>>> Microsoft Active Directory MVP
>>>
>>>
>>> http://www.activedirectory-win2000.com
>>>
>>> http://www.grouppolicy-win2000.com
>>>
>>>
>>>
>>> "Hutch" <Hutch@discussions.microsoft.com> wrote in message
>>> news:5E943464-C0AB-43A9-A203-071109D7E563@microsoft.com...
>>>> what is this recovery agent private key?
>>>>
>>>> And is there anything special I need to do since this was the first DC in
>>>> our win 2000 AD?
>>>>
>>>> Thanks,
>>>>
>>>> "Andrei Ungureanu" wrote:
>>>>
>>>>> and as always, I add "export the recovery agent private key"
>>>>>
>>>>>
>>>>> --
>>>>> Andrei Ungureanu
>>>>> www.eventid.net
>>>>> Free Windows event logs reports
>>>>> http://www.altairtech.ca/evlog/
>>>>>
>>>>> "Paul Bergson" <pbergson@allete_nospam.com> wrote in message
>>>>> news:%23vO6GZ$dFHA.1404@TK2MSFTNGP09.phx.gbl...
>>>>> > dcpromo, just like when you added it to the domain.
>>>>> >
>>>>> > --
>>>>> >
>>>>> >
>>>>> > Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>>>>> >
>>>>> > This posting is provided "AS IS" with no warranties, and confers no
>>>>> > rights.
>>>>> >
>>>>> >
>>>>> > "Hutch" <Hutch@discussions.microsoft.com> wrote in message
>>>>> > news:946E7059-C1F4-4DE5-82C1-DC748A12D515@microsoft.com...
>>>>> >> AD - Windows 2000 native
>>>>> >>
>>>>> >> We have 4 domain Controllers.
>>>>> >>
>>>>> >> What's the proper way \ proper steps to remove one of them?
>>>>> >> This was our first win2000DC and is a rather old and slow PC.
>>>>> >>
>>>>> >> I do not want to screw anything up during this process.
>>>>> >>
>>>>> >> Thanks,
>>>>> >
>>>>> >
>>>>>
>>>>>
>>>>>
>>>
>>>
>>
>>
>
>
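The manual role transfer discussed in the quoted messages above, written out as an added example that is not part of any poster's message: it records which DC holds each of the five FSMO roles, transfers (rather than seizes) them with ntdsutil, and checks the result before dcpromo is run on the old machine. DC2 is a hypothetical name for the remaining DC that should receive the roles; netdom is assumed to be installed from the Windows 2000 Support Tools.

```bat
@echo off
rem Added example. DC2 is a hypothetical name for the DC that will
rem hold the roles once the old DC has been demoted.
set TARGET=DC2

rem 1. Record the current holder of each of the five FSMO roles.
netdom query fsmo

rem 2. Transfer (do not seize) every role to %TARGET%.
rem    ntdsutil asks for confirmation before each transfer.
rem    The schema master transfer needs Schema Admins rights and the
rem    domain naming master transfer needs Enterprise Admins rights.
ntdsutil roles connections "connect to server %TARGET%" quit ^
  "transfer schema master" ^
  "transfer domain naming master" ^
  "transfer PDC" ^
  "transfer RID master" ^
  "transfer infrastructure master" ^
  quit quit

rem 3. Confirm that %TARGET% is now listed for all five roles
rem    before running dcpromo on the old DC.
netdom query fsmo
```

Run it from a session on a remaining DC or an administrative workstation, not as part of the demotion itself, so the second `netdom query fsmo` can be compared with the first before anything is removed.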