Demotion of DC with Certificate Services: Disaster Recovery Plan?

Following Option B (Keep the CA on the original host and move the domain
controller) of Technet article
http://technet.microsoft.com/en-us/l.../cc742388.aspx ; a domain
controller cannot be removed from a host on which the CA is installed. To
remove the domain controller, the CA must first be uninstalled from the
original host), and the DC can then be demoted, and the CA service
reinstalled.

(NB. The DC is not FSMO role master, and there are other DCs available in
the local site)
We plan to backup the system state, and also take a P2V of the DC
We plan to follow the article closely, however my concern is whether we will
be able to recover the server (as a DC) in the event that CA service does not
reinstall correctly.
I don’t believe it’s possible to simply restore a DC from a system state
backup as the DC will have already been removed from AD?
There are plenty of web articles explaining how to recover a failed DC – but
not one that has been demoted!
Is the correct procedure to ‘re-promote the DC (to repopulate as DC in AD),
and then perform a restore (i.e. from F8 – Directory Services Restore), or
will that not present the DC with a different GUID which would then pose
problems if a system restore is performed which would revert it to the
previous state)
Is it necessary to suspend replication from the server during the removal of
CA and demotion?
Bearing in mind that our objective is to demote the server, is it even
necessary to re-promote it? However the conundrum seems to lie in the fact
that if a restore is performed, it will re-mark it as a DC.
Very confusing! What is the correct procedure?

Can you think of any other measures that can be taken to ensure that we can
recover the DC with CA service restored to its previous state, or that could
protect the CA itself?

Hello jprstokato,

First, this kind of steps you should always test in a LAB envrionment before!!!

Are you using 2008 as mentioned in the article?

If the server is demoted and removed from AD database you have to reinstall
it. Do NOT connect the VM after demoting the server to the network.

If you need to restore the DC which is removed from AD database, you have
to restore also AD on the existing DC's to a previous state when the old
DC was not demoted. Personally i would prevent this.

If you follow the article you should be save.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Following Option B (Keep the CA on the original host and move the
> domain controller) of Technet article
> http://technet.microsoft.com/en-us/l.../cc742388.aspx ; a domain
> controller cannot be removed from a host on which the CA is installed.
> To remove the domain controller, the CA must first be uninstalled from
> the original host), and the DC can then be demoted, and the CA service
> reinstalled.
>
> (NB. The DC is not FSMO role master, and there are other DCs
> available in
> the local site)
> We plan to backup the system state, and also take a P2V of the DC
> We plan to follow the article closely, however my concern is whether
> we will
> be able to recover the server (as a DC) in the event that CA service
> does not
> reinstall correctly.
> I don't believe it's possible to simply restore a DC from a system
> state
> backup as the DC will have already been removed from AD?
> There are plenty of web articles explaining how to recover a failed DC
> - but
> not one that has been demoted!
> Is the correct procedure to 're-promote the DC (to repopulate as DC in
> AD),
> and then perform a restore (i.e. from F8 - Directory Services
> Restore), or
> will that not present the DC with a different GUID which would then
> pose
> problems if a system restore is performed which would revert it to the
> previous state)
> Is it necessary to suspend replication from the server during the
> removal of
> CA and demotion?
> Bearing in mind that our objective is to demote the server, is it even
> necessary to re-promote it? However the conundrum seems to lie in the
> fact
> that if a restore is performed, it will re-mark it as a DC.
> Very confusing! What is the correct procedure?
> Can you think of any other measures that can be taken to ensure that
> we can recover the DC with CA service restored to its previous state,
> or that could protect the CA itself?
>

First, this kind of steps you should always test in a LAB environment
before!!!
> The procedure has been tested in a virtual environment successfully, however this does not necessarily mean that it will behave the same ‘in production. (as we all know well! )


Are you using 2008 as mentioned in the article?
> in our case the CA / DC in Windows 2003, however the articles applies to migration on Server 2003 to 2008

If the server is demoted and removed from AD database you have to reinstall
it. Do NOT connect the VM after demoting the server to the network.
> Please not that the server itself is not being removed, only that the DC is being demoted

If you need to restore the DC which is removed from AD database, you have
to restore also AD on the existing DC's to a previous state when the old
DC was not demoted. Personally i would prevent this.
> Presumably you are referring to an authoritative restore. However is it necessary to restore as DC in this way? Would it not be cleaner and simpler to remove it from Active Directory with ntdsutil, wait for replication then re-promote the DC, and then perform a system restore?

Hello jprstokato,

Also inline.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> First, this kind of steps you should always test in a LAB environment
> before!!!
>
>> The procedure has been tested in a virtual environment successfully,
>> however this does not necessarily mean that it will behave the same
>> 'in production. (as we all know well! )
>>
> Are you using 2008 as mentioned in the article?
>
>> in our case the CA / DC in Windows 2003, however the articles applies
>> to migration on Server 2003 to 2008

Just to talk about the correct OS version, because you didn't mention it.

> If the server is demoted and removed from AD database you have to
> reinstall it. Do NOT connect the VM after demoting the server to the
> network.
>
>> Please not that the server itself is not being removed, only that the
>> DC is being demoted

That's correct, it will be moved to the computers container after demoting.

> If you need to restore the DC which is removed from AD database, you
> have to restore also AD on the existing DC's to a previous state when
> the old DC was not demoted. Personally i would prevent this.
>
>> Presumably you are referring to an authoritative restore. However is
>> it necessary to restore as DC in this way? Would it not be cleaner
>> and simpler to remove it from Active Directory with ntdsutil, wait
>> for replication then re-promote the DC, and then perform a system
>> restore?
>>

I understand your question the way, that you like to get back the DC with
CA installed in case something fails during demotion/CA moving etc., so that
you can go back to the state before starting the changes. So at that point
it was still a DC and the AD database also must include the inforamtion about.

I have had some concerns lately about DR and CA's which partially relate to
what you have brought up. Microsoft is evolving to 64 bit and my guess is
this is a 32 bit system. You can't upgrade/move a 32 bit to a 64 bit system
and there is currently no way that I am aware of to do this. So mark that
down that the DR machine (bit size) has to EXACTLY match, as well as the
system32 path needs to be equivalent.

I think you can do a backup of your CA database, demote the machine (Destroy
it if you so choose, once the DC has been removed from AD) and bring up a
new machine with the exact same name and install CA services and do a CA
restore. I don't believe you need to do an Authoritative Restore on your CA
just do a CA backup and CA restore.

See the article below:
http://support.microsoft.com/kb/298138

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"jprstokato" <> wrote in message
news:E4299B2B-405F-4EFA-9FA7-...
> Following Option B (Keep the CA on the original host and move the domain
> controller) of Technet article
> http://technet.microsoft.com/en-us/l.../cc742388.aspx ; a domain
> controller cannot be removed from a host on which the CA is installed. To
> remove the domain controller, the CA must first be uninstalled from the
> original host), and the DC can then be demoted, and the CA service
> reinstalled.
>
> (NB. The DC is not FSMO role master, and there are other DCs available in
> the local site)
> We plan to backup the system state, and also take a P2V of the DC
> We plan to follow the article closely, however my concern is whether we
> will
> be able to recover the server (as a DC) in the event that CA service does
> not
> reinstall correctly.
> I don't believe it's possible to simply restore a DC from a system state
> backup as the DC will have already been removed from AD?
> There are plenty of web articles explaining how to recover a failed DC -
> but
> not one that has been demoted!
> Is the correct procedure to 're-promote the DC (to repopulate as DC in
> AD),
> and then perform a restore (i.e. from F8 - Directory Services Restore), or
> will that not present the DC with a different GUID which would then pose
> problems if a system restore is performed which would revert it to the
> previous state)
> Is it necessary to suspend replication from the server during the removal
> of
> CA and demotion?
> Bearing in mind that our objective is to demote the server, is it even
> necessary to re-promote it? However the conundrum seems to lie in the fact
> that if a restore is performed, it will re-mark it as a DC.
> Very confusing! What is the correct procedure?
>
> Can you think of any other measures that can be taken to ensure that we
> can
> recover the DC with CA service restored to its previous state, or that
> could
> protect the CA itself?
>

Hi
The correct order of doing things is to have the CA in a dedicated server
and never in a DC. If you're cloning the DC and the CA that is installed on
it there's a good chance of things go wrong. Genereally isolating the DC
from network connectivity previnting replication and Cert Autoenroll should
be enough to do the P2V, but there're other things to consider, for example
security of that server and the CA. Think about it before going that way.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
"jprstokato" <> wrote in message
news:E4299B2B-405F-4EFA-9FA7-...
> Following Option B (Keep the CA on the original host and move the domain
> controller) of Technet article
> http://technet.microsoft.com/en-us/l.../cc742388.aspx ; a domain
> controller cannot be removed from a host on which the CA is installed. To
> remove the domain controller, the CA must first be uninstalled from the
> original host), and the DC can then be demoted, and the CA service
> reinstalled.
>
> (NB. The DC is not FSMO role master, and there are other DCs available in
> the local site)
> We plan to backup the system state, and also take a P2V of the DC
> We plan to follow the article closely, however my concern is whether we
> will
> be able to recover the server (as a DC) in the event that CA service does
> not
> reinstall correctly.
> I don’t believe it’s possible to simply restore a DC from a system state
> backup as the DC will have already been removed from AD?
> There are plenty of web articles explaining how to recover a failed DC –
> but
> not one that has been demoted!
> Is the correct procedure to ‘re-promote the DC (to repopulate as DC in
> AD),
> and then perform a restore (i.e. from F8 – Directory Services Restore), or
> will that not present the DC with a different GUID which would then pose
> problems if a system restore is performed which would revert it to the
> previous state)
> Is it necessary to suspend replication from the server during the removal
> of
> CA and demotion?
> Bearing in mind that our objective is to demote the server, is it even
> necessary to re-promote it? However the conundrum seems to lie in the fact
> that if a restore is performed, it will re-mark it as a DC.
> Very confusing! What is the correct procedure?
>
> Can you think of any other measures that can be taken to ensure that we
> can
> recover the DC with CA service restored to its previous state, or that
> could
> protect the CA itself?
>

Thanks for your reply.
As per original article referred to (742388), we will be recovering CA onto
the 'same' server. however this may give another layer of possible DR i.e. to
use Option A, and recover to a different server... And I take note (thanks)
of your comment that this cannot be from 32 to 64 bit.
Kind Regards. JPSR.

"Paul Bergson [MVP-DS]" wrote:

> I have had some concerns lately about DR and CA's which partially relate to
> what you have brought up. Microsoft is evolving to 64 bit and my guess is
> this is a 32 bit system. You can't upgrade/move a 32 bit to a 64 bit system
> and there is currently no way that I am aware of to do this. So mark that
> down that the DR machine (bit size) has to EXACTLY match, as well as the
> system32 path needs to be equivalent.
>
> I think you can do a backup of your CA database, demote the machine (Destroy
> it if you so choose, once the DC has been removed from AD) and bring up a
> new machine with the exact same name and install CA services and do a CA
> restore. I don't believe you need to do an Authoritative Restore on your CA
> just do a CA backup and CA restore.
>
> See the article below:
> http://support.microsoft.com/kb/298138
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "jprstokato" <> wrote in message
> news:E4299B2B-405F-4EFA-9FA7-...
> > Following Option B (Keep the CA on the original host and move the domain
> > controller) of Technet article
> > http://technet.microsoft.com/en-us/l.../cc742388.aspx ; a domain
> > controller cannot be removed from a host on which the CA is installed. To
> > remove the domain controller, the CA must first be uninstalled from the
> > original host), and the DC can then be demoted, and the CA service
> > reinstalled.
> >
> > (NB. The DC is not FSMO role master, and there are other DCs available in
> > the local site)
> > We plan to backup the system state, and also take a P2V of the DC
> > We plan to follow the article closely, however my concern is whether we
> > will
> > be able to recover the server (as a DC) in the event that CA service does
> > not
> > reinstall correctly.
> > I don't believe it's possible to simply restore a DC from a system state
> > backup as the DC will have already been removed from AD?
> > There are plenty of web articles explaining how to recover a failed DC -
> > but
> > not one that has been demoted!
> > Is the correct procedure to 're-promote the DC (to repopulate as DC in
> > AD),
> > and then perform a restore (i.e. from F8 - Directory Services Restore), or
> > will that not present the DC with a different GUID which would then pose
> > problems if a system restore is performed which would revert it to the
> > previous state)
> > Is it necessary to suspend replication from the server during the removal
> > of
> > CA and demotion?
> > Bearing in mind that our objective is to demote the server, is it even
> > necessary to re-promote it? However the conundrum seems to lie in the fact
> > that if a restore is performed, it will re-mark it as a DC.
> > Very confusing! What is the correct procedure?
> >
> > Can you think of any other measures that can be taken to ensure that we
> > can
> > recover the DC with CA service restored to its previous state, or that
> > could
> > protect the CA itself?
> >
>
>
>

Thanks for your reply Jorge.
You're Absolutely correct. Unfortunately the decision to put the CA on a DC
was before my time at the company. It is exactly this that is cousing me the
problem . I take your point, and also agree that switch over to a clone
would pose problems.
Regards, JPSR

"Jorge Silva" wrote:

> Hi
> The correct order of doing things is to have the CA in a dedicated server
> and never in a DC. If you're cloning the DC and the CA that is installed on
> it there's a good chance of things go wrong. Genereally isolating the DC
> from network connectivity previnting replication and Cert Autoenroll should
> be enough to do the P2V, but there're other things to consider, for example
> security of that server and the CA. Think about it before going that way.
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MVP Directory Services
> "jprstokato" <> wrote in message
> news:E4299B2B-405F-4EFA-9FA7-...
> > Following Option B (Keep the CA on the original host and move the domain
> > controller) of Technet article
> > http://technet.microsoft.com/en-us/l.../cc742388.aspx ; a domain
> > controller cannot be removed from a host on which the CA is installed. To
> > remove the domain controller, the CA must first be uninstalled from the
> > original host), and the DC can then be demoted, and the CA service
> > reinstalled.
> >
> > (NB. The DC is not FSMO role master, and there are other DCs available in
> > the local site)
> > We plan to backup the system state, and also take a P2V of the DC
> > We plan to follow the article closely, however my concern is whether we
> > will
> > be able to recover the server (as a DC) in the event that CA service does
> > not
> > reinstall correctly.
> > I don’t believe it’s possible to simply restore a DC from a system state
> > backup as the DC will have already been removed from AD?
> > There are plenty of web articles explaining how to recover a failed DC –
> > but
> > not one that has been demoted!
> > Is the correct procedure to ‘re-promote the DC (to repopulate as DC in
> > AD),
> > and then perform a restore (i.e. from F8 – Directory Services Restore), or
> > will that not present the DC with a different GUID which would then pose
> > problems if a system restore is performed which would revert it to the
> > previous state)
> > Is it necessary to suspend replication from the server during the removal
> > of
> > CA and demotion?
> > Bearing in mind that our objective is to demote the server, is it even
> > necessary to re-promote it? However the conundrum seems to lie in the fact
> > that if a restore is performed, it will re-mark it as a DC.
> > Very confusing! What is the correct procedure?
> >
> > Can you think of any other measures that can be taken to ensure that we
> > can
> > recover the DC with CA service restored to its previous state, or that
> > could
> > protect the CA itself?
> >
>

Many thanks for your input Meinolf.
Regards, JPSR.


"Meinolf Weber [MVP-DS]" wrote:

> Hello jprstokato,
>
> First, this kind of steps you should always test in a LAB envrionment before!!!
>
> Are you using 2008 as mentioned in the article?
>
> If the server is demoted and removed from AD database you have to reinstall
> it. Do NOT connect the VM after demoting the server to the network.
>
> If you need to restore the DC which is removed from AD database, you have
> to restore also AD on the existing DC's to a previous state when the old
> DC was not demoted. Personally i would prevent this.
>
> If you follow the article you should be save.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > Following Option B (Keep the CA on the original host and move the
> > domain controller) of Technet article
> > http://technet.microsoft.com/en-us/l.../cc742388.aspx ; a domain
> > controller cannot be removed from a host on which the CA is installed.
> > To remove the domain controller, the CA must first be uninstalled from
> > the original host), and the DC can then be demoted, and the CA service
> > reinstalled.
> >
> > (NB. The DC is not FSMO role master, and there are other DCs
> > available in
> > the local site)
> > We plan to backup the system state, and also take a P2V of the DC
> > We plan to follow the article closely, however my concern is whether
> > we will
> > be able to recover the server (as a DC) in the event that CA service
> > does not
> > reinstall correctly.
> > I don't believe it's possible to simply restore a DC from a system
> > state
> > backup as the DC will have already been removed from AD?
> > There are plenty of web articles explaining how to recover a failed DC
> > - but
> > not one that has been demoted!
> > Is the correct procedure to 're-promote the DC (to repopulate as DC in
> > AD),
> > and then perform a restore (i.e. from F8 - Directory Services
> > Restore), or
> > will that not present the DC with a different GUID which would then
> > pose
> > problems if a system restore is performed which would revert it to the
> > previous state)
> > Is it necessary to suspend replication from the server during the
> > removal of
> > CA and demotion?
> > Bearing in mind that our objective is to demote the server, is it even
> > necessary to re-promote it? However the conundrum seems to lie in the
> > fact
> > that if a restore is performed, it will re-mark it as a DC.
> > Very confusing! What is the correct procedure?
> > Can you think of any other measures that can be taken to ensure that
> > we can recover the DC with CA service restored to its previous state,
> > or that could protect the CA itself?
> >
>
>
>

Understood you wanted to do same server, but in a DR you will be surprised
how many things are happening at once. Just wanted to give you some other
views. Best of luck.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"jprstokato" <> wrote in message
news:3753221D-A6E8-488B-B6D5-...
> Thanks for your reply.
> As per original article referred to (742388), we will be recovering CA
> onto
> the 'same' server. however this may give another layer of possible DR i.e.
> to
> use Option A, and recover to a different server... And I take note
> (thanks)
> of your comment that this cannot be from 32 to 64 bit.
> Kind Regards. JPSR.
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> I have had some concerns lately about DR and CA's which partially relate
>> to
>> what you have brought up. Microsoft is evolving to 64 bit and my guess
>> is
>> this is a 32 bit system. You can't upgrade/move a 32 bit to a 64 bit
>> system
>> and there is currently no way that I am aware of to do this. So mark
>> that
>> down that the DR machine (bit size) has to EXACTLY match, as well as the
>> system32 path needs to be equivalent.
>>
>> I think you can do a backup of your CA database, demote the machine
>> (Destroy
>> it if you so choose, once the DC has been removed from AD) and bring up a
>> new machine with the exact same name and install CA services and do a CA
>> restore. I don't believe you need to do an Authoritative Restore on your
>> CA
>> just do a CA backup and CA restore.
>>
>> See the article below:
>> http://support.microsoft.com/kb/298138
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup This
>> posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "jprstokato" <> wrote in message
>> news:E4299B2B-405F-4EFA-9FA7-...
>> > Following Option B (Keep the CA on the original host and move the
>> > domain
>> > controller) of Technet article
>> > http://technet.microsoft.com/en-us/l.../cc742388.aspx ; a domain
>> > controller cannot be removed from a host on which the CA is installed.
>> > To
>> > remove the domain controller, the CA must first be uninstalled from the
>> > original host), and the DC can then be demoted, and the CA service
>> > reinstalled.
>> >
>> > (NB. The DC is not FSMO role master, and there are other DCs available
>> > in
>> > the local site)
>> > We plan to backup the system state, and also take a P2V of the DC
>> > We plan to follow the article closely, however my concern is whether we
>> > will
>> > be able to recover the server (as a DC) in the event that CA service
>> > does
>> > not
>> > reinstall correctly.
>> > I don't believe it's possible to simply restore a DC from a system
>> > state
>> > backup as the DC will have already been removed from AD?
>> > There are plenty of web articles explaining how to recover a failed
>> > DC -
>> > but
>> > not one that has been demoted!
>> > Is the correct procedure to 're-promote the DC (to repopulate as DC in
>> > AD),
>> > and then perform a restore (i.e. from F8 - Directory Services Restore),
>> > or
>> > will that not present the DC with a different GUID which would then
>> > pose
>> > problems if a system restore is performed which would revert it to the
>> > previous state)
>> > Is it necessary to suspend replication from the server during the
>> > removal
>> > of
>> > CA and demotion?
>> > Bearing in mind that our objective is to demote the server, is it even
>> > necessary to re-promote it? However the conundrum seems to lie in the
>> > fact
>> > that if a restore is performed, it will re-mark it as a DC.
>> > Very confusing! What is the correct procedure?
>> >
>> > Can you think of any other measures that can be taken to ensure that we
>> > can
>> > recover the DC with CA service restored to its previous state, or that
>> > could
>> > protect the CA itself?
>> >
>>
>>
>>