Demotion of DC with Certificate Services: Disaster Recovery Plan?

Discussion in 'Server Security' started by jprstokato, May 27, 2009.

  1. jprstokato

    jprstokato Guest

    Following Option B (Keep the CA on the original host and move the domain
    controller) of Technet article
    http://technet.microsoft.com/en-us/library/cc742388.aspx : a domain
    controller cannot be removed from a host on which the CA is installed. To
    remove the domain controller, the CA must first be uninstalled from the
    original host, the DC can then be demoted, and the CA service
    reinstalled.

    (NB. The DC is not FSMO role master, and there are other DCs available in
    the local site.)
    We plan to back up the system state, and also take a P2V of the DC.
    We plan to follow the article closely; however, my concern is whether we will
    be able to recover the server (as a DC) in the event that the CA service does not
    reinstall correctly.
    I don’t believe it’s possible to simply restore a DC from a system state
    backup, as the DC will have already been removed from AD?
    There are plenty of web articles explaining how to recover a failed DC – but
    not one that has been demoted!
    Is the correct procedure to ‘re-promote the DC’ (to repopulate it as a DC in AD),
    and then perform a restore (i.e. from F8 – Directory Services Restore), or
    will that not present the DC with a different GUID, which would then pose
    problems if a system restore is performed which would revert it to the
    previous state?
    Is it necessary to suspend replication from the server during the removal of
    the CA and demotion?
    Bearing in mind that our objective is to demote the server, is it even
    necessary to re-promote it? However, the conundrum seems to lie in the fact
    that if a restore is performed, it will re-mark it as a DC.
    Very confusing! What is the correct procedure?

    Can you think of any other measures that can be taken to ensure that we can
    recover the DC with CA service restored to its previous state, or that could
    protect the CA itself?
     
    jprstokato, May 27, 2009
    #1

  2. Hello jprstokato,

    First, this kind of steps you should always test in a LAB environment before!!!

    Are you using 2008 as mentioned in the article?

    If the server is demoted and removed from AD database you have to reinstall
    it. Do NOT connect the VM after demoting the server to the network.

    If you need to restore the DC which is removed from the AD database, you have
    to restore also AD on the existing DCs to a previous state when the old
    DC was not demoted. Personally I would prevent this.

    If you follow the article you should be safe.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], May 27, 2009
    #2

  3. jprstokato

    jprstokato Guest

    First, this kind of steps you should always test in a LAB environment
    before!!!

    Are you using 2008 as mentioned in the article?
    If the server is demoted and removed from the AD database you have to reinstall
    it. Do NOT connect the VM after demoting the server to the network.
    If you need to restore the DC which is removed from the AD database, you have
    to restore also AD on the existing DCs to a previous state when the old
    DC was not demoted. Personally I would prevent this.
     
    jprstokato, May 27, 2009
    #3
  4. Hello jprstokato,

    Also inline.

    Best regards

    Meinolf Weber


    Just to talk about the correct OS version, because you didn't mention it.
    That's correct, it will be moved to the Computers container after demoting.
    I understand your question in the way that you would like to get back the DC with
    the CA installed in case something fails during demotion/CA moving etc., so that
    you can go back to the state before starting the changes. So at that point
    it was still a DC and the AD database also must include the information about it.
     
    Meinolf Weber [MVP-DS], May 27, 2009
    #4
  5. I have had some concerns lately about DR and CA's which partially relate to
    what you have brought up. Microsoft is evolving to 64 bit and my guess is
    this is a 32 bit system. You can't upgrade/move a 32 bit to a 64 bit system
    and there is currently no way that I am aware of to do this. So mark that
    down that the DR machine (bit size) has to EXACTLY match, as well as the
    system32 path needs to be equivalent.

    I think you can do a backup of your CA database, demote the machine (destroy
    it if you so choose, once the DC has been removed from AD) and bring up a
    new machine with the exact same name, install CA services and do a CA
    restore. I don't believe you need to do an Authoritative Restore on your CA;
    just do a CA backup and CA restore.

    See the article below:
    http://support.microsoft.com/kb/298138
     
    Paul Bergson [MVP-DS], May 27, 2009
    #5
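    The backup-then-rebuild approach above depends on capturing everything the KB article lists before the CA is uninstalled: the CA certificate and private key, the certificate database, and the CertSvc configuration registry key. The following is an added example (not from this thread or from Microsoft's article) of how that pre-demotion backup might be scripted with certutil and reg.exe; the backup path, and the assumption that it runs elevated on the CA host, are placeholders.

    ```powershell
    # Added example: back up an Enterprise CA before it is uninstalled, so the
    # rebuilt CA can be restored with "certutil -restore" plus the registry import.
    # Assumed values (placeholders): backup path D:\CABackup, run elevated on the CA host.
    $backupDir = 'D:\CABackup'
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

    # Prompt for the PFX password instead of embedding it in the script.
    $secure = Read-Host -AsSecureString 'Password to protect the exported CA key'
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    # Full backup: CA certificate + private key (<CAName>.p12) and the
    # certificate database with its logs (DataBase\ subfolder).
    certutil -f -p $plain -backup $backupDir
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

    # certutil -backup does not capture the CA configuration (CRL/AIA paths,
    # validity periods, policy module settings); export the registry key separately.
    $regKey  = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $regFile = Join-Path $backupDir 'CertSvc-Configuration.reg'
    reg export $regKey $regFile /y
    if ($LASTEXITCODE -ne 0) { throw "Registry export of $regKey failed" }

    # Sanity check: a usable backup has the PFX and the ESE database file.
    $pfx = Get-ChildItem $backupDir -Filter '*.p12' -ErrorAction SilentlyContinue
    $edb = Get-ChildItem (Join-Path $backupDir 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
    if (-not $pfx -or -not $edb) { throw "Backup in $backupDir is incomplete" }

    # Record the published templates so the rebuilt CA can be compared afterwards.
    certutil -catemplates | Out-File (Join-Path $backupDir 'templates.txt')
    Write-Host "CA backup written to $backupDir (PFX: $($pfx.Name); DB: $($edb.Name))"
    ```

    The restore side (after the CA role is reinstalled with the same CA name, using the exported key) is the mirror image: certutil -f -p <password> -restore D:\CABackup, then import the .reg file and restart the CertSvc service. Store the backup off the host, since the point of the exercise is that the host itself may be rebuilt.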
  6. Jorge Silva

    Jorge Silva Guest

    Hi
    The correct order of doing things is to have the CA in a dedicated server
    and never in a DC. If you're cloning the DC and the CA that is installed on
    it there's a good chance of things going wrong. Generally isolating the DC
    from network connectivity, preventing replication and Cert Autoenroll, should
    be enough to do the P2V, but there're other things to consider, for example
    security of that server and the CA. Think about it before going that way.

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MVP Directory Services
     
    Jorge Silva, May 27, 2009
    #6
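    Jorge's point about isolating the DC from replication while the P2V clone is taken, and the original question of whether replication should be suspended during the CA removal and demotion, can be handled explicitly rather than by pulling the cable. This is an added example (not from the thread) using repadmin; the DC hostname is a placeholder.

    ```powershell
    # Added example: pause AD replication on the DC that will be cloned/demoted,
    # verify the pause took effect, and re-enable it when the clone is safely offline.
    # Assumed DC hostname (placeholder): DC02.corp.example
    $dc = 'DC02.corp.example'

    function Get-ReplOptions($server) {
        # repadmin prints the current option flags; join the lines for matching.
        (repadmin /options $server) -join ' '
    }

    # Disable both directions so a clone that is powered on by mistake cannot
    # replicate stale data into, or pull changes from, the live forest.
    repadmin /options $dc +DISABLE_INBOUND_REPL +DISABLE_OUTBOUND_REPL
    if ($LASTEXITCODE -ne 0) { throw "repadmin failed to set options on $dc" }

    $opts = Get-ReplOptions $dc
    if ($opts -notmatch 'DISABLE_INBOUND_REPL' -or $opts -notmatch 'DISABLE_OUTBOUND_REPL') {
        throw "Replication is still enabled on $dc : $opts"
    }
    Write-Host "Replication paused on $dc. Take the P2V now; keep the clone's vNIC disconnected."

    # ... P2V / system state backup happens here, on the original host ...

    # Once the clone is stored offline, re-enable replication on the original host
    # and confirm its partners sync again before uninstalling the CA.
    repadmin /options $dc -DISABLE_INBOUND_REPL -DISABLE_OUTBOUND_REPL
    $opts = Get-ReplOptions $dc
    if ($opts -match 'DISABLE_(IN|OUT)BOUND_REPL') { throw "Replication still disabled on $dc" }
    repadmin /showrepl $dc    # each partner should report "was successful"
    ```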
  7. jprstokato

    jprstokato Guest

    Thanks for your reply.
    As per the original article referred to (742388), we will be recovering the CA onto
    the 'same' server. However, this may give another layer of possible DR, i.e. to
    use Option A and recover to a different server... And I take note (thanks)
    of your comment that this cannot be from 32 to 64 bit.
    Kind Regards. JPSR.
     
    jprstokato, May 28, 2009
    #7
  8. jprstokato

    jprstokato Guest

    Thanks for your reply Jorge.
    You're absolutely correct. Unfortunately the decision to put the CA on a DC
    was before my time at the company. It is exactly this that is causing me the
    problem ;). I take your point, and also agree that switching over to a clone
    would pose problems.
    Regards, JPSR
     
    jprstokato, May 28, 2009
    #8
  9. jprstokato

    jprstokato Guest

    Many thanks for your input Meinolf.
    Regards, JPSR.
     
    jprstokato, May 28, 2009
    #9
  10. Understood you wanted to do same server, but in a DR you will be surprised
    how many things are happening at once. Just wanted to give you some other
    views. Best of luck.
     
    Paul Bergson [MVP-DS], May 28, 2009
    #10
  11. Jorge Silva

    Jorge Silva Guest

    Perhaps, since that you're changing things, you could start a new design :)

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MVP Directory Services
     
    Jorge Silva, May 28, 2009
    #11