I need to remove all certificate services from AD and then set up a new CA
-
@JaredBusch said:
Will I end up with client access issues?
Were any Certs used for anything like 802.1x etc.? AD does not use Certs or the CA for most authentication so normal domain communication should not be affected with clients by the lack of a CA.
-
Did you update GPO to reflect the new server info?
https://technet.microsoft.com/en-us/library/cc947849(v=ws.10).aspx
-
@JaredBusch said:
@Dashrender said:
Did you fully migrate away from SBS?
@JaredBusch said:
The new server was made a domain controller and gracefully transferred the FSMO roles.
This does not mean a full migration.
-
@thecreativeone91 said:
@JaredBusch said:
Will I end up with client access issues?
Were any Certs used for anything like 802.1x etc.? AD does not use Certs or the CA for most authentication so normal domain communication should not be affected with clients by the lack of a CA.
This was an SBS install, so the original CA was set up as part of that default install.
There is nothing special on the network for authentication that needs a cert. Until I had a problem with the VMC, I did not even have the CA installed on the new DC.
I installed the CA yesterday as noted above and still had the problem. I booted the SBS server back up and VMC worked again. I shut it back down in order to resolve this.
-
@Dashrender said:
This does not mean a full migration.
Actually, it pretty much does; the SBS server will only run for 21 days after the FSMO roles have migrated, so that should always be the last step other than demoting itself.
-
@GregoryHall said:
Did you update GPO to reflect the new server info?
https://technet.microsoft.com/en-us/library/cc947849(v=ws.10).aspx
No, checking this out now, thanks.
-
@JaredBusch said:
@thecreativeone91 said:
@JaredBusch said:
Will I end up with client access issues?
Were any Certs used for anything like 802.1x etc.? AD does not use Certs or the CA for most authentication so normal domain communication should not be affected with clients by the lack of a CA.
This was an SBS install, so the original CA was set up as part of that default install.
There is nothing special on the network for authentication that needs a cert. Until I had a problem with the VMC, I did not even have the CA installed on the new DC.
I installed the CA yesterday as noted above and still had the problem. I booted the SBS server back up and VMC worked again. I shut it back down in order to resolve this.
It sounds like you have two root CAs and the Certs are still coming from the old CA.
-
@JaredBusch said:
@Dashrender said:
This does not mean a full migration.
Actually, it pretty much does; the SBS server will only run for 21 days after the FSMO roles have migrated, so that should always be the last step other than demoting itself.
Well, you have 21 days, but the BP is to uninstall Exchange from SBS, demote the SBS and then unjoin it from the domain before the 21 days are up.
-
@GregoryHall said:
@JaredBusch https://technet.microsoft.com/en-us/library/dd807084.aspx
That is easy now that I know I missed the step.
The hard part now is finding which SBS policy pushed it out and updating it.
-
@thecreativeone91 said:
Well, you have 21 days, but the BP is to uninstall Exchange from SBS, demote the SBS and then unjoin it from the domain before the 21 days are up.
I have until I arrive tomorrow to complete the demote and unjoin.
-
@JaredBusch http://www.bursky.net/index.php/2012/02/disable-sbs-migration-grace-period-expiration/
Disable the grace period check; it will buy you more time if needed.
-
@GregoryHall said:
@JaredBusch http://www.bursky.net/index.php/2012/02/disable-sbs-migration-grace-period-expiration/
Disable the grace period check; it will buy you more time if needed.
No, the hardware is failed. The grace period is not the problem.
But from the looks of this I can fix the CA regardless of the old DC being online.
The only thing this impacts is me being able to open a console from the Hyper-V Manager.
Still want it fixed before tomorrow though.
-
@GregoryHall said:
@JaredBusch http://www.bursky.net/index.php/2012/02/disable-sbs-migration-grace-period-expiration/
Disable the grace period check; it will buy you more time if needed.
That doesn't work on SBS 2008 as there is no sbscrexe.exe and the grace period works differently.
-
Or I can update the DNS settings on the Hyper-V server to point to the new DC.
Then everything starts working like magic.
#simplethings
-
Related: The SQL server logs in much faster when I update the DNS there too.
I should sleep more when dealing with a crisis.
-
@thecreativeone91 said:
Well, you have 21 days, but the BP is to uninstall Exchange from SBS, demote the SBS and then unjoin it from the domain before the 21 days are up.
There goes Exchange.