Remove the DC role from a W2k8 server being an Enterprise CA

Tags: ad-certificate-services, certificate-authority, domain-controller, windows-server-2008

Is it possible to run a W2k8 Enterprise (AD-integrated) Certificate Authority on a server that is not a domain controller? Mine currently is a DC and I do not remember whether this was a requirement. If so, can I run dcpromo to demote a server that currently is a DC and runs the CA without invalidating that CA? I assume the answer to my first question should be "yes", because the server is only an RODC, but I need to be sure not to accidentally destroy the CA.

Best Answer

Yes, it is possible to run the CA on a non-DC server. This is how our domain is set up. CA entries are published to a special area of Active Directory and do not require that a DC role be installed on the same server.

You should be able to dcpromo the server back to a non-DC role without any issue; the DC and CA roles are distinct from each other. Of course, I would recommend first making a backup of your CA (see http://technet.microsoft.com/en-us/library/cc725565.aspx). That way, if you have any issues whatsoever, you can restore your CA on a new server instance.
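The backup step the answer recommends, as an added PowerShell example that is not part of the original post: it snapshots the CA database, private key, registry configuration and CAPolicy.inf before dcpromo is run, using only the built-in certutil.exe and reg.exe tools. The destination path `D:\CA-Backup` and the CAType value mapping used for the Enterprise check are assumptions.

```powershell
# Added example: take a restorable snapshot of an AD CS CA before demoting
# the server with dcpromo. Run in an elevated prompt as a CA administrator.
$BackupRoot = "D:\CA-Backup"   # assumed destination; change to suit
$cfgKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"

# The active CA name and its type are stored in the CertSvc configuration key.
$caName = (Get-ItemProperty -Path $cfgKey).Active
$caType = (Get-ItemProperty -Path (Join-Path $cfgKey $caName)).CAType
# Assumed CAType mapping: 0 = Enterprise Root, 1 = Enterprise Subordinate,
# 3 = Standalone Root, 4 = Standalone Subordinate.
if (-not (0, 1 -contains $caType)) {
    throw "CA '$caName' is not an Enterprise CA (CAType=$caType); check before continuing."
}

$stamp = Get-Date -Format "yyyyMMdd-HHmm"
$dest  = Join-Path $BackupRoot "$caName-$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Full backup: CA database and logs, plus the CA certificate and private key
# as a password-protected PKCS#12 file (<CAName>.p12) in $dest.
$pw = Read-Host "Password to protect the exported CA private key"
& certutil.exe -p $pw -backup $dest
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# certutil -backup does not include the registry configuration (CRL/AIA
# paths, template list, policy settings); export it separately.
$regFile = Join-Path $dest "CertSvc-Configuration.reg"
& reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" $regFile /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# CAPolicy.inf, if present, is needed to rebuild the CA with identical settings.
$policy = Join-Path $env:SystemRoot "CAPolicy.inf"
if (Test-Path $policy) { Copy-Item -Path $policy -Destination $dest }

# Sanity check: refuse to report success unless key and database are present.
$pfx = Get-ChildItem -Path $dest -Filter "*.p12"
$edb = Get-ChildItem -Path (Join-Path $dest "DataBase") -Filter "*.edb"
if (-not $pfx -or -not $edb) { throw "Backup in $dest is incomplete; do not demote yet." }
Write-Host "CA '$caName' backed up to $dest; safe to proceed with dcpromo."
```

Store the backup folder and the key password off the server before demoting, since a restore on a new instance needs both.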