Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Re: Demotion of DC with Certificate Services: Disaster Recovery Plan? [message #155329] Wed, 27 May 2009 08:46
pbbergs (Senior Member, United States)
I have had some concerns lately about DR and CAs which partially relate to what you have brought up. Microsoft is evolving to 64-bit and my guess is this is a 32-bit system. You can't upgrade/move a 32-bit to a 64-bit system, and there is currently no way that I am aware of to do this. So mark that down: the DR machine (bit size) has to EXACTLY match, and the system32 path needs to be equivalent.

I think you can do a backup of your CA database, demote the machine (destroy it if you so choose, once the DC has been removed from AD), bring up a new machine with the exact same name, install CA services and do a CA restore. I don't believe you need to do an Authoritative Restore on your CA; just do a CA backup and CA restore.

See the article below:
http://support.microsoft.com/kb/298138

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails; any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

"jprstokato" <jprstokato@discussions.microsoft.com> wrote in message news:E4299B2B-405F-4EFA-9FA7-478E9A1D5235@microsoft.com...
> Following Option B (Keep the CA on the original host and move the domain controller) of Technet article http://technet.microsoft.com/en-us/library/cc742388.aspx, a domain controller cannot be removed from a host on which the CA is installed. To remove the domain controller, the CA must first be uninstalled from the original host, and the DC can then be demoted and the CA service reinstalled.
>
> (NB. The DC is not FSMO role master, and there are other DCs available in the local site.)
>
> We plan to back up the system state, and also take a P2V of the DC. We plan to follow the article closely; however, my concern is whether we will be able to recover the server (as a DC) in the event that the CA service does not reinstall correctly.
>
> I don't believe it's possible to simply restore a DC from a system state backup, as the DC will have already been removed from AD?
>
> There are plenty of web articles explaining how to recover a failed DC, but not one that has been demoted!
>
> Is the correct procedure to re-promote the DC (to repopulate as a DC in AD) and then perform a restore (i.e. from F8 - Directory Services Restore), or will that not present the DC with a different GUID, which would then pose problems if a system restore is performed which would revert it to the previous state?
>
> Is it necessary to suspend replication from the server during the removal of CA and demotion?
>
> Bearing in mind that our objective is to demote the server, is it even necessary to re-promote it? However, the conundrum seems to lie in the fact that if a restore is performed, it will re-mark it as a DC. Very confusing! What is the correct procedure?
>
> Can you think of any other measures that can be taken to ensure that we can recover the DC with CA service restored to its previous state, or that could protect the CA itself?
>
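The pre-demotion CA backup Paul describes, written out as a script with the two checks his reply calls out (OS bitness and the %SystemRoot% path must match on the DR host). This is an added example, not code from the thread or from Microsoft; it assumes it runs elevated on the CA host, and the backup path `D:\CABackup` is a hypothetical placeholder. The registry export follows the step in KB 298138 that the reply links to.

```powershell
# Added example (not from the thread): snapshot the facts the DR host must
# match, export the CertSvc configuration, then back up the CA database and
# key with certutil. Assumes an elevated prompt on the CA host itself.
param(
    [string]$BackupRoot = "D:\CABackup"   # hypothetical location; change it
)

$stamp  = Get-Date -Format "yyyyMMdd-HHmm"
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 1. Record what the DR machine has to match: bitness and the system32 path.
#    OSArchitecture is absent on Windows 2003, so fall back to the processor
#    architecture environment variable (x86 = 32-bit, AMD64 = 64-bit).
$os   = Get-WmiObject Win32_OperatingSystem
$bits = if ($os.OSArchitecture) { $os.OSArchitecture } else { $env:PROCESSOR_ARCHITECTURE }
@(
    "CAHost=$env:COMPUTERNAME",
    "OSArchitecture=$bits",
    "SystemRoot=$env:SystemRoot",
    "OSVersion=$($os.Version)"
) | Set-Content (Join-Path $target "dr-prerequisites.txt")

# 2. Export the CertSvc configuration key (CA name, CRL/AIA paths, settings)
#    so the rebuilt CA can be configured identically.
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" `
    (Join-Path $target "CertSvc-Configuration.reg") /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry export failed ($LASTEXITCODE)" }

# 3. Back up the CA database, log files and the signing key/certificate.
#    certutil prompts for a password that protects the exported .p12 key file.
certutil -backup $target
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed ($LASTEXITCODE)" }

# 4. Confirm the pieces a 'certutil -restore' needs exist before demoting:
#    the DataBase folder and the password-protected .p12 with the CA key.
foreach ($required in @("DataBase", "*.p12")) {
    if (-not (Get-ChildItem -Path $target -Filter $required -ErrorAction SilentlyContinue)) {
        throw "Backup incomplete: '$required' missing from $target"
    }
}
Write-Host "CA backup written to $target. Copy it off this host before demotion."
```

On the rebuilt host (same name, same bitness, same %SystemRoot%), install the CA role with the exported key and run `certutil -restore <backup folder>` against the same folder to bring the database back.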
Re: Demotion of DC with Certificate Services: Disaster Recovery Pl [message #155360 is a reply to message #155329] Wed, 27 May 2009 21:55
jprstokato (Junior Member)
Thanks for your reply.

As per the original article referred to (742388), we will be recovering CA onto the 'same' server. However, this may give another layer of possible DR, i.e. to use Option A and recover to a different server... And I take note (thanks) of your comment that this cannot be from 32 to 64 bit.

Kind Regards. JPSR.
Re: Demotion of DC with Certificate Services: Disaster Recovery Pl [message #155367 is a reply to message #155360] Thu, 28 May 2009 08:18
pbbergs (Senior Member, United States)
Understood you wanted to do same server, but in a DR you will be surprised
how many things are happening at once. Just wanted to give you some other
views. Best of luck.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails; any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.