This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 71%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hi, folks. We have a domain controller with AD Certificate Services installed as our root CA, and I'd like to demote it from being a DC which requires first uninstalling AD CS.
Can we backup CA private key and database, uninstall AD CS role, demote as DC, then turn right around and reinstall AD CS, restore CA from backup key/database with no ill effects? Does uninstalling the role automatically revoke certs issues by this CA, or is that untouched, and so none should be the wiser?
Before uninstalling AD CS role should we first lengthen the CRL publish time and increase certificate expiry or anything?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHX%3C/text%3E%3C/svg%3E)
Hello,
Thank you so much for posting here.
Q1: Can we backup CA private key and database, uninstall AD CS role, demote as DC, then turn right around and reinstall AD CS, restore CA from backup key/database with no ill effects?
A1: There will be two options, one is to migrate the CA to a new host and the second is to keep the CA on the original host and move the domain controller. For more information about the steps, we could refer to:
https://video2.skills-academy.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)?redirectedfrom=MSDN
Q2: Does uninstalling the role automatically revoke certs issues by this CA, or is that untouched, and so none should be the wiser?
A2: No, uninstalling the role will not automatically revoke certs. After the re-installation or migration, we will verify whether everything works fine. Besides, it is suggested doing this during the downtime.
Q3: Before uninstalling AD CS role should we first lengthen the CRL publish time and increase certificate expiry or anything?
A3: Yes, it is recommended to publish a CRL with a long validity period. We could also refer to the provided document about this, which describes the performance in details.
For any question, please feel free to contact us.
Best regards,
Hannah Xiong
Hello,
I am checking how the issue is going, if you still have any questions, please feel free to contact us.
Thank you so much for your time and support.
Best regards,
Hannah Xiong
Hello @Starlessblack ,
Does this question have any update or has this issue been solved? Also, for the question, is there any other assistance we could provide?
Besides, there is email notifications function on this forum. It is suggested that we could set it up so that we could receive prompts for responses in time.
https://video2.skills-academy.com/en-us/answers/articles/67444/email-notifications.html
Thank you so much for your time and support.
Best regards,
Hannah Xiong