We were able to solve it by installing some missing CA role features, not configuring the CA since we don't want it anymore and then removing the role.
Error removing Certificate Authority role
We had a server with Server 2008 R2 on it. It used to be a certificate authority on the domain. We removed this role from the server, restarted a few times and then did an in-place upgrade on this server to 2012 R2. When the server came back online the CA role had returned but shows in a failed state.
We ran sfc /scannow and it reports no issues.
If we try to remove the role with Server Manager or via PowerShell with Remove-WindowsFeature -Name AD-Certificate we get the error:
"A prerequisite check for the AD-Certificate feature failed. 1. The status of the role services on the target machine could not be determined. Please retry. The error is The term 'Get-InternalAdcsConfigurationState' is not recognized as the name of a cmdlet."
2 additional answers
-
Anonymous
2020-12-01T23:36:06.993+00:00 In-place upgrades are risky and never recommended because of (among other things) corruption carry-forward. The cleaner, much simpler method is to stand up a new one for replacement.
I'd use dcdiag / repadmin tools to verify health, correcting all errors found before starting any operations. Then stand up the new 2019, patch it fully, license it, join existing domain, add Active Directory Domain Services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer PDC emulator role (optional), use dcdiag / repadmin tools to again verify health, when all is good you can decommission / demote old one. Then at some point either after (if not already done) I'd recommend migrating sysvol replication from older FRS technology to DFSR
https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405
--please don't forget to Accept as answer if the reply is helpful--
-
Vicky Wang 2,741 Reputation points
2020-12-02T09:13:49.987+00:00 Hi,
If you have already installed the Active Directory Certificate Services (AD CS) before promoting the computer to a Domain Controller, you will have to remove the Certificate Services role first, and then add the AD DS role again.
If the Certificate Service was removed, no certificate can be issued and certificate revocation lists (CRLs) cannot be published.
I would suggest you first follow the steps in this KB article to move a certification authority to another server, then remove the AD CS role and promote the computer to a Domain Controller:
https://support.microsoft.com/en-us/kb/298138
Hope this helps.
Regards,
Vicky