I'm trying to bind a Windows 2008 SBS server to OS X Open Directory, but the Change domain button is grayed out with this message:

Note: The identification of the computer cannot be changed because:
- The Certification Authority Service is installed on this computer.

How do I remove the Certification Authority Service?

1 Answer

Whoa. Stop. Think about what you're doing! You're trying to change the domain SBS is a part of. This is very, very bad news. Most things in SBS depend on the domain they were installed to (Exchange, IIS, SharePoint, etc.). When you change that domain, you break just about everything. You also may be violating the SBS license here because SBS cannot hold all FSMO roles in an Open Directory setup (which is a requirement of SBS, a requirement which, if not met, leads to the server shutting down every 2 hours). Please rethink this, Mr. Collins.

As for removing the Certificate Authority service, that can be done through Server Manager's features tab, but it will break things. Also, you won't be able to change the domain without first dcpromo-ing it down. I have warned you though, you do this and you break everything, possibly the license agreement included.

A better idea is to join your Mac infrastructure to Active Directory or even have 2 directories, one for Mac, the other for PC. This would be preferred over losing AD goodness and damaging your server to this extent.

Jason Berg
  • Well, crap. This server is only for Windows Terminal Services, and I wanted to connect to OD to authenticate users and mount their home folders. I guess I can just use Windows 2003 Server. – Ryan Collins Aug 16 '10 at 14:52
  • I don't think this point can be stated enough "A better idea is to join your Mac infrastructure to Active Directory". If you have an AD infrastructure there is no need to maintain open directory. See http://images.apple.com/business/solutions/it/docs/Best_Practices_Active_Directory.pdf if you still want to maintain 2 directories and integrate the 2. – Jim B Aug 16 '10 at 15:09
  • Lol, I guess I wasn't clear enough. We don't have an AD infrastructure, everything is in Open Directory. It doesn't make sense to set up AD just for one server for terminal services, does it? – Ryan Collins Aug 16 '10 at 15:18
  • SBS really shouldn't be used for Terminal Services anyways. Changing the mode from remote desktop for administration will lead to an error and is unsupported http://blogs.technet.com/b/sbs/archive/2008/09/26/can-i-use-terminal-services-in-sbs-2008.aspx – Jason Berg Aug 16 '10 at 15:19
  • That's good to know, thanks Jason! I already have a license for 2003, so that's where I'm going. – Ryan Collins Aug 16 '10 at 15:23
  • Yes, AD may not be needed for a single Windows machine in a Mac environment. But if you have more than 1 Windows machine (not just servers, desktops included), AD can pay off real quickly. 5 or more machines and it is a HUGE timesaver (Group Policy...it's amazingness) – Jason Berg Aug 16 '10 at 15:25