
I have a Domain Controller that for some reason beyond me has ADCS installed on it. The domain controller is a 2008 R2 server and needs to be demoted, but first I need to do one of two things. This same server also runs DHCP, NPS (RADIUS server), and other third-party software.

My options (according to me):

1. Migrate ADCS to a different server (it would be a new machine with 2012 R2). https://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
2. Spin up an offline non-domain-joined root CA and have a live domain-joined issuing CA. I would then back up ADCS on the domain controller, revoke any issued certificates and remove the server roles.

It would seem that for option 1 to work I need to migrate the computer name and IP as well. If I go with option 2, what steps can I take to mitigate the possible impact? Currently the CA has issued 9 certificates. However, only 3 have not expired; 2 of those expire in the coming week, the third one a year from now.

What would be the best way to get ADCS off this domain controller?


1 Answer


With only one valid certificate depending on the existing CA after this week, I would do the following:

  • Spin up an entirely new parallel PKI infrastructure (however complicated you care to make it)
  • Generate a new cert to replace the one remaining and migrate the application to use the new cert
  • Decommission the old CA entirely.

If the two certs that are expiring need to be renewed and you can get the new CA up before then, just generate them fresh from the new CA. Otherwise, renew from the old and migrate them the same way as the other one.

Comment: Looks like all is well now; here is some of the documentation I used for anyone else that runs into this. Further research is highly advised; don't just go by these few links. https://social.technet.microsoft.com/wiki/contents/articles/2900.offline-root-certification-authority-ca.aspx http://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx#Installing_the_Standalone_Offline_Root_CA https://www.youtube.com/watch?v=ZkAs-UWUtqA – veel84 Jul 11 '16 at 13:32
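Before the old CA on the domain controller is decommissioned, the check a practitioner wants is an inventory of what it has issued that is still unexpired, so nothing is revoked until its replacement from the new PKI is in place. The script below is an added example, not part of the original question or answer; it assumes it runs on the old CA as a CA administrator, and the CA config string "OLDDC\Contoso-CA" is a placeholder to replace with your own.

```powershell
# Added example: list unexpired certificates issued by the old CA and, only when
# -Revoke is passed, revoke them with reason 5 (CessationOfOperation) and publish
# a fresh CRL. Run this *after* the replacement certificates from the new CA are
# installed on the applications that use them.
param(
    [string]$CAConfig = "OLDDC\Contoso-CA",   # placeholder CA config string
    [switch]$Revoke                             # inventory only unless set
)

# Disposition 20 = issued certificates (excludes pending, denied, revoked).
# Columns: RequestID, SerialNumber, CommonName, NotAfter, exported as CSV.
$raw = & certutil -config $CAConfig -view -restrict "Disposition=20" `
    -out "RequestID,SerialNumber,CommonName,NotAfter" csv

# Drop certutil's own status lines and the CSV header row, then parse with
# our own column names so the localized display names do not matter.
$rows = $raw | Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
    Select-Object -Skip 1 |
    ConvertFrom-Csv -Header RequestID, SerialNumber, CommonName, NotAfter

$now = Get-Date
$live = $rows | Where-Object { [datetime]$_.NotAfter -gt $now }

Write-Host ("Issued certificates still valid on {0}: {1}" -f $CAConfig, $live.Count)
$live | Sort-Object { [datetime]$_.NotAfter } |
    Format-Table RequestID, SerialNumber, CommonName, NotAfter -AutoSize

if ($Revoke -and $live.Count -gt 0) {
    foreach ($cert in $live) {
        # Reason 5 = CessationOfOperation: the CA itself is being retired.
        & certutil -config $CAConfig -revoke $cert.SerialNumber 5 | Out-Null
        Write-Host ("Revoked {0} ({1})" -f $cert.SerialNumber, $cert.CommonName)
    }
    # Publish a new CRL so relying parties see the revocations before the
    # role is removed and the CRL distribution point disappears.
    & certutil -config $CAConfig -CRL | Out-Null
    Write-Host "New CRL published."
}
```

Run it once without -Revoke to see what still depends on the old CA (the question's case should show three entries, two of them expiring within the week); run it with -Revoke only after the last remaining certificate has been replaced from the new CA.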