Unable To Join Domain Due To 'Certification Authority Service'

Status
Not open for further replies.

Skittle

ISP
Sep 10, 2002
1,528
US
I have a stand alone web server that I need to join to an AD domain.

I have tried to join it by selecting

-Control panel
-System
-Network Identification Tab
-Click on 'Properties' to join to a domain

The problem is that this 'properties' button is greyed out.
Below the button is the text :-

'The identification of the computer cannot be changed because :- The certification authority service is installed on this computer'.

Anybody any idea how I can get round this?

I assume that the problem is that this computer has issued certificates and therefore the identity cannot be changed?




Dazed and confused
 
1) You will need to know a Domain Admin uname and password.

Right click on My Computer > Properties > Computer Name tab > "To rename this computer or join a domain, click Change", click Change > "Member of" section > radio enable Domain, and type FQDN (full dom name) > will ask for authorisation to join the domain, need Domain Admin account.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
It takes me to the same option which is greyed out.

Dazed and confused
 
Are you sure that your "stand alone" server hasn't got AD running on it...

Quick check......Start > Administrative Tools > see if there are any Active Directory consoles listed (Users and Computers etc)

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
The stuff in Administrative tools is pretty standard.

Component Services, Configure Your Server, Data Sources ODBC, Distributed File System, Event Viewer, Internet Services Manager, Licensing, Local Security Policy, Performance, Routing and Remote Access, Server Extensions Admin, Services, Telnet Server Admin, Certificate Authority and Terminal Services Manager.

It's the certificates configuration on the server that's causing the problem I think. If I add 'Certificates' to the MMC snap in for the local computer, I get a large list.

I also can add Certification Authority (local) and get a few in there as well. These are the issuing certificates.
Although....they all look to have expired so I guess I could remove this option?

Dazed and confused
 
I don't know why the certificates would give you problems. Can you remove the assigned certificates, and join the domain, then reapply the certificates?

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
I'm not too clear about certificates but I agree it seems odd that certificates would prevent the domain join.
I've compared the certificates with my standard XP machine and found a similar list so I don't think it's that which is the problem.

I think it's the specific 'Certification Authority (local)' service. My XP machine does not have that service.
Since all the 'issued' certificates under the 'Certification Authority (local)' have expired I think I should just uninstall that service.

Bit scary though as I'm not certain about this.




Dazed and confused
 
Disable the service, the certificates will remain, and if you're doing something as drastic as joining a new Domain, you have to accept that there are certain changes. After you have rejoined the domain, if you are having issues related to the Certs, you can re-enable the service, and it will pick right back up.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
I had tried that but it made no difference.
I think I have to uninstall the Certification Authority (local).

I think because the server has issued certificates or can issue certificates, you cannot change the identity of the server.



Dazed and confused
 
That's what I meant, I was just meaning that you can still issue the same certs, if you reinstall the service afterwards...you won't lose any custom ones.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
Hmm OK. Sounds good.

There is also a backup and restore option in Certificate Authority (local) so I can make a backup of the certificates and stuff before I remove the service.

Dazed and confused
 
Yeah....do it man.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
IT...long periods of boredom with brief moments of total nail biting panic!!!

(gulp)

:o)
:o(





Dazed and confused
 
Two more questions before I do it... :o)

Do you agree that since all the certificates within the Certificate Authority have expired anyway, it shouldn't make any difference if I remove the service?







Dazed and confused
 
Done it!!


No four horsemen of the apocalypse yet.

Looks Ok. I can change the server to AD now.
(Phew). Need a lie down now.

Thanks for your help.



Dazed and confused
 
No, it wouldn't make any difference, only if you had other dependent (non-expired) certificates that were running, but not causing problems.

And

that was only one question.
Hehehehe

Glad it works now.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 