Why can't you promote a server to a domain controller if certificate services are installed?

I get this error in Windows Server 2012 when trying to promote the server to a domain controller:

Verification of prerequisites for Domain Controller promotion failed. Certificate Server is installed.


Solution 1:

When you have a Certificate of Authority role, it uses a "key" from an existing domain controller, and you need to make several configuration decisions when planning the CA itself. If you promote it to a DC, it would get an independent key for that domain controller, so the "key" that was previously configured on the server would change, and that's not allowed for a CA. So basically this is not allowed when you have the CA role installed on the server, for consistency.

If you want to promote the member server, you would need to uninstall the Certificate of Authority role completely prior to elevating the server to domain controller.

The main point is that you're doing that in the wrong order: you first elevate the server to domain controller and then install the CA services, and during the configuration it will ask if you want to create a farm of CAs or if it's the first server (called root for CA).

In conclusion, you won't be able to promote the server to DC until you remove the CA services. If you do so, all the certificates that were signed by this CA would need a rekey, and the certificates would need to be reinstalled on servers, if necessary.
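
The order described in this answer (remove the CA role, then promote) can be checked and carried out from an elevated PowerShell session. The script below is an added example, not part of the original answer: the domain name, the backup path and the `-RemoveCA` switch are placeholders chosen for illustration, and the backup step is an added precaution so the CA key and database are preserved before the role is removed.

```powershell
# Added example: pre-promotion check for the "Certificate Server is installed"
# prerequisite failure. Run elevated on the server that failed the check.
param(
    [string]$Domain     = 'corp.example.com',  # placeholder domain name
    [string]$BackupPath = 'C:\CABackup',       # placeholder backup folder
    [switch]$RemoveCA                          # without this switch, report only
)

Import-Module ServerManager

# DomainRole: 2 = standalone server, 3 = member server, 4/5 = domain controller
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Write-Output 'This server is already a domain controller.'
    return
}

$ca = Get-WindowsFeature -Name ADCS-Cert-Authority
if (-not $ca.Installed) {
    Write-Output 'CA role not installed; this prerequisite will not block promotion.'
    return
}

Write-Warning 'Certification Authority role is installed; promotion will be refused.'
if (-not $RemoveCA) {
    Write-Output 'Re-run with -RemoveCA to back up and remove the CA role.'
    return
}

# Preserve the CA private key and database before removing anything.
$pw = Read-Host -AsSecureString -Prompt 'Password to protect the CA key backup'
Backup-CARoleService -Path $BackupPath -Password $pw

# Remove the CA configuration, then the role binaries.
Uninstall-AdcsCertificationAuthority -Force
Uninstall-WindowsFeature -Name ADCS-Cert-Authority

Write-Output 'Restart the server, then promote it and reinstall the CA role:'
Write-Output '  Install-WindowsFeature AD-Domain-Services -IncludeManagementTools'
Write-Output "  Install-ADDSDomainController -DomainName $Domain"
Write-Output '  Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools'
```

Run it once without `-RemoveCA` to see what is blocking promotion; store the backup folder off the server before removing the role.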