jonmenefee

asked on

Certificate authority and my inherited mess

I inherited a real nightmare at a new customer's office. Here is the nightmare.
Windows SBS 2003. Runs great now (had a few problems, they were solved by you guys, thanks). Windows Server 2003. Was running as a member server and then for some dumbass reason the guy made it a domain controller. Uggh. Unfortunately when I tried to demote it, it was running the certificate services and the demotion would not go through.
I looked at the certificate services and it only has 2 active certificates and they both point to the SBS 2003 server. It appears that the only thing they are running or being used for is self-signed certificates that run the Remote services. They don't appear to be using OWA at all and are not even using RPC over HTTP.
What is the best way to demote the server to make it a member server again?
Thanks!!
ASKER CERTIFIED SOLUTION
Shreedhar Ette
jonmenefee

ASKER

Thanks Shree, I will give that a try tonight :)
You need FIRST to deactivate the SSL services that use self-signed certificates in your SBS (only 2 services run).


If the Certificate Server is a CA, then you need to revoke all active certificates that were issued by the CA:
   1. Click Start -> Administrative Tools -> Certification Authority
   2. Expand your CA, and click the Issued Certificates folder
   3. In the right pane, click one of the issued certificates, and press CTRL+A to select all issued certificates
   4. Right-click the selected certificates, click All Tasks, and click Revoke Certificate.
   5. In the Certificate Revocation dialog box, click to select Cease of Operation as the reason for revocation, and then click OK.


Now increase the CRL publication interval
   1. In the Certification Authority Microsoft Management Console snap-in, right-click the Revoked Certificates folder, and then click Properties
   2. In the CRL Publication Interval box, type a suitably long value, and then click OK


After that you need to publish a new CRL
   1. In the Certification Authority MMC snap-in, right-click the Revoked Certificates folder.
   2. Click All Tasks, and then click Publish.
   3. In the Publish CRL dialog box, click New CRL, and then click OK.


It is necessary to deny any pending requests

By default, an enterprise CA does not store certificate requests.
However, an administrator can change this default behavior.
You need to know this state and deny any pending certificate requests; follow these steps:

   1. In the Certification Authority MMC snap-in, click the Pending Requests folder.
   2. In the right pane, click one of the pending requests, and then press CTRL+A to select all pending certificates.
   3. Right-click the selected requests, click All Tasks, and then click Deny Request.


Uninstall Certificate Services from the server
   1. To stop Certificate Services, click Start, click Run, type cmd, and then click OK.
   2. At the command prompt, type certutil -shutdown, and then press ENTER.
   3. To list all key stores for the local computer, type certutil -key at the command prompt.
This command displays the names of all installed cryptographic service providers (CSPs) and the key stores that are associated with each provider.


Microsoft Enhanced Cryptographic Provider v1.0:
  1a3b2f44-2540-408b-8867-51bd6b6ed413
  MS IIS DCOM ClientSYSTEMS-1-5-18
  MS IIS DCOM Server
  Windows2000 Enterprise Root CA
  MS IIS DCOM ClientAdministratorS-1-5-21-436374069-839522115-1060284298-500



Part II

In that listing you only need to look for the entry that is the CA; for example, in the output above you see:
 
       Windows2000 Enterprise Root CA


4. Delete the private key that is associated with the CA.
Type the following at a command prompt:

            certutil  -delkey "Windows2000 Enterprise Root CA"

5. List the key stores again to verify that the private key for the CA has been deleted.
6. After you delete the private key for your CA, uninstall Certificate Services.

To do this, follow these steps:
   a. Close the Certification Authority MMC snap-in if it is still open.
   b. Click Start, point to Control Panel, and then click Add /Remove Programs.
   c. Click Add/Remove Windows Components.
   d. In the Components box, click to clear the Certificate Services check box, click Next, and then follow the instructions in the Windows Components Wizard to complete the removal of Certificate Services.


NOW you need to remove the CA objects from Active Directory
When Microsoft Certificate Services is installed on a server that is a member of a domain, several objects are created in the configuration container in Active Directory.

These objects are the following:

    * certificateAuthority object
          o Located in CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain.
          o Contains the CA certificate for the CA.
          o Published Authority Information Access (AIA) location.
    * crlDistributionPoint object
          o Located in CN=ServerName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
          o Contains the CRL periodically published by the CA.
          o Published CRL Distribution Point (CDP) location.
    * certificationAuthority object
          o Located in CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
          o Contains the CA certificate for the CA.
    * pKIEnrollmentService object
          o Located in CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
          o Created by the enterprise CA.
          o Contains information about the types of certificates the CA has been configured to issue. Permissions on this object can control which security principals can enroll against this CA.

Remove all Certification Services objects from Active Directory

Delete certificates published to the NtAuthCertificates object

To remove the CA database, delete the %systemroot%\System32\Certlog folder.

Clean up domain controllers
The Windows Server 2003 Resource Kit tools also include the Pkiview.msc utility to help you remove CA objects from the domain.

AFTER ALL THIS, maybe you can DEMOTE this Domain Controller of your SBS.
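As an added example (not from this thread and not Microsoft's KB text), here is a PowerShell helper that does the inventory side of the steps above before you touch anything: it reads the CA name, lists the issued and pending requests with certutil, walks the CN=Public Key Services container so you can see exactly which AIA/CDP/Enrollment Services objects will need cleaning up, and dumps the key containers so you can find the CA key before any -delkey. By default it only reports; with -Revoke it runs the revoke (reason 5 = Cease of Operation), deny and publish-CRL steps with certutil. Assumptions: it runs on the CA host as an enterprise admin, certutil.exe is on the path, PowerShell 2.0 or later is installed, and the function names are mine.

```powershell
# Added example, not from the thread. Inventory (and optionally revoke/deny/publish) for a
# Windows enterprise CA that is about to be decommissioned. Assumes it runs on the CA host
# as an enterprise administrator with certutil.exe on the path and PowerShell 2.0 or later.

function Get-CAName {
    # The active CA instance name is stored under the CertSvc configuration key.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    (Get-ItemProperty -Path $key -Name Active).Active
}

function Get-CARequests {
    param([int]$Disposition)   # certutil disposition codes: 9 = pending, 20 = issued, 21 = revoked
    # "certutil -view ... csv" prints a quoted header row followed by quoted data rows;
    # keep only the quoted lines so any status text certutil prints is ignored.
    $lines = certutil -view -restrict "Disposition=$Disposition" `
                 -out 'RequestID,SerialNumber,RequesterName,NotAfter' csv |
             Where-Object { $_ -match '^"' }
    foreach ($row in ($lines | ConvertFrom-Csv)) {
        # Column headers are display names, so take the values by position.
        $v = @($row.PSObject.Properties | ForEach-Object { $_.Value })
        New-Object PSObject -Property @{
            RequestID = $v[0]; SerialNumber = $v[1]; Requester = $v[2]; NotAfter = $v[3]
        }
    }
}

function Get-ADPKIObjects {
    # Walks CN=Public Key Services in the configuration partition, which holds the
    # AIA, CDP, Certification Authorities, Enrollment Services and NTAuthCertificates
    # objects that must be removed after Certificate Services is uninstalled.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = $rootDse.configurationNamingContext
    $base     = [ADSI]"LDAP://CN=Public Key Services,CN=Services,$configNC"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter      = '(objectClass=*)'
    $searcher.SearchScope = 'Subtree'
    $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'objectClass'))
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            DN    = [string]$r.Properties['distinguishedname'][0]
            Class = [string]($r.Properties['objectclass'] | Select-Object -Last 1)
        }
    }
}

function Invoke-CADecommissionPrep {
    param([switch]$Revoke)   # without -Revoke the script only reports
    $ca = Get-CAName
    Write-Host "CA instance: $ca"

    $issued  = @(Get-CARequests -Disposition 20)
    $pending = @(Get-CARequests -Disposition 9)
    Write-Host "Issued (unrevoked) certificates: $($issued.Count)"
    $issued | Format-Table RequestID, SerialNumber, Requester, NotAfter -AutoSize
    Write-Host "Pending requests: $($pending.Count)"

    Write-Host 'PKI objects in the configuration partition:'
    Get-ADPKIObjects | Format-Table Class, DN -AutoSize

    Write-Host 'Key containers on this host (find the CA name here before any certutil -delkey):'
    certutil -key

    if (-not $Revoke) {
        Write-Host 'Report only. Re-run with -Revoke to revoke issued certs, deny pending requests and publish a CRL.'
        return
    }
    foreach ($c in $issued) {
        # Reason 5 = CeaseOfOperation, the same choice as "Cease of Operation" in the MMC.
        certutil -revoke $c.SerialNumber 5
    }
    foreach ($p in $pending) { certutil -deny $p.RequestID }
    certutil -CRL   # publish a new base CRL that carries the revocations
}

Invoke-CADecommissionPrep
```

Run it once without -Revoke first: the issued-certificate table tells you which two certificates are still live and who requested them, and the PKI object listing is the checklist for the Active Directory cleanup that the GUI uninstall does not do for you.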


Thanks for the comment Jzel. :-)
Shreedhar's solution was perfect. Jzel put on this page the exact step-by-step solution that Shreedhar used (word for word).
Thank you both for quick responses to an interesting problem :-)