Relocating Windows 2000 Certificate Services
Posted on 2004-03-31
This is a three-part question really. First of all, we have a Certificate Authority running on our Windows 2000 network, only no one remembers what it was installed as, stand-alone or enterprise. Is there a way to check which method was used during install? Nothing in the registry suggests how it was installed.
Second, the original intention of this Certificate Authority was to issue a Certificate to achieve SSL login on an IIS 5.0 Web Server. Since its implementation, all of the domain controllers began requesting certificates from the CA. (The CA was not installed on a Domain Controller but on a stand-alone Windows 2000. The setting for publishing certificates in the Active Directory is turned on.) So now we want to decommission this server that has the CA on it. We are not concerned about the Web Server certificate going bad because we plan to install a new CA on a different server and we can reissue the certificate once that is done. What we are concerned about is the fact that all the DCs have certificates that were created based on the "DC Template." If we uninstall this CA, will it affect the DCs? Is there a way we can remove these certificates before we uninstall the CA?
Last, we just ran the Windows 2003 adprep /forestprep and /domainprep on our Active Directory, brought our first Windows 2003 DC online, and transferred all FSMO roles to it. This DC received an error message that it could not obtain a certificate because the CA could not be found, which was expected because the CA server was turned off. Once we turned it back on, the Windows 2003 DC got an error, Event ID: 13, Source: AutoEnrollment, "Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070008). Not enough storage is available to process this command." Is this a compatibility issue with the 2000 CA? Do we have to install the new CA on a Windows 2003 machine? Or better yet, how do we stop the DCs from requesting DC Certificates once we install a new CA?
Trammell Crow Residential