Relocating Windows 2000 Certificate Services

This is a three-part question really.  First of all, we have a Certificate Authority running on our Windows 2000 network, only no one remembers what it was installed as, stand-alone or enterprise.  Is there a way to check which method was used during install?  Nothing in the registry suggests how it was installed.

Second, the original intention of this Certificate Authority was to issue a Certificate to achieve SSL login on an IIS 5.0 Web Server.  Since its implementation, all of the domain controllers began requesting certificates from the CA.  (The CA was not installed on a Domain Controller but on a stand-alone Windows 2000.  The setting for publishing certificates in the Active Directory is turned on.)  So now we want to decommission this server that has the CA on it.  We are not concerned about the Web Server certificate going bad because we plan to install a new CA on a different server and we can reissue the certificate once that is done.  What we are concerned about is the fact that all the DCs have certificates that were created based on the "DC Template."  If we uninstall this CA, will it affect the DCs?  Is there a way we can remove these certificates before we uninstall the CA?

Last, we just ran the Windows 2003 adprep /forestprep and /domainprep on our Active Directory and brought our first Windows 2003 DC online and transferred all FSMO roles to it.  This DC received an error message that it could not obtain a certificate because the CA could not be found, which was expected because the CA server was turned off.  Once we turned it back on, the Windows 2003 DC got an error Event ID: 13 Source: AutoEnrollment "Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070008).  Not enough storage is available to process this command."  Is this a compatibility issue with the 2000 CA?  Do we have to install the new CA on a Windows 2003 machine?  Or better yet, how do we stop the DCs from requesting DC Certificates once we install a new CA?

Thank you,
John Biggs
Network Engineer
Trammell Crow Residential

ccallison Commented:
Your question has some inconsistent facts.  You mentioned that the CA was installed on a standalone Windows 2000.  This precludes the possibility of it being any type of enterprise CA.  But you mentioned that your DCs are getting autoenrolled certs from it, so my guess is that you meant a member server.  The fact the DCs are (or were) receiving Domain Controller certs from it means that it was an enterprise CA.  I would guess that it was not a subordinate CA, because you would know if you had an external cert installed from somewhere like Verisign, right?

The best tool to look for these is the Certificates MMC, which is not installed by default, even with the full Admin tools install.  You will need to open a blank MMC and then add the correct snap-in.  You want to look at computer certs when asked what to select.

You will need to uninstall the CA properly, which should remove the settings from AD.  You should also remove the root CA cert and the Domain Controller certs from each DC and double-check all group policies which affect your DCs.  Look at "Computer Configuration|Windows Settings|Security Settings|Public Key Policies|Automatic Certificate Requests" and remove anything you find.

You should also check in the Sites and Services and delete anything left over that refers to your old CA server, but only after you uninstall the CA. Check the AIA, CDP, Certificate Authorities and Enrollment Services containers.  Don't touch any of the templates.

For the future, if you only want a cert for an IIS server, consider buying an external cert, even if the server is only going to be visible inside your network.  Or, set up the next one as a non-enterprise.  That way it won't autoenroll anything - it can't!

Happy Hunting!
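The inventory steps discussed in the question (which CA type was installed) and in the answer above (which DC certificates the CA issued, and what it registered in Active Directory) can be scripted. The following PowerShell is an added example, not code from either poster or from Microsoft; it assumes a current PowerShell session on a domain-joined admin workstation with PowerShell remoting enabled to the DCs, that the CA type is recorded in the CertSvc configuration key as the CAType value, and every host and CA name in it is a placeholder.

```powershell
# Added example, not part of the thread: inventory what an old enterprise CA
# has left behind before it is uninstalled. Run from an elevated PowerShell
# session on a domain-joined admin workstation; step 1 must run on the CA
# server itself. All host and CA names are placeholders.

# --- 1. Which CA type was installed? ---------------------------------------
# Assumption: the CA type is stored as the CAType value under the CertSvc
# configuration key. The numbers follow the ENUM_CATYPES enumeration used by
# Certificate Services.
function Get-CaType {
    $typeNames = @{ 0 = 'Enterprise Root CA'; 1 = 'Enterprise Subordinate CA';
                    3 = 'Stand-alone Root CA'; 4 = 'Stand-alone Subordinate CA' }
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    foreach ($ca in Get-ChildItem $base) {
        $t = (Get-ItemProperty $ca.PSPath -Name CAType).CAType
        [pscustomobject]@{ CA = $ca.PSChildName; CAType = $typeNames[[int]$t] }
    }
}
# certutil reports the same thing on the CA server without reading the registry:
#   certutil -cainfo type

# --- 2. Is the CA registered in Active Directory? ---------------------------
# Only an enterprise CA gets a pKIEnrollmentService object under Enrollment
# Services; that object is how domain controllers locate it and autoenroll.
# These are the containers the answer says to clean up after the uninstall.
function Get-EnterpriseCaRegistrations {
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $pks = "CN=Public Key Services,CN=Services,$configNc"
    foreach ($container in 'Enrollment Services', 'Certification Authorities', 'AIA', 'CDP') {
        $node = [ADSI]"LDAP://CN=$container,$pks"
        foreach ($child in $node.Children) {
            [pscustomobject]@{
                Container = $container
                Name      = [string]$child.cn
                Host      = [string]$child.dNSHostName   # populated on Enrollment Services entries
            }
        }
    }
}

# --- 3. Which DC certificates did it issue? ---------------------------------
# Looks in each DC's machine store for certificates issued by the old CA and
# reports the template name from the v1 template-name extension
# (OID 1.3.6.1.4.1.311.20.2), which reads "DomainController" for the DC template.
function Get-DcCertsFromCa {
    param([string]$CaCommonName, [string[]]$DomainControllers)
    Invoke-Command -ComputerName $DomainControllers -ScriptBlock {
        param($issuerCn)
        Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Issuer -like "*CN=$issuerCn*" } |
            ForEach-Object {
                $cert = $_
                $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
                [pscustomobject]@{
                    DC         = $env:COMPUTERNAME
                    Thumbprint = $cert.Thumbprint
                    Template   = if ($tmpl) { $tmpl.Format($false).Trim() } else { '(none)' }
                    NotAfter   = $cert.NotAfter
                }
            }
    } -ArgumentList $CaCommonName
}

# Usage (placeholders). Review the inventory first; uninstall the CA, and only
# then delete leftover objects in the AD containers, as the answer describes.
# Get-CaType                                   # run on the CA server
# Get-EnterpriseCaRegistrations | Format-Table
# Get-DcCertsFromCa -CaCommonName 'Old Corp CA' -DomainControllers 'DC01', 'DC02'
```

The third function is the scripted equivalent of opening the Certificates MMC against the computer store on every DC: filtering on the issuer name finds everything the old CA signed, and the template extension separates the Domain Controller certificates from anything else so they can be removed deliberately rather than by guessing from the subject name.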
jbiggs (Author) Commented:
Thank you for the reply ccallison.

You are right, I called it stand-alone when I should have called it a member-server.  The machine the CA was installed on is a domain member-server that is not a DC.

So basically you are saying that if the DCs are requesting certificates from the CA then it was absolutely, positively, without a doubt installed as an Enterprise CA.  So if we install it as a Stand-alone CA then the DCs won't request certificates.  And to answer your last question, why bother paying Verisign for a certificate when you have already paid for Windows Server?  IT departments love throwing money away when doing things themselves is relatively simple.

You also said that the proper procedure for removing the CA is to uninstall it using the add/remove programs wizard.  Then to go to each DC and remove the certificate(s) as well as remove any Public Key Policies from any group policies in the domain that affect the DCs and to finally remove any certificate entries in the Sites and Services MMC.

I will give it a go and let you know if it works.  I love how Microsoft tells you that you cannot remove an Enterprise CA from a domain once it has been installed.  Someone always knows it can be done and how to do it.

John Biggs
Network Engineer
Trammell Crow Residential
You can always remove a CA from any machine in any role.  You just need to do it in the correct order.  It can't be renamed or demoted until the CA is uninstalled.