Relocating Windows 2000 Certificate Services

Posted on 2004-03-31
Last Modified: 2013-12-04
This is a three-part question really.  First of all, we have a Certificate Authority running on our Windows 2000 network, only no one remembers what it was installed as, stand-alone or enterprise.  Is there a way to check which method was used during install?  Nothing in the registry suggests how it was installed.

Second, the original intention of this Certificate Authority was to issue a Certificate to achieve SSL login on an IIS 5.0 Web Server.  Since its implementation, all of the domain controllers began requesting certificates from the CA.  (The CA was not installed on a Domain Controller but on a stand-alone Windows 2000.  The setting for publishing certificates in the Active Directory is turned on.)  So now we want to decommission this server that has the CA on it.  We are not concerned about the Web Server certificate going bad because we plan to install a new CA on a different server and we can reissue the certificate once that is done.  What we are concerned about is the fact that all the DCs have certificates that were created based on the "DC Template."  If we uninstall this CA, will it affect the DCs?  Is there a way we can remove these certificates before we uninstall the CA?

Last, we just ran the Windows 2003 adprep /forestprep and /domainprep on our Active Directory and brought our first Windows 2003 DC online and transferred all FSMO roles to it.  This DC received an error message that it could not obtain a certificate because the CA could not be found, which was expected because the CA server was turned off.  Once we turned it back on the Windows 2003 DC got an error Event ID: 13 Source: AutoEnrollment "Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070008).  Not enough storage is available to process this command."  Is this a compatibility issue with the 2000 CA?  Do we have to install the new CA on a Windows 2003 machine?  Or better yet, how do we stop the DCs from requesting DC Certificates once we install a new CA?

Thank you,
John Biggs
Network Engineer
Trammell Crow Residential
Question by:jbiggs

Accepted Solution

ccallison earned 500 total points
Your question has some inconsistent facts.  You mentioned that the CA was installed on a standalone Windows 2000.  This precludes the possibility of it being any type of enterprise CA.  But you mentioned that your DCs are getting autoenrolled certs from it, so my guess is that you meant a member server.  The fact that the DCs are (or were) receiving Domain Controller certs from it means that it was an enterprise CA.  I would guess that it was not a subordinate CA, because you would know if you had an external cert installed from somewhere like Verisign, right?

The best tool to look for these is the Certificates MMC, which is not installed by default, even with the full Admin tools install.  You will need to open a blank MMC and then add the correct snap-in.  You want to look at computer certs when asked what to select.

You will need to uninstall the CA properly, which should remove the settings from AD.  You should also remove the root CA cert and the Domain Controller certs from each DC and double-check all group policies which affect your DCs.  Look at "Computer Configuration|Windows Settings|Security Settings|Public Key Policies|Automatic Certificate Requests" and remove anything you find.

You should also check in the Sites and Services and delete anything left over that refers to your old CA server, but only after you uninstall the CA. Check the AIA, CDP, Certificate Authorities and Enrollment Services containers.  Don't touch any of the templates.

For the future, if you only want a cert for an IIS server, consider buying an external cert, even if the server is only going to be visible inside your network.  Or, set up the next one as a non-enterprise.  That way it won't autoenroll anything - it can't!

Happy Hunting!
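The checks in the accepted solution, written up as an added PowerShell script (this is not code from the thread or from Microsoft; it is an illustration of the same procedure).  It does four things: reads the CA type from the CA's own registry key, lists the enterprise CAs registered in the AD "Enrollment Services" container (a stand-alone CA never appears there, which is why it cannot autoenroll anything), finds Domain Controller certificates in the local machine store issued by the old CA and optionally removes them, and after the uninstall searches the AIA, CDP, Certification Authorities and Enrollment Services containers for leftovers that still name the old server.  It deliberately never touches the Certificate Templates container.  The hostname OLDCA, the CA name "Contoso Root CA", the -RemoveDcCerts switch and the assumption that the CAType registry value and the ACRS policy key are present are all mine; the Automatic Certificate Request setting itself should still be removed in the GPO editor as described above.

```powershell
# Added example, not code from the original thread. Inventories an enterprise
# CA's footprint before and after decommissioning it. Assumes a domain-joined
# Windows machine with PowerShell; step 1a only means anything on the CA server.
# $OldCaHost and $OldCaName are hypothetical values. Nothing is deleted unless
# -RemoveDcCerts is passed.
param(
    [string]$OldCaHost = 'OLDCA',            # hypothetical: hostname of the CA being retired
    [string]$OldCaName = 'Contoso Root CA',  # hypothetical: CA common name (issuer CN)
    [switch]$RemoveDcCerts
)

# --- 1a. CA type from the CA's own registry (run on the CA server) ---
# Assumption: the CAType value is present under the CertSvc configuration key;
# values follow ENUM_CATYPES in certsrv.h: 0 Enterprise Root, 1 Enterprise
# Subordinate, 3 Standalone Root, 4 Standalone Subordinate.
$caTypeNames = @{ 0 = 'Enterprise Root'; 1 = 'Enterprise Subordinate';
                  3 = 'Standalone Root'; 4 = 'Standalone Subordinate' }
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (Test-Path $cfgKey) {
    foreach ($ca in Get-ChildItem $cfgKey) {
        $t = (Get-ItemProperty $ca.PSPath).CAType
        if ($t -ne $null) {
            "Local CA '{0}': CAType={1} ({2})" -f $ca.PSChildName, $t, $caTypeNames[[int]$t]
        }
    }
} else { "No Certificate Services configuration key on this machine." }

# --- 1b. CA type from AD: only an enterprise CA registers a pKIEnrollmentService
# object under Public Key Services, and that registration is what lets domain
# members (including DCs) autoenroll from it. ---
$rootDse = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

function Find-PkiObjects([string]$Container, [string]$Filter) {
    # Subtree search under one of the Public Key Services containers;
    # returns SearchResult objects.
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://CN=$Container,$pkiBase"
    $s.Filter      = $Filter
    $s.SearchScope = 'Subtree'
    [void]$s.PropertiesToLoad.AddRange(@('cn', 'dNSHostName', 'distinguishedName'))
    $s.FindAll()
}

foreach ($r in Find-PkiObjects 'Enrollment Services' '(objectClass=pKIEnrollmentService)') {
    "Enterprise CA registered in AD: '{0}' on {1}" -f $r.Properties['cn'][0], $r.Properties['dnshostname'][0]
}

# --- 2. Domain Controller certificates on this machine issued by the old CA ---
# v1 templates stamp their name into the Certificate Template Name extension
# (OID 1.3.6.1.4.1.311.20.2); the DC template's internal name is "DomainController".
$templateOid = '1.3.6.1.4.1.311.20.2'
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$dcCerts = @($store.Certificates | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    $ext -and ($ext.Format($false) -match 'DomainController') -and
        ($_.Issuer -match [regex]::Escape($OldCaName))
})
foreach ($c in $dcCerts) {
    "DC cert from old CA: subject={0} thumbprint={1} expires={2}" -f $c.Subject, $c.Thumbprint, $c.NotAfter
    if ($RemoveDcCerts) { $store.Remove($c); "  removed" }
}
$store.Close()

# --- 3. Evidence that an Automatic Certificate Request policy still applies here ---
# Assumption: the ACRS setting delivered by Group Policy lands as CTL entries under
# this key. Clear the setting in the GPO and refresh policy instead of editing it.
$acrsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ACRS\CTLs'
if (Test-Path $acrsKey) {
    "ACRS policy still applied on this machine: {0} entries" -f @(Get-ChildItem $acrsKey).Count
}

# --- 4. Leftover AD PKI objects that still name the old CA (run after the uninstall) ---
# The Certificate Templates container is intentionally not searched or modified.
$nameFilter = "(|(cn=*$OldCaHost*)(cn=*$OldCaName*)(dNSHostName=$OldCaHost*))"
foreach ($container in 'AIA', 'CDP', 'Certification Authorities', 'Enrollment Services') {
    foreach ($r in Find-PkiObjects $container $nameFilter) {
        "Leftover in {0}: {1}" -f $container, $r.Properties['distinguishedname'][0]
    }
}
```

Run it once before the uninstall to confirm the CA really is an enterprise CA and to see which DCs hold its certificates, then again afterwards with the same parameters to confirm the Enrollment Services, AIA, CDP and Certification Authorities containers no longer reference the old server; anything still listed in step 4 is what the answer says to delete by hand in Sites and Services.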

Author Comment

Thank you for the reply ccallison.

You are right, I called it stand-alone when I should have called it a member-server.  The machine the CA was installed on is a domain member-server that is not a DC.

So basically you are saying that if the DCs are requesting certificates from the CA then it was absolutely, positively, without a doubt installed as an Enterprise CA.  So if we install it as a Stand-alone CA then the DCs won't request certificates.  And to answer your last question, why bother paying Verisign for a certificate when you have already paid for Windows Server?  IT departments love throwing money away when doing things themselves is relatively simple.

You also said that the proper procedure for removing the CA is to uninstall it using the add/remove programs wizard.  Then to go to each DC and remove the certificate(s) as well as remove any Public Key Policies from any group policies in the domain that affect the DCs and to finally remove any certificate entries in the Sites and Services MMC.

I will give it a go and let you know if it works.  I love how Microsoft tells you that you cannot remove an Enterprise CA from a domain once it has been installed.  Someone always knows it can be done and how to do it.

John Biggs
Network Engineer
Trammell Crow Residential

Expert Comment

You can always remove a CA from any machine in any role.  You just need to do it in the correct order.  It can't be renamed or demoted until the CA is uninstalled.
