Relocating Windows 2000 Certificate Services

jbiggs asked on
This is a three-part question really.  First of all, we have a Certificate Authority running on our Windows 2000 network, only no one remembers what it was installed as, stand-alone or enterprise.  Is there a way to check which method was used during install?  Nothing in the registry suggests how it was installed.

Second, the original intention of this Certificate Authority was to issue a Certificate to achieve SSL login on an IIS 5.0 Web Server.  Since its implementation, all of the domain controllers began requesting certificates from the CA.  (The CA was not installed on a Domain Controller but on a stand-alone Windows 2000.  The setting for publishing certificates in the Active Directory is turned on.)  So now we want to decommission this server that has the CA on it.  We are not concerned about the Web Server certificate going bad because we plan to install a new CA on a different server and we can reissue the certificate once that is done.  What we are concerned about is the fact that all the DCs have certificates that were created based on the "DC Template."  If we uninstall this CA, will it affect the DCs?  Is there a way we can remove these certificates before we uninstall the CA?

Last, we just ran the Windows 2003 adprep /forestprep and /domainprep on our Active Directory and brought our first Windows 2003 DC online and transferred all FSMO roles to it.  This DC received an error message that it could not obtain a certificate because the CA could not be found, which was expected because the CA server was turned off.  Once we turned it back on, the Windows 2003 DC got an error, Event ID:13 Source: AutoEnrollment "Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070008).  Not enough storage is available to process this command."  Is this a compatibility issue with the 2000 CA?  Do we have to install the new CA on a Windows 2003 machine?  Or better yet, how do we stop the DCs from requesting DC Certificates once we install a new CA?

Thank you,
John Biggs
Network Engineer
Trammell Crow Residential