jbiggs asked:
Relocating Windows 2000 Certificate Services

This is a three-part question really.  First of all, we have a Certificate Authority running on our Windows 2000 network, only no one remembers what it was installed as, stand-alone or enterprise.  Is there a way to check which method was used during install?  Nothing in the registry suggests how it was installed.

Second, the original intention of this Certificate Authority was to issue a Certificate to achieve SSL login on an IIS 5.0 Web Server.  Since its implementation, all of the domain controllers began requesting certificates from the CA.  (The CA was not installed on a Domain Controller but on a stand-alone Windows 2000.  The setting for publishing certificates in the Active Directory is turned on.)  So now we want to decommission this server that has the CA on it.  We are not concerned about the Web Server certificate going bad because we plan to install a new CA on a different server and we can reissue the certificate once that is done.  What we are concerned about is the fact that all the DCs have certificates that were created based on the "DC Template."  If we uninstall this CA, will it affect the DCs?  Is there a way we can remove these certificates before we uninstall the CA?

Last, we just ran the Windows 2003 adprep /forestprep and /domainprep on our Active Directory and brought our first Windows 2003 DC online and transferred all FSMO roles to it.  This DC received an error message that it could not obtain a certificate because the CA could not be found, which was expected because the CA server was turned off.  Once we turned it back on, the Windows 2003 DC got an error, Event ID 13, Source: AutoEnrollment: "Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070008).  Not enough storage is available to process this command."  Is this a compatibility issue with the 2000 CA?  Do we have to install the new CA on a Windows 2003 machine?  Or better yet, how do we stop the DCs from requesting DC Certificates once we install a new CA?

Thank you,
John Biggs
Network Engineer
Trammell Crow Residential
ASKER CERTIFIED SOLUTION
ccallison
jbiggs (asker):
Thank you for the reply ccallison.

You are right, I called it stand-alone when I should have called it a member-server.  The machine the CA was installed on is a domain member-server that is not a DC.

So basically you are saying that if the DCs are requesting certificates from the CA then it was absolutely, positively, without a doubt installed as an Enterprise CA.  So if we install it as a Stand-alone CA then the DCs won't request certificates.  And to answer your last question, why bother paying Verisign for a certificate when you have already paid for Windows Server?  IT departments love throwing money away when doing things themselves is relatively simple.

You also said that the proper procedure for removing the CA is to uninstall it using the add/remove programs wizard.  Then to go to each DC and remove the certificate(s) as well as remove any Public Key Policies from any group policies in the domain that affect the DCs and to finally remove any certificate entries in the Sites and Services MMC.

I will give it a go and let you know if it works.  I love how Microsoft tells you that you cannot remove an Enterprise CA from a domain once it has been installed.  Someone always knows it can be done and how to do it.

John Biggs
Network Engineer
Trammell Crow Residential
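The procedure summarised above (uninstall the CA, then clear the DC certificates it issued) and the earlier question about how the CA was installed are both things a present-day administrator would script; the PowerShell below is an added example, not code from this thread or from Microsoft. It assumes PowerShell 2.0 or later on the CA server and on each DC, a placeholder CA common name 'OLD-CA-NAME', the CAType registry value that Certificate Services keeps under its Configuration key (values as in ENUM_CATYPES from certsrv.h), and the V1 "DomainController" template name carried in the certificate-template extension OID 1.3.6.1.4.1.311.20.2.

```powershell
# Added example for this thread; not the original poster's or Microsoft's code.
# Assumptions: PowerShell 2.0+, placeholder CA name 'OLD-CA-NAME', V1 template extension
# OID 1.3.6.1.4.1.311.20.2 carrying the template name "DomainController".

# Run on the CA server: report the install type from the CAType value under the
# Certificate Services Configuration key (mapping from ENUM_CATYPES in certsrv.h).
function Get-CaInstallType {
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $caType = (Get-ItemProperty -Path (Join-Path $cfg $caName) -Name CAType).CAType
    $names = @{ 0 = 'Enterprise Root'; 1 = 'Enterprise Subordinate';
                3 = 'Standalone Root'; 4 = 'Standalone Subordinate' }
    $label = $names[[int]$caType]
    if (-not $label) { $label = "Unknown ($caType)" }
    New-Object PSObject -Property @{ CAName = $caName; CAType = $caType; InstallType = $label }
}

# Run on each DC before the CA is uninstalled: list only the machine certificates that
# the old CA issued from the DomainController template, so the removal step is scoped
# to those and leaves everything else in the store (e.g. an IIS SSL certificate) alone.
function Get-OldCaDcCertificates {
    param([Parameter(Mandatory=$true)][string]$OldCaName)
    $templateOid = '1.3.6.1.4.1.311.20.2'   # V1 certificate-template extension
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Issuer -match "CN=$([regex]::Escape($OldCaName))(,|$)" -and
        ($_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid } |
            ForEach-Object { $_.Format($false) }) -match 'DomainController'
    }
}

# Remove the matches through the .NET X509Store API (works on PowerShell 2.0).
# Supports -WhatIf so the list can be reviewed before anything is deleted.
function Remove-OldCaDcCertificates {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$OldCaName)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        foreach ($cert in Get-OldCaDcCertificates -OldCaName $OldCaName) {
            if ($PSCmdlet.ShouldProcess($cert.Thumbprint, "Remove DC certificate issued by $OldCaName")) {
                $store.Remove($cert)
            }
        }
    } finally { $store.Close() }
}

# Usage: Get-CaInstallType                      (on the CA server)
#        Remove-OldCaDcCertificates -OldCaName 'OLD-CA-NAME' -WhatIf   (on each DC, dry run)
```

Drop the -WhatIf once the listed thumbprints are the ones expected; the Public Key Policies in group policy and the entries under Sites and Services still have to be cleaned up separately, as the procedure above says.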

You can always remove a CA from any machine in any role.  You just need to do it in the correct order.  It can't be renamed or demoted until the CA is uninstalled.