Can I safely Remove our certificate authority in our Active Directory network?

We currently have a root ca setup on a 2003 std box.  I only used it for one self signed cert.  I noticed that it has given out certs to domain controllers.  If I remove ca from this server will this break anything?  I want to install ca on our 2003 enterprise server to take advantage of windows mobile device manager.  I want it to be the root ca instead of a subordinate that is why I want to remove it from one server.  Also what if I want to phase out one of these ca's, how could I do this without causing issues?

Thanks

LSB-ITAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ParanormasticCryptographic EngineerCommented:
How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250
 
How to move a CA to another server:
http://support.microsoft.com/kb/298138

Also, as a side note, you might want to reconsider not having a two tier infrastructure.  You may not need it now, but you might really want it later.  This makes things easier when dealing with multiple domains, migrating CA's, handling extra load, etc.  Keep the root offline - don't even join it to a domain, that way it is domain independent and will not be affected by whatever you do to your domain.  2003 or 2008 standard edition is fine for creating and enterprise root CA, for the issuing subordinate, use 2003 or 2008 enterprise edition.  

Usually setting up the root in a VM environment helps cut the cost down a little bit, and you can configure a private network between the root and subordinate for pushing the CRL over - just create a script to publish the CRL 'certuti -crl' to run every 1/2 the CRL validity period specified in the CA console.  Then just map a drive to the sub CA and copy it over there, then have the sub CA copy that and its own CRL to the CRL distribution points.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.