achernob

Problem with Microsoft Root CA

Here is the problem. About a couple of months ago, while troubleshooting an IAS authentication problem, one of the admins here installed a server as an Enterprise Root CA. This was a remote server in a field office, and this should never have been done. I think he saw the error of his ways, and quickly removed Certificate Authority Services from the server.

Fast forward now a couple months, and I need to install an Enterprise CA on a DC here, and begin issuing certificates.

Whenever I use the Certificates MMC snap-in to request a certificate, the server that is displayed by the wizard as the CA to request the certificate from is the one that was built in error on a remote server and later removed, and not the correct one that I just installed at the home office.

I have a sinking feeling that the name of the CA is stored somewhere in AD, and cannot be changed (hence all the stuff about not renaming a server once it becomes a CA).  So even though Enterprise CA was removed from the server in the field, AD thinks it is still there, and there is no way for me to have those services on a server with a different name.

Am I correct in my assumption?

Is there anything I can do to correct this problem short of restoring AD from a system state prior to the installation at the remote site?

Does my question even make sense?
Windows Server 2003

Last Comment
Paranormastic

8/22/2022 - Mon