Certificate Authority on Active Directory 2003 PDC

Posted on 2009-04-02
Last Modified: 2012-05-06
I have discovered that we have a CA running on our GC server. Does anyone know if there are any default certificate dependencies involved in a 2003 native forest? I can see that we're also doing IAS for wireless and VPN authentication and so the certs may be for a combination of that and other IIS certs but... I'm afraid to move it to a new server. Some of the certs appear to be issued to other AD integrated DC's. I can't remember if AD uses certs for anything or if it was all added after the fact. Second question: does a CA and/or IAS need to run on a DC for any reason? Thanks to all!!!
Question by:marksheeks
LVL 30

Assisted Solution

LauraEHunterMVP earned 50 total points
ID: 24055451
If you remove the CA role from this server, one assumes that you will be installing the role on a different and differently-named server. If this is the case, all certificates will need to be re-issued from the new CA.

I'm unclear as to why you wish to remove this CA when you are uncertain whether, or for what, it is being used.

Author Comment

ID: 24055874
Thanks Laura. We are responding to a forced migration of all servers from one subnet to another. Therefore all servers (including DC's, Radius, email, etc) are changing IP addresses. In this process, some are being virtualized into ESX using the VMware converter while others are being replaced by new Guest Operating systems and then having all of their roles rebuilt or transferred over. Yes, part of my requirements are definitely to find out where/why all of these certs are being issued. One perplexing thing is that the CA is issuing certs to other DC's on a regular basis. I'm not sure why or quite how to pursue it in the time I have. I guess I'm searching for tribal knowledge to shortcut the process but also I'm trying to figure out what dependencies exist natively between AD and a local CA. I thought I remembered running a new forest with no local CA at all. Does this wash? I appreciate your time.
LVL 18

Assisted Solution

Americom earned 150 total points
ID: 24056330
Your CA can be used for issuing certificates to web-based applications, Web sites, PCs, wireless etc. Your IAS is more probably for wireless authentication as well as for wired auto port authentication etc.
Both CA and IAS can be on a member server. If the IAS and CA on your DC are currently on Enterprise edition, you should move/create your IAS and CA on a member server with Enterprise edition, as there are limitations when it is on a member server with Standard edition.
If you are not too sure how your CA is being used, you may want to move it to another server instead of creating a new one on a different server. It's just that if you want to move, you need to keep the same servername. Here's a link on how to move your CA to a different server for all versions of the OS:

If you are familiar with CA and how it's being used and how to configure other applications that rely on the CA, you may want to leave the existing one and create a new one, particularly if you want to have a different servername in the end. Worst scenario, monitor the CA for a bit and disable it, and see what happens. You may have complaints that computers cannot authenticate to the wireless network. If you take down IAS, you may get complaints that users or computers cannot authenticate to the wireless or wired port authenticated networks. But of course, you can also study your DC's event log; you may see a lot of events constantly recorded related to these services, particularly for IAS during peak hours.
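One way to do the event-log check described above before touching either service, as an added example that is not part of Americom's answer: it counts IAS and Certificate Services events per hour of day over the last few days, so both the volume of remaining clients and the peak hours are visible. It assumes PowerShell 2.0 on the DC, IAS writing to the System log under the source "IAS" (event 1 = access granted, 2 = access denied), and the CA service writing to the Application log under the source "CertSvc"; check those source names against your own logs.

```powershell
# Added example, not from the thread: profile IAS and CA activity on a DC
# before stopping either service. Assumed log/source names: System/"IAS",
# Application/"CertSvc". Requires PowerShell 2.0 (Get-EventLog, Group-Object).
param([int]$Days = 7)

$since = (Get-Date).AddDays(-$Days)

function Get-HourlyCounts {
    param([string]$LogName, [string]$Source)
    $events = Get-EventLog -LogName $LogName -Source $Source -After $since -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No $Source events found in the $LogName log since $since"
        return
    }
    # One row per hour of day; a group's Name is the hour the events fell in
    $events |
        Group-Object -Property { $_.TimeGenerated.Hour } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Source = $Source
                Hour   = [int]$_.Name
                Count  = $_.Count
            }
        }
}

$ias = Get-HourlyCounts -LogName System -Source IAS
$ca  = Get-HourlyCounts -LogName Application -Source CertSvc

"Events per hour of day, last $Days days:"
@($ias) + @($ca) | Format-Table Source, Hour, Count -AutoSize

# Breakdown of IAS outcomes (assumed IDs: 1 = granted, 2 = denied); a steady
# stream of either means wireless/VPN clients still depend on this IAS box
"IAS events by ID:"
Get-EventLog -LogName System -Source IAS -After $since -ErrorAction SilentlyContinue |
    Group-Object EventID |
    Sort-Object { [int]$_.Name } |
    Format-Table Name, Count -AutoSize
```

Run it once during a normal working day and once over a weekend; if the hourly table for IAS is empty in both runs there is little left to break, while a busy table tells you which client population to migrate first.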
LVL 31

Accepted Solution

Paranormastic earned 300 total points
ID: 24060512
The move guide is good if you are keeping the name of the box the same. Instead you might want to decommission the CA and put up a new one on another box.
How to decom a CA server properly from AD:

Alternatively, a less risky method would be to stop certificate services on the DC and then set up a new one in parallel without decommissioning it until the DC's CA certificate has expired.  Use Certification Authorities MMC before shutting down the CA services on the DC to delete all the templates listed on that CA (it will keep the templates in AD when you delete in the CA MMC) and then just assign them to the new CA and that will take over the new autoenrollment events as they come up over time.

A CA should not be installed on a DC.  It is bad practice and will get in the way during things like running dcpromo.  For most companies, a 2 tier CA running in virtual machines is advised.  A standalone root on standard edition 03 or 08 that is kept offline, so don't join it to the domain - store this image on a removable hard drive to keep it extra secure.  The second tier would be an online issuing CA, in most cases an enterprise subordinate CA on enterprise edition OS joined to the domain.

The DC's are probably getting 3 certs each which is normal when an enterprise CA is installed - Domain Controller cert, Domain Controller Authentication cert, and Directory Email Replication cert.  Although all 3 may or may not be necessary, in virtually all cases it does no real harm to keep all three going - don't bother wasting the time.  The only thing of potential concern (especially if you have a CA you didn't know about) is to check to see what boxes those certs are being issued to so you know there aren't any unauthorized DCs floating around too!
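The "which boxes are those certs being issued to" check from the accepted answer, as an added example that is not part of Paranormastic's answer: it pulls every issued certificate for the three DC templates out of the CA database with certutil, then compares the requester account of each against the computer objects that AD itself flags as domain controllers, so anything holding a DC certificate without being a DC stands out. It assumes PowerShell 2.0 on a domain-joined box with certutil.exe and read access to the CA database, the placeholder CA config string `CAHOST\Contoso-CA` (replace with the value from `certutil -dump`), the V1 template names `DomainController`, `DomainControllerAuthentication` and `DirectoryEmailReplication`, and that certutil's `csv` output keyword and `Disposition=20` (issued) restriction are available on your CA version.

```powershell
# Added example, not from the thread: list holders of DC-type certificates in the
# CA database and flag requesters that are not DCs according to AD.
# Assumptions: PowerShell 2.0, certutil.exe, CA read access; $CaConfig is a placeholder.
param(
    [string]$CaConfig = "CAHOST\Contoso-CA",   # placeholder: use "certutil -dump" for the real value
    [string[]]$Templates = @("DomainController", "DomainControllerAuthentication", "DirectoryEmailReplication")
)

# 1. Known DCs: computer objects with SERVER_TRUST_ACCOUNT (0x2000) set in userAccountControl.
#    Keyed by sAMAccountName (e.g. DC01$), which is how the CA records machine requesters.
$searcher = [ADSISearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
$searcher.PropertiesToLoad.AddRange(@("samaccountname", "dnshostname")) | Out-Null
$knownDCs = @{}
foreach ($r in $searcher.FindAll()) {
    $sam = [string]$r.Properties["samaccountname"][0]
    $knownDCs[$sam.ToUpper()] = [string]$r.Properties["dnshostname"][0]
}

# 2. Issued certificates per template from the CA database (Disposition 20 = issued).
#    The trailing "csv" keyword makes certutil emit a header row plus one row per request;
#    the header is skipped and our own column names are applied so display names don't matter.
$issued = foreach ($t in $Templates) {
    $restrict = "Disposition=20,CertificateTemplate=$t"
    $rows = & certutil -config $CaConfig -view -restrict $restrict -out "RequesterName,NotAfter" csv
    if ($LASTEXITCODE -ne 0) { Write-Warning "certutil -view failed for template $t"; continue }
    $rows | Select-Object -Skip 1 | ConvertFrom-Csv -Header RequesterName, NotAfter |
        ForEach-Object { $_ | Add-Member -MemberType NoteProperty -Name Template -Value $t -PassThru }
}

# 3. Compare each requester (DOMAIN\HOST$) with the DC list.
$report = foreach ($row in $issued) {
    $acct = (($row.RequesterName -split '\\')[-1]).ToUpper()
    New-Object PSObject -Property @{
        Requester = $row.RequesterName
        Template  = $row.Template
        NotAfter  = $row.NotAfter
        KnownDC   = $knownDCs.ContainsKey($acct)
    }
}

"All DC-template certificates on $CaConfig:"
$report | Sort-Object Requester, Template | Format-Table Requester, Template, NotAfter, KnownDC -AutoSize

"Requesters holding DC certificates that are NOT domain controllers in AD:"
$report | Where-Object { -not $_.KnownDC } | Select-Object -Unique Requester
```

A requester in the second list is either a DC that has since been demoted (its certificates should then be revoked) or a machine that was never a DC, which is exactly the case the accepted answer warns about and worth investigating before the CA is migrated.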
