

Certificate Authority on Active Directory 2003 PDC

Posted on 2009-04-02
Medium Priority
Last Modified: 2012-05-06
I have discovered that we have a CA running on our GC server. Does anyone know if there are any default certificate dependencies involved in a 2003 native forest? I can see that we're also doing IAS for wireless and VPN authentication, and so the certs may be for a combination of that and other IIS certs, but..... I'm afraid to move it to a new server. Some of the certs appear to be issued to other AD-integrated DCs. I can't remember if AD uses certs for anything or if it was all added after the fact. Second question: does a CA and/or IAS need to run on a DC for any reason? Thanks to all!!!
Question by: marksheeks
LVL 30

Assisted Solution

LauraEHunterMVP earned 200 total points
ID: 24055451
If you remove the CA role from this server, one assumes that you will be installing the role on a different and differently-named server. If this is the case, all certificates will need to be re-issued from the new CA.

I'm unclear as to why you wish to remove this CA when you are uncertain whether, or for what, it is being used.

Author Comment

ID: 24055874
Thanks Laura. We are responding to a forced migration of all servers from one subnet to another. Therefore all servers (including DCs, RADIUS, email, etc.) are changing IP addresses. In this process, some are being virtualized into ESX using the VMware converter while others are being replaced by new guest operating systems and then having all of their roles rebuilt or transferred over. Yes, part of my requirements is definitely to find out where/why all of these certs are being issued. One perplexing thing is that the CA is issuing certs to other DCs on a regular basis. I'm not sure why or quite how to pursue it in the time I have. I guess I'm searching for tribal knowledge to shortcut the process, but also I'm trying to figure out what dependencies exist natively between AD and a local CA. I thought I remembered running a new forest with no local CA at all. Does this wash? I appreciate your time.
LVL 18

Assisted Solution

Americom earned 600 total points
ID: 24056330
Your CA can be used for issuing certificates to web-based applications, Web sites, PCs, wireless, etc. Your IAS is more probably for wireless authentication as well as wired auto port authentication, etc.
Both CA and IAS can be on a member server. If the IAS and CA on your DC are currently on Enterprise edition, you should move/create your IAS and CA on a member server with Enterprise edition, as there are limitations when it is on a member server with Standard edition.
If you are not too sure how your CA is being used, you may want to move it to another server instead of creating a new one on a different server. It's just that if you want to move, you need to keep the same server name. Here's a link on how to move your CA to a different server for all versions of the OS: http://support.microsoft.com/kb/298138

If you are familiar with the CA, how it's being used and how to configure the other applications that rely on the CA, you may want to leave the existing one and create a new one, particularly if you want to have a different server name in the end. Worst scenario, monitor the CA for a bit and disable it, and see what happens. You may have complaints about computers not being able to authenticate to the wireless network. If you take down IAS, you may get complaints that users or computers cannot authenticate to the wireless or wired port-authenticated networks. But of course, you can also study your DC's event log; you may see a lot of events constantly recorded related to these services, particularly for IAS during peak hours.
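The "monitor it for a bit before you disable it" approach above can be made concrete by reading the IAS access events already sitting in the System log. The following PowerShell is an added example, not code from the thread or from any of the posters: it parses the "User ... was granted/denied access" events that Windows Server 2003 IAS writes (source IAS, event ID 1 for granted, 2 for denied), summarises which RADIUS clients, port types and EAP methods are actually in use, and counts how many authentications used EAP-TLS ("Smart Card or other certificate"), which is the case where the client must hold a certificate from the CA. The "Name = Value" layout of the event body, the attribute names and all sample events are assumptions constructed for the example; adjust the regexes if your events look different.

```powershell
# Added example (not from the original thread): find out what depends on IAS, and
# on certificates from the CA, before taking either down.
# Assumptions: IAS event messages carry one "Name = Value" attribute per line, as on
# Windows Server 2003; sample events below are constructed, not real log data.

function ConvertFrom-IasEvent {
    param([object[]]$Events)   # objects with TimeGenerated, EventID, Message (shape of Get-EventLog output)
    foreach ($e in $Events) {
        $fields = @{}
        # Each RADIUS attribute in the body sits on its own "Name = Value" line.
        foreach ($line in ($e.Message -split "`r?`n")) {
            if ($line -match '^\s*([\w-]+)\s*=\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
        }
        $user = if ($e.Message -match '^User\s+(\S+)\s+was\s+(granted|denied)') { $Matches[1] } else { '?' }
        New-Object PSObject -Property @{
            Time     = [datetime]$e.TimeGenerated
            Hour     = ([datetime]$e.TimeGenerated).ToString('yyyy-MM-dd HH:00')
            Granted  = ($e.EventID -eq 1)
            User     = $user
            Client   = $fields['Client-Friendly-Name']
            PortType = $fields['NAS-Port-Type']
            Policy   = $fields['Policy-Name']
            EapType  = $fields['EAP-Type']
            # EAP-TLS ("Smart Card or other certificate") means the supplicant presented a
            # client certificate, i.e. an autoenrolled cert from the CA this thread is about.
            # PEAP also relies on the IAS server's own certificate, but that is not visible here.
            ClientCertUsed = ($fields['EAP-Type'] -match 'certificate')
        }
    }
}

function Get-IasUsageSummary {
    param([object[]]$Parsed)
    $byClient = $Parsed | Group-Object Client, PortType, EapType |
        Select-Object @{n='Client / PortType / EAP'; e={$_.Name}}, Count
    $byHour   = $Parsed | Group-Object Hour | Sort-Object Name | Select-Object Name, Count
    $certAuth = @($Parsed | Where-Object { $_.ClientCertUsed }).Count
    New-Object PSObject -Property @{ ByClient = $byClient; ByHour = $byHour; ClientCertAuths = $certAuth }
}

# --- Constructed sample events (stand-ins for Get-EventLog -LogName System -Source IAS) ---
function New-SampleEvent([datetime]$Time, [int]$Id, [string]$User, [string]$Client, [string]$Port, [string]$Eap) {
    $verb = if ($Id -eq 1) { 'granted' } else { 'denied' }
    New-Object PSObject -Property @{
        TimeGenerated = $Time
        EventID       = $Id
        Message       = "User $User was $verb access.`r`n Client-Friendly-Name = $Client`r`n NAS-Port-Type = $Port`r`n Policy-Name = Wireless Access`r`n Authentication-Type = EAP`r`n EAP-Type = $Eap"
    }
}
$Sample = @(
    (New-SampleEvent '2009-04-02 08:05' 1 'CORP\jsmith'   'WLC-01'  'Wireless - IEEE 802.11' 'Microsoft: Smart Card or other certificate'),
    (New-SampleEvent '2009-04-02 08:07' 1 'CORP\LAPTOP7$' 'WLC-01'  'Wireless - IEEE 802.11' 'Microsoft: Smart Card or other certificate'),
    (New-SampleEvent '2009-04-02 08:40' 1 'CORP\mjones'   'SW-CORE' 'Ethernet'               'Microsoft: Secured password (EAP-MSCHAP v2)'),
    (New-SampleEvent '2009-04-02 09:12' 2 'CORP\guest'    'VPN-01'  'Virtual'                'Microsoft: Secured password (EAP-MSCHAP v2)')
)

# With real data on the IAS box (last 7 days):
#   $Parsed = ConvertFrom-IasEvent (Get-EventLog -LogName System -Source IAS -After (Get-Date).AddDays(-7))
$Parsed  = ConvertFrom-IasEvent $Sample
$Summary = Get-IasUsageSummary $Parsed
$Summary.ByClient | Format-Table -AutoSize
$Summary.ByHour   | Format-Table -AutoSize
"Authentications in which the client presented a certificate: $($Summary.ClientCertAuths)"
```

Run it over a full week of events rather than a single peak hour: the per-hour table shows when a stoppage would be noticed, the per-client table shows which wireless controllers, switches and VPN gateways are RADIUS clients, and the certificate count tells you how much of that traffic will break if the CA that issued those client certificates disappears before they are re-issued.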
LVL 31

Accepted Solution

Paranormastic earned 1200 total points
ID: 24060512
The move guide is good if you are keeping the name of the box the same. Instead you might want to decommission the CA and put up a new one on another box.
How to decom a CA server properly from AD:

Alternatively, a less risky method would be to stop Certificate Services on the DC and then set up a new one in parallel without decommissioning it until the DC's CA certificate has expired. Use the Certification Authorities MMC before shutting down the CA services on the DC to delete all the templates listed on that CA (it will keep the templates in AD when you delete them in the CA MMC) and then just assign them to the new CA, and that will take over the new autoenrollment events as they come up over time.

A CA should not be installed on a DC. It is bad practice and will get in the way during things like running dcpromo. For most companies, a 2-tier CA running in virtual machines is advised. A standalone root on Standard edition 03 or 08 that is kept offline, so don't join it to the domain; store this image on a removable hard drive to keep it extra secure. The second tier would be an online issuing CA, in most cases an enterprise subordinate CA on an Enterprise edition OS joined to the domain.

The DCs are probably getting 3 certs each, which is normal when an enterprise CA is installed: Domain Controller cert, Domain Controller Authentication cert, and Directory Email Replication cert. Although all 3 may or may not be necessary, in virtually all cases it does no real harm to keep all three going; don't bother wasting the time. The only thing of potential concern (especially if you have a CA you didn't know about) is to check to see what boxes those certs are being issued to, so you know there aren't any unauthorized DCs floating around too!
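The last point above, checking which machines the DC templates are actually being issued to, is worth doing with the CA database export rather than by eyeballing the MMC. The PowerShell below is an added example, not code from the thread or from the poster: it parses the CSV that `certutil -view ... csv` produces, normalises the template names the answer lists (Domain Controller, Domain Controller Authentication, Directory Email Replication), and reports every holder of such a certificate that is not a domain controller known to AD. The exact CSV header text certutil writes, and every row of sample data, are assumptions constructed for the example; the parser matches columns by keyword so small header differences do not matter.

```powershell
# Added example (not from the original thread): audit which machines the enterprise CA
# has issued domain-controller certificates to, and flag any that are not known DCs.
# Assumptions: the CA database was exported with
#   certutil -view -out "RequestID,RequesterName,CommonName,CertificateTemplate,NotAfter" csv > issued.csv
# The header names in the sample below are assumed, which is why columns are found by keyword.

# Templates an enterprise CA autoenrolls to DCs, in the form used after normalisation.
$DcTemplates = @('DomainController', 'DomainControllerAuthentication', 'DirectoryEmailReplication')

function Get-TemplateShortName {
    param([string]$Template)
    # V1 templates appear as a bare name; V2 templates as "<oid> (<display name>)".
    if ($Template -match '\(([^)]+)\)') { $Template = $Matches[1] }
    return ($Template -replace '\s', '')
}

function ConvertFrom-CaIssuedCsv {
    param([string[]]$CsvLines)
    $rows = $CsvLines | ConvertFrom-Csv
    foreach ($row in $rows) {
        # Locate columns by keyword so a slightly different header does not break parsing.
        $props     = $row.PSObject.Properties
        $requester = ($props | Where-Object { $_.Name -match 'Requester' }          | Select-Object -First 1).Value
        $template  = ($props | Where-Object { $_.Name -match 'Template' }           | Select-Object -First 1).Value
        $cn        = ($props | Where-Object { $_.Name -match 'Common' }             | Select-Object -First 1).Value
        $expires   = ($props | Where-Object { $_.Name -match 'Expiration|NotAfter' } | Select-Object -First 1).Value
        New-Object PSObject -Property @{
            Requester  = $requester
            # "CORP\DC1$" -> "DC1": drop the domain prefix and the machine-account '$'.
            Host       = (($requester -split '\\')[-1] -replace '\$$', '').ToUpper()
            CommonName = $cn
            Template   = Get-TemplateShortName $template
            Expires    = $expires
        }
    }
}

function Find-UnexpectedDcCertHolders {
    param([object[]]$Issued, [string[]]$KnownDcs)
    # Compare on the upper-cased short host name, so "dc1.corp.example.com" matches "CORP\DC1$".
    $known = $KnownDcs | ForEach-Object { ($_ -split '\.')[0].ToUpper() }
    $Issued |
        Where-Object { $DcTemplates -contains $_.Template } |
        Where-Object { $known -notcontains $_.Host } |
        Select-Object Host, Requester, CommonName, Template, Expires
}

# --- Constructed sample export (not real CA output) ------------------------------------
$SampleCsv = @'
"Issued Request ID","Requester Name","Issued Common Name","Certificate Template","Certificate Expiration Date"
"101","CORP\DC1$","dc1.corp.example.com","DomainController","4/1/2010 9:00 AM"
"102","CORP\DC1$","dc1.corp.example.com","1.3.6.1.4.1.311.21.8.1234.5678 (Domain Controller Authentication)","4/1/2010 9:00 AM"
"103","CORP\DC1$","dc1.corp.example.com","1.3.6.1.4.1.311.21.8.1234.5678 (Directory Email Replication)","4/1/2010 9:00 AM"
"104","CORP\DC2$","dc2.corp.example.com","DomainController","4/2/2010 9:00 AM"
"105","CORP\ROGUE-DC$","rogue-dc.corp.example.com","DomainController","4/3/2010 9:00 AM"
"106","CORP\WEB01$","intranet.corp.example.com","WebServer","4/3/2010 9:00 AM"
"107","CORP\jsmith","jsmith","User","4/3/2010 9:00 AM"
'@ -split "`r?`n"

# With real data, on the CA or any box with certutil pointed at it:
#   $Issued   = ConvertFrom-CaIssuedCsv (Get-Content .\issued.csv)
#   $KnownDcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
#                   ForEach-Object { $_.Name }
$Issued   = ConvertFrom-CaIssuedCsv $SampleCsv
$KnownDcs = @('dc1.corp.example.com', 'dc2.corp.example.com')

"Certificates issued per template:"
$Issued | Group-Object Template | Select-Object Name, Count | Format-Table -AutoSize

"DC-template certificates held by machines that are NOT known DCs:"
Find-UnexpectedDcCertHolders -Issued $Issued -KnownDcs $KnownDcs | Format-Table -AutoSize
```

The per-template count answers the "three certs per DC" question directly, and the second table is the one to act on: a machine account that holds a Domain Controller certificate but is not in the domain's DC list is either a decommissioned DC whose certificate was never revoked or something that should not exist. Revoke those certificates on the old CA (and publish a CRL) before you stop its Certificate Services, since nobody can revoke them afterwards.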
