Certificate Authority on Active Directory 2003 PDC

I have discovered that we have a CA running on our GC server. Does anyone know if there are any default certificate dependencies involved in a 2003 native forest? I can see that we're also doing IAS for wireless and VPN authentication, and so the certs may be for a combination of that and other IIS certs, but... I'm afraid to move it to a new server. Some of the certs appear to be issued to other AD-integrated DCs. I can't remember if AD uses certs for anything or if it was all added after the fact. Second question: does a CA and/or IAS need to run on a DC for any reason? Thanks to all!
Paranormastic (Cryptographic Engineer) commented:
The move guide is good if you are keeping the name of the box the same. Instead you might want to decommission the CA and put up a new one on another box.
How to decom a CA server properly from AD:

Alternatively, a less risky method would be to stop certificate services on the DC and then set up a new one in parallel without decommissioning it until the DC's CA certificate has expired. Use the Certification Authorities MMC before shutting down the CA services on the DC to delete all the templates listed on that CA (it will keep the templates in AD when you delete them in the CA MMC) and then just assign them to the new CA, and that will take over the new autoenrollment events as they come up over time.

A CA should not be installed on a DC. It is bad practice and will get in the way during things like running dcpromo. For most companies, a 2-tier CA running in virtual machines is advised. A standalone root on Standard Edition 03 or 08 that is kept offline, so don't join it to the domain; store this image on a removable hard drive to keep it extra secure. The second tier would be an online issuing CA, in most cases an enterprise subordinate CA on an Enterprise Edition OS joined to the domain.

The DCs are probably getting 3 certs each, which is normal when an enterprise CA is installed: a Domain Controller cert, a Domain Controller Authentication cert, and a Directory Email Replication cert. Although all 3 may or may not be necessary, in virtually all cases it does no real harm to keep all three going; don't bother wasting the time. The only thing of potential concern (especially if you have a CA you didn't know about) is to check to see what boxes those certs are being issued to, so you know there aren't any unauthorized DCs floating around too!
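The check Paranormastic describes (which hosts the CA is issuing the three DC templates to, and whether each of them is really a DC) and the template hand-off to a new CA can both be done from the command line. The script below is an added example in PowerShell, not code from the thread or from Microsoft; it assumes certutil.exe is available, that you run it on the CA host (or pass -CAConfig "Host\CAName"), that the CA database still holds the issued-certificate log, and that certutil's CSV header wording is only known approximately, so columns are matched by keyword rather than by exact name. The CA and host names in the trailing comment are placeholders.

```powershell
# Added example (PowerShell, not from the original thread): list which hosts the
# enterprise CA has issued DC-type certificates to, and flag any that are not DCs
# known to Active Directory. Run on the CA host as a CA administrator, or pass
# -CAConfig "Host\CAName" to point certutil at a remote CA.
param(
    [string]$CAConfig = ""   # assumption: empty string means the local CA
)

# The three templates an enterprise CA auto-issues to DCs (names per the reply above).
$dcTemplates = @('DomainController', 'DomainControllerAuthentication', 'DirectoryEmailReplication')

# Export the issued-certificate log as CSV. Disposition 20 = issued.
$certutilArgs = @()
if ($CAConfig -ne "") { $certutilArgs += @('-config', $CAConfig) }
$certutilArgs += @('-view', '-restrict', 'Disposition=20',
                   '-out', 'RequestID,RequesterName,CommonName,CertificateTemplate,NotAfter',
                   'csv')
$raw = & certutil.exe @certutilArgs 2>&1
if ($LASTEXITCODE -ne 0) { throw "certutil failed:`n$($raw -join "`n")" }

# Drop certutil's trailing status line ("CertUtil: -view command completed ...") before parsing.
$rows = @($raw | Where-Object { "$_" -notmatch '^CertUtil:' } | ConvertFrom-Csv)
if ($rows.Count -eq 0) { Write-Host "No issued certificates found."; return }

# certutil's CSV header uses display names (e.g. "Requester Name"), which vary by
# version and locale, so pick columns by keyword instead of hard-coding them (assumption).
$cols   = $rows[0].PSObject.Properties | ForEach-Object { $_.Name }
$colReq = $cols | Where-Object { $_ -match 'Requester' }      | Select-Object -First 1
$colTpl = $cols | Where-Object { $_ -match 'Template' }       | Select-Object -First 1
$colExp = $cols | Where-Object { $_ -match 'Expir|NotAfter' } | Select-Object -First 1

# DCs that AD actually knows about (plain .NET, no RSAT module needed).
$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$knownDCs = @($domain.DomainControllers | ForEach-Object { ($_.Name -split '\.')[0].ToUpper() })

function Test-StillValid($expiry) {
    # certutil prints dates in the current locale; if parsing fails, keep the row for review.
    try { return ((Get-Date $expiry) -gt (Get-Date)) } catch { return $true }
}

# Keep unexpired certs issued from a DC template. The template column may hold the
# bare name or "<OID> <Name>", so match on substring.
$dcCerts = $rows | Where-Object {
    $tpl = $_.$colTpl
    ($dcTemplates | Where-Object { $tpl -match $_ }) -and (Test-StillValid $_.$colExp)
}

# One line per requester account (DOMAIN\HOST$), with the templates it has received.
$report = $dcCerts | Group-Object { $_.$colReq } | ForEach-Object {
    $hostName = (($_.Name -split '\\')[-1]).TrimEnd('$').ToUpper()
    New-Object PSObject -Property @{
        Requester = $_.Name
        HostName  = $hostName
        KnownDC   = [bool]($knownDCs -contains $hostName)
        Templates = (($_.Group | ForEach-Object { $_.$colTpl }) | Sort-Object -Unique) -join '; '
        CertCount = $_.Count
    }
} | Select-Object Requester, HostName, KnownDC, Templates, CertCount

$report | Sort-Object KnownDC, HostName | Format-Table -AutoSize

# Anything with KnownDC = False is the "unauthorized DC" case the reply above warns about.
$report | Where-Object { -not $_.KnownDC } | ForEach-Object {
    Write-Warning "DC-template certificate(s) issued to '$($_.Requester)', which is not a DC in $($domain.Name)"
}

# For the parallel-CA approach, the templates can be unassigned from the old CA and
# assigned to the new one with certutil -SetCATemplates ('-' removes, '+' adds) instead
# of the CA MMC. Placeholder CA names; run once per template:
#   certutil -config "OLDDC\Old-CA"   -SetCATemplates -DomainControllerAuthentication
#   certutil -config "NEWSRV\New-CA"  -SetCATemplates +DomainControllerAuthentication
```

Run it before touching the old CA: a requester that is not in the AD DC list but holds a DomainController-template certificate is exactly the thing to investigate, and the per-host template list tells you which templates the new CA has to take over so autoenrollment keeps working after the move.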
LauraEHunterMVP commented:
If you remove the CA role from this server, one assumes that you will be installing the role on a different and differently-named server. If this is the case, all certificates will need to be re-issued from the new CA.

I'm unclear as to why you wish to remove this CA when you are uncertain whether, or for what, it is being used.
marksheeks (Author) commented:
Thanks Laura. We are responding to a forced migration of all servers from one subnet to another. Therefore all servers (including DCs, RADIUS, email, etc.) are changing IP addresses. In this process, some are being virtualized into ESX using the VMware converter while others are being replaced by new guest operating systems and then having all of their roles rebuilt or transferred over. Yes, part of my requirements is definitely to find out where/why all of these certs are being issued. One perplexing thing is that the CA is issuing certs to other DCs on a regular basis. I'm not sure why or quite how to pursue it in the time I have. I guess I'm searching for tribal knowledge to shortcut the process, but also I'm trying to figure out what dependencies exist natively between AD and a local CA. I thought I remembered running a new forest with no local CA at all. Does this wash? I appreciate your time.
Americom commented:
Your CA can be used for issuing certificates to web-based applications, web sites, PCs, wireless, etc. Your IAS is more probably for wireless authentication as well as wired port authentication, etc.
Both CA and IAS can be on a member server. If the IAS and CA on your DC are currently on Enterprise Edition, you should move/create your IAS and CA on a member server with Enterprise Edition, as there are limitations when it is on a member server with Standard Edition.
If you are not too sure how your CA is being used, you may want to move it to another server instead of creating a new one on a different server. It's just that if you want to move, you need to keep the same server name. Here's a link on how to move your CA to a different server for all versions of the OS: http://support.microsoft.com/kb/298138

If you are familiar with the CA, how it's being used, and how to configure the other applications that rely on the CA, you may want to leave the existing one and create a new one, particularly if you want to have a different server name in the end. Worst-case scenario, monitor the CA for a bit, disable it, and see what happens. You may get complaints that computers cannot authenticate to the wireless network. If you take down IAS, you may get complaints that users or computers cannot authenticate to the wireless or wired port-authenticated networks. But of course, you can also study your DC's event log; you may see a lot of events constantly recorded related to these services, particularly for IAS during peak hours.