Solved

Domain Controller Certificate Renewal

Posted on 2009-04-11
Last Modified: 2012-05-06
I am replacing the Enterprise CAs in our forest. New CAs are in place and I am ready to revoke all domain controller certificates and turn off the old CAs. The process includes revoking all existing issued certificates. The Microsoft doc is here - http://support.microsoft.com/kb/889250

I then need to remove all the revoked certificates on all the domain controllers and reboot them so they pick up a new certificate from the new CAs. This is easy enough to do via the Certificates MMC on each server, but there are 80 domain controllers and it would take a lot of time. The domain controllers are a mix of 2003 SP2 and 2008.

The KB article above mentions the dsstore command that can be used to remove certificates, but this command is not recognised on our servers (the support tools are installed on the 2003 servers). In any case it looks like user interaction is required with this script, and that makes it hard to automate.

Anyone know of a way to script the removal of certificates from the local store? I need a batch file or VBScript so I can push it out remotely.



Question by: milott
2 Comments
 
Accepted Solution by: Paranormastic (LVL 31, earned 500 total points), ID: 24129832
Re-read the article a little more closely. Dsstore.exe is for Win2k DCs only. For 03/08 DCs you don't need that, just run:

certutil -dcinfo deleteBad

If the certs were revoked or expired that will clean them up.  You can just throw that into a simple batch script.
 

Author Comment by: milott, ID: 24181163
Sorry for the delay - took a week off for Easter.

Thanks, I did spot that on a second read and tried it. certutil -dcinfo deleteBad identified the revoked certificates but did not remove them from the remote servers.

I found, however, that it sorted itself out over several days as the DCs all picked up new certs from the new CAs automatically.

Thanks.
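As an added example, not code from the thread, from Microsoft, or from the KB article, here is a PowerShell version of the per-DC cleanup that the accepted answer describes and that the author could not get to work against remote servers with certutil -dcinfo deleteBad alone. It runs on each DC in turn, removes from the machine store only those certificates issued by the old CA that are revoked or already expired, and then asks autoenrollment to run so the DC requests a replacement from the new CA. It assumes PowerShell 2.0 or later with WinRM remoting enabled on every DC, that the old CA's CRL is still reachable from the DCs, and that the placeholder issuer name CN=OLD-ENTERPRISE-CA is replaced with the real one; none of those details are in the original post.

```powershell
# Added example, not code from the thread: per-DC cleanup of certificates issued by the
# old enterprise CA, removing only those that are revoked or already expired, then
# nudging autoenrollment so the DC requests a replacement from the new CA.
# Assumptions (none of these are in the original post): PowerShell 2.0 or later with
# WinRM remoting enabled on every DC, a CRL for the old CA that the DCs can still reach,
# and the old CA's subject name given in $OldCaIssuerPattern.
$OldCaIssuerPattern = 'CN=OLD-ENTERPRISE-CA'   # assumption: replace with the old CA's CN

# Enumerate every DC in the current domain without needing the ActiveDirectory module.
$DCs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
    ForEach-Object { $_.Name }

$cleanup = {
    param([string]$IssuerPattern)

    $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $removed = @()

    # Iterate over a copy: removing from the live collection while enumerating it is unsafe.
    foreach ($cert in @($store.Certificates)) {
        if ($cert.Issuer -notlike "*$IssuerPattern*") { continue }

        # Build the chain with online revocation checking. An unreachable CRL yields
        # RevocationStatusUnknown/OfflineRevocation, not Revoked, so such certs are kept.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EndCertificateOnly
        [void]$chain.Build($cert)
        $isRevoked = @($chain.ChainStatus | Where-Object { ($_.Status -band $revokedFlag) -ne 0 }).Count -gt 0
        $isExpired = $cert.NotAfter -lt (Get-Date)

        if ($isRevoked -or $isExpired) {
            $store.Remove($cert)
            $removed += New-Object PSObject -Property @{
                Computer   = $env:COMPUTERNAME
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Reason     = $(if ($isRevoked) { 'Revoked' } else { 'Expired' })
            }
        }
    }
    $store.Close()

    # Trigger the autoenrollment task now rather than waiting for its next scheduled run.
    # certutil -pulse exists on Vista/2008 and later; on 2003 the reboot the question
    # planned gets the same effect.
    certutil -pulse | Out-Null
    $removed
}

Invoke-Command -ComputerName $DCs -ScriptBlock $cleanup -ArgumentList $OldCaIssuerPattern |
    Select-Object Computer, Subject, Thumbprint, Reason |
    Format-Table -AutoSize
```

Two points worth checking before running this against 80 DCs. First, run it while the old CA is still publishing its CRL: once the old CAs are switched off, the chain build reports the revocation status as unknown rather than revoked, and the script deliberately leaves those certificates alone. Second, because it only removes certificates that are already revoked or expired, which any client doing revocation checking rejects anyway, it does not make LDAPS or smart-card logon any worse than it already is; the DC keeps whatever valid certificate it has until autoenrollment delivers one from the new CA.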
