Paul_Olson
asked on
How to clean up missing CA from AD
Hello-
I have been managing a small network for about a year. 10 servers, 2 Win 2008R2 DCs, 1 Win 2003 DC, Exchange 2007. The AD is in '2003' mode, I was planning to decom the last 2003 DC next week and move the AD to '2008R2' mode. As I was looking over the eventlogs to clean up outstanding issues before the move, I have found an issue with my (inherited) CA infrastructure.
I transitioned my infrastructure from Exchange 2003 to Exchange 2007 a few months ago, and I properly removed the Exchange 2003 infrastructure from the AD. I then reformatted and redeployed the server to a new role. I did not realize that the prior admin or some other contractor had installed a CA on that server. That CA is now gone, and no backups exist to restore.
I am seeing a few KDC eventID 20 errors ('The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.') in the eventlog of the server I am going to dcpromo to a member server, and similar errors on my two 2008R2 DCs. I see in the local cert store DC certificates issued by that missing CA. The certificates expire in Nov 2010, so I have some time to deal with this, but am not sure how to proceed.
My original plan was to bring up a proper 2-tier CA infrastructure with an offline root CA, but am not quite ready for that... unless I have to do that work to clean up this situation.
Where can I find the steps to clean this up (remove the lost CA)? I can see the steps to decommission an existing CA, but I cannot recover my old one to properly decommission it. I want to get it into a state where I can bring up a new CA for future use.
I find references to 'certutil -dcinfo deleteBad' to remove old certificates from the servers, but if I do that without a replacement CA infrastructure in place will I cause a big problem from which I cannot recover?
Thanks for any assistance!
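Before running `certutil -dcinfo deleteBad`, it helps to know exactly what still references the lost CA: which certificates in each DC's machine store were issued by it, and which objects under the Public Key Services container of the AD configuration partition still advertise it (those objects are what makes autoenrollment and the KDC keep looking for a CA that no longer exists). The script below is an added example and is not code from the original post or from any answer on the page; it only reads, it deletes nothing. The CA common name `OldExchangeCA` is a placeholder, not a name taken from the post; substitute the issuer name shown in the DC certificates.

```powershell
# Added example: inventory everything that still references a CA that no longer exists.
# Read-only. Assumes it is run in an elevated PowerShell on a 2008 R2 DC as Enterprise Admin.
# "OldExchangeCA" is an assumed placeholder for the lost CA's common name.
$LostCaName = 'OldExchangeCA'

# 1. Certificates in this DC's machine store that were issued by the lost CA.
#    These are the ones certutil -dcinfo verify / deleteBad will report on.
Write-Host "== Machine certificates issued by CN=$LostCaName on $env:COMPUTERNAME =="
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*CN=$LostCaName*" } |
    Select-Object Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize

# 2. Locate the Public Key Services container in the Configuration partition.
$rootDse = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext.Value
$pks = "CN=Public Key Services,CN=Services,$configNc"

# 3. Any object named after the lost CA anywhere under that container:
#    CN=Certification Authorities (trusted root publication), CN=Enrollment Services
#    (what autoenrollment and the KDC use to find an issuing CA), CN=AIA and the
#    per-server containers under CN=CDP (CRL publication). Each hit is an orphan.
Write-Host "== AD PKI objects still named CN=$LostCaName under $pks =="
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$pks")
$searcher.Filter      = "(cn=$LostCaName)"
$searcher.SearchScope = 'Subtree'
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'objectClass'))
foreach ($result in $searcher.FindAll()) {
    $dn      = $result.Properties['distinguishedname'][0]
    $classes = [string]::Join(',', @($result.Properties['objectclass']))
    Write-Host ("{0}  [{1}]" -f $dn, $classes)
}

# 4. NTAuthCertificates: CA certificates listed here are trusted to issue logon
#    (smart card / KDC) certificates, so a lost CA should not remain in it.
Write-Host "== CA certificates in NTAuthCertificates =="
$ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,$pks"
foreach ($blob in $ntAuth.Properties['cACertificate']) {
    $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
    $flag = if ($caCert.Subject -like "*CN=$LostCaName*") { '<-- lost CA' } else { '' }
    Write-Host ("{0}  expires {1}  {2}" -f $caCert.Subject, $caCert.NotAfter, $flag)
}
```

Run it on each DC so step 1 covers every machine store; steps 2 to 4 read the Configuration partition, so they give the same answer from any DC. Then `certutil -dcinfo verify` shows, per DC, which certificates fail chain building; `certutil -dcinfo deleteBad` removes only those. Deleting them is not catastrophic on its own: password-based Kerberos logon and normal domain operation do not depend on a DC certificate, only smart card (PKINIT) logon and LDAP over SSL do, and those would stop working anyway when the certificates expire. The orphaned AD objects found in steps 3 and 4 are what a new CA installation would otherwise trip over, so note their distinguished names before removing them (certutil's `-dsdel`/`-viewdelstore` and the pkiview.msc snap-in on 2008 R2 both target these containers), and only after that bring up the new two-tier PKI.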