
How to clean up missing CA from AD

Asked by Paul_Olson
Topics: Active Directory, Encryption, OS Security
I have been managing a small network for about a year.  10 servers, 2 Win 2008R2 DCs, 1 Win 2003 DC, Exchange 2007.  The AD is in '2003' mode; I was planning to decom the last 2003 DC next week and move the AD to '2008R2' mode.  As I was looking over the event logs to clean up outstanding issues before the move, I found an issue with my (inherited) CA infrastructure.
I transitioned my infrastructure from Exchange 2003 to Exchange 2007 a few months ago, and I properly removed the Exchange 2003 infrastructure from the AD.  I then reformatted and redeployed the server to a new role.  I did not realize that the prior admin or some other contractor had installed a CA on that server.  That CA is now gone, and no backups exist to restore.
I am seeing a few KDC eventID 20 errors ('The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.') in the event log of the server I am going to dcpromo to a member server, and similar errors on my two 2008R2 DCs.  I see in the local cert store DC certificates issued by that missing CA.  The certificates expire in Nov 2010, so I have some time to deal with this, but I am not sure how to proceed.
My original plan was to bring up a proper 2-tier CA infrastructure with an offline root CA, but am not quite ready for that... unless I have to do that work to clean up this situation.
Where can I find the steps to clean this up (remove the lost CA)?  I can see the steps to decommission an existing CA, but I cannot recover my old one to properly decommission it.  I want to get it into a state where I can bring up a new CA for future use.

I find references to 'certutil -dcinfo deleteBad' to remove old certificates from the servers, but if I do that without a replacement CA infrastructure in place will I cause a big problem from which I cannot recover?

Thanks for any assistance!
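As an added example (not from the asker, and not the paywalled answer), a PowerShell check to run on each DC before deleting anything: it lists the certificates in the machine store issued by the lost CA, builds each one's chain so you can see why Windows now treats it as invalid (typically an unreachable CRL), and pulls the recent KDC event 20 entries for correlation. The issuer string is a placeholder; the provider name is the Windows 2008 R2 KDC event provider.

```powershell
# Added example, not from the asker or from the answer.
# Shows what 'certutil -dcinfo deleteBad' would act on, and why, before it is run.
function Get-OrphanedDcCert {
    param(
        [Parameter(Mandatory = $true)][string]$IssuerPattern,   # e.g. 'CN=LOST-CA-PLACEHOLDER'
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        if ($cert.Issuer -notlike "*$IssuerPattern*") { continue }

        # Build the chain the way the KDC would, with an online revocation check.
        # A CA that no longer publishes a CRL surfaces as RevocationStatusUnknown / OfflineRevocation.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainOk = $chain.Build($cert)
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '

        # Collect EKUs so a Domain Controller / KDC Authentication cert is recognisable.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus += ($ext.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName })
            }
        }

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            ChainValid    = $chainOk
            ChainStatus   = $reasons
            EKU           = ($ekus -join ', ')
        }
    }
}

# Recent KDC event 20 entries on this DC (System log), to correlate with the certificates above.
function Get-KdcCertEvent {
    param([int]$Count = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'; Id = 20 } `
        -MaxEvents $Count -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Usage on each DC; replace the placeholder with the lost CA's subject CN.
Get-OrphanedDcCert -IssuerPattern 'CN=LOST-CA-PLACEHOLDER' | Format-Table Subject, NotAfter, HasPrivateKey, ChainValid, ChainStatus -AutoSize
Get-KdcCertEvent
```

A DC whose only Domain Controller / KDC Authentication certificate appears in this list has nothing to fall back to, which is the case where removal without a replacement CA matters most.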