Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Long dead certificate authority. How get re-pointed to new stable CA?

Posted on 2010-08-27
3
Medium Priority
?
1,569 Views
Last Modified: 2012-06-21
Hello,

I inherited a bit of mess.

My situation is this:
1200 users, 2003 domain running in 2000 mixed mode, multiple sites.
6 domain controllers (4 running Server 2000, 2 running Server 2003 SP2)

2000 DC's reporting this in the event log for months:
The automatic certificate enrollment subsystem could not access local resources needed for enrollment.   Enrollment will not be performed. (0x80070005) Access is denied.

2003 DC's reporting this in the event log for months:

Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied.

certutil -dump shows me this:
C:\>certutil -dump
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
Entry 0:
  Name:                         `CA'
  Organizational Unit:          `'
  Organization:                 `'
  Locality:                     `'
  State:                        `'
  Country/region:               `'
  Config:                       `ngbrasus.mydomain.com\CA'
  Exchange Certificate:         `'
  Signature Certificate:        `'
  Description:                  `'
  Server:                       `ngbrasus.mydomain.com'
  Authority:                    `CA'
  Sanitized Name:               `CA'
  Short Name:                   `CA'
  Sanitized Short Name:         `CA'
  Flags:                        `1'
CertUtil: -dump command completed successfully.

What I know for sure so far:
I've confirmed that the server, ngbrasus, was removed long ago.
I've confirmed that the group "CERTSVC_DCOM_ACCESS" does NOT exist currently.

I've read the following:
http://support.microsoft.com/kb/889250 
http://support.microsoft.com/kb/927066

Neither seem to exactly match my circumstances so I'm hesitant on just shotgunning a bunch of solutions.

At this point I'm not seeing any visible ill effect of the missing CA. I'm fully ready to install a new CA and re-point things if needed. If I cannot get any quality answers here I may up cross posting this over at Petri.

Thanks!
0
Comment
Question by:BDoellefeld
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 3

Accepted Solution

by:
aymanq earned 2000 total points
ID: 33548620
To remove the old CA is quite easy, you can use ADSIEdit to remove the SCP from Active Directory, after ward you can install a new enterprise CA and it will be published automatically.

You can remove the SCP using ADSIEDIT from the following:

Configuration --> serivices --> Public key services -->Enrollement services

Look up in that location for CN = "your CA name" , delete that object
You can do cleanup as well for things under AIA and CDP that relates to your CA
0
 
LVL 9

Author Comment

by:BDoellefeld
ID: 33569063
Thank you for the reply and the sanity check. I have to go through a change approval process and will reply back on result.
0
 
LVL 9

Author Comment

by:BDoellefeld
ID: 33718810
Finally got a maint window. Thanks!
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Let's recap what we learned from yesterday's Skyport Systems webinar.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question