Solved

Removing a tombstoned Certificate Authority server

Posted on 2011-05-02
Medium Priority
967 Views
Last Modified: 2012-05-11
Hi,

Hope someone can advise on this.  I am administering a domain which has two Windows 2003 R2 servers, both of which are domain controllers.  Server1 hosts all the FSMO roles and was installed about six months ago to replace another server (we'll call Server0).

When this migration was done, everything was completed by the book and successfully but a couple of things were missed.  Server0 was not demoted using DCPROMO to stop it being a domain controller and we have recently discovered that it was acting as a Certificate Authority - nothing has been done about moving this.  The tombstone period has expired so it can never go back on the network and we do want to format it for backup use.

Server0 has now been manually removed from the domain but the CA issue still remains.  Server2 logs regular KDC errors in the event log (2 or 3 a day) regarding the missing CA:

************************************************************************************
The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.  Smartcard logon may not function correctly if this problem is not remedied.  Have the system administrator check on the state of the domain's public key infrastructure.  The chain status is in the error data.
************************************************************************************

We believe the CA was set up to provide signed certificates for an old piece of specialist software which they no longer use, we don't know of anything that currently requires it.

I have read through http://support.microsoft.com/default.aspx?scid=kb;en-us;555151 about removing the CA manually but I know very little about CAs as have never had the need to do much with them.

Therefore I have some questions:

1. I am assuming that, as it's been gone for 6 months, it won't be missed but is the above KB the safest way of removing traces of it from the domain?

2. Is there any reason to have a CA on the domain for any other purpose?  I haven't been able to find any particularly good reference articles to explain their use.

Hope someone can help with this or provide some useful advice.

Thanks,

Phil
Question by:comphil
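Before following KB 555151 it helps to see which objects under CN=Public Key Services in the Configuration partition still name the old CA. The following is an added, read-only inventory script written for this page; it is not from the thread, from comphil's environment or from Microsoft. It uses ADSI so it runs on PowerShell 2.0 on a Windows Server 2003 DC without the ActiveDirectory module. The `Server0*` pattern is an assumed placeholder for the defunct CA's name.

```powershell
# Added example: read-only inventory of the Configuration-partition PKI objects that
# KB 555151 has you clean by hand. Nothing is modified. Run on a DC as a domain admin.
function Get-AdPkiObjects {
    param(
        # Wildcard matched against object names and NTAuth certificate subjects/issuers.
        # '*Server0*' is an ASSUMED placeholder; '*' lists everything.
        [string]$NameFilter = '*'
    )
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

    # Containers whose children are per-CA (or, for CDP, per-CA-host) objects.
    foreach ($containerName in 'Certification Authorities', 'Enrollment Services', 'AIA', 'CDP', 'KRA') {
        $container = [ADSI]"LDAP://CN=$containerName,$pkiBase"
        try { $children = @($container.Children) } catch { continue }   # container absent in this forest
        foreach ($child in $children) {
            $name = [string]$child.Properties['cn'].Value
            if ($name -notlike $NameFilter) { continue }
            New-Object PSObject -Property @{
                Container         = $containerName
                Name              = $name
                ObjectClass       = $child.SchemaClassName
                DistinguishedName = [string]$child.distinguishedName
            }
        }
    }

    # NTAuthCertificates holds the CA certificates DCs trust for enterprise enrolment and
    # smartcard logon; a stale entry here is what the KDC keeps failing to chain to.
    $ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,$pkiBase"
    try { $blobs = @($ntAuth.Properties['cACertificate']) } catch { $blobs = @() }
    foreach ($blob in $blobs) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
        if ($cert.Subject -notlike $NameFilter -and $cert.Issuer -notlike $NameFilter) { continue }
        New-Object PSObject -Property @{
            Container         = 'NTAuthCertificates'
            Name              = $cert.Subject
            ObjectClass       = 'cACertificate value'
            DistinguishedName = "NotAfter=$($cert.NotAfter); Thumbprint=$($cert.Thumbprint)"
        }
    }
}

# List everything first; then narrow to the old CA with -NameFilter '*Server0*' (placeholder).
Get-AdPkiObjects | Format-Table Container, Name, ObjectClass, DistinguishedName -AutoSize
```

Anything the filtered run returns is a candidate for the manual deletion the KB describes; an entry that still appears in NTAuthCertificates after the CA is gone is the usual reason the KDC event keeps being logged.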
15 Comments
 
LVL 24

Expert Comment

by:Awinish
ID: 35503852
 
LVL 3

Author Comment

by:comphil
ID: 35505730
Thanks for that, it pointed to a useful KB article (http://support.microsoft.com/kb/889250) but does not address my concern over whether I am doing the right thing.

Is it safe for me to remove it on the basis nothing has apparently needed it for the last six months?
 
LVL 21

Accepted Solution

by:snusgubben (earned 1500 total points)
ID: 35505920
Since it logs that the certificate is invalid, you could assume it has expired. You could verify that by looking in the Personal store on a DC.

If it's expired you can clean the CA out like they describe in those KBs you found and remove the certificate from the DCs.

Is there any reason to have a CA on the domain for any other purpose?

- You have internal web sites you want SSL enabled
- You want kerberos to encrypt communication between the client and the KDC
- You want to encrypt LDAP traffic
- You want smartcard authentication

etc...
 
LVL 3

Author Comment

by:comphil
ID: 35505987
Thanks for that, I had assumed it would only be needed for reasons such as those you've listed but wanted to make sure.

By Personal Store I assume you mean checking the Certificates tab under Internet Options in Control Panel? Given the amount of time the CA's been offline, it must be expired but I will check.

I'll have a go at clearing the certificates this week if I can get a chance and will see how it goes.
 
LVL 21

Expert Comment

by:snusgubben
ID: 35506351
By Personal Store I assume you mean checking the Certificates tab under Internet Options in Control Panel?

Start - Run - MMC - (File) Add snap-in - pick "certificate" - Choose "Computer account".

There you'll find the Personal store, along with the intermediate and root store if you used those (multiple tiers)
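The same Personal store snusgubben describes opening in the MMC can be read from PowerShell, which makes it easy to repeat on every DC and to flag exactly the certificates his earlier answer asks about (expired ones, and ones issued by the missing CA). This is an added example, not code from the thread; the `Cert:` provider it uses is available from PowerShell 2.0 onwards, and `*Server0*` is an assumed placeholder for the old CA's name.

```powershell
# Added example: list the computer's Personal store on a DC and flag certificates that are
# expired or were issued by the defunct CA. Run in an elevated PowerShell on each DC.
function Get-DcPersonalStoreCertificates {
    param(
        [string]$DefunctCaPattern = '*Server0*',   # ASSUMED placeholder: substitute the old CA's name
        [switch]$OnlyProblems                      # show only expired / defunct-CA certificates
    )
    $now = Get-Date
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU: what a DC needs to offer LDAPS
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $row = New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEku = ($ekus -contains $serverAuthOid)
            Expired       = ($cert.NotAfter -lt $now)
            FromDefunctCa = ($cert.Issuer -like $DefunctCaPattern)
        }
        if (-not $OnlyProblems -or $row.Expired -or $row.FromDefunctCa) { $row }
    }
}

# Full view first, then just the ones that need attention.
Get-DcPersonalStoreCertificates | Format-Table Subject, Issuer, NotAfter, ServerAuthEku, Expired -AutoSize
Get-DcPersonalStoreCertificates -OnlyProblems | Format-List Subject, Issuer, NotAfter, Thumbprint, FromDefunctCa
```

The thumbprint in the output is what you would use later to identify the certificate when backing it up or removing it.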
 
LVL 3

Author Comment

by:comphil
ID: 35506755
Thank you, I'll take a look.
 
LVL 3

Author Comment

by:comphil
ID: 35507926
Hi,

Just checked the server and it is showing a certificate from 'server.domain.com' - however, we've never had a server called 'server' on this domain.  I can only assume this was issued by the defunct server.

It also doesn't expire until 4/5/2011 so should I leave it until then?
 
LVL 21

Expert Comment

by:snusgubben
ID: 35508032
Normally you would have revoked the issued certificates from the CA. You don't have the CA to do this, so if you remove the certificate manually you'll save yourself some work at 4/5.

You should do this on all DCs, as they will start complaining when the cert expires.

If the DCs are listening on TCP 636, they are most likely using this certificate.

cmd -> netstat -an | find "636"
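`netstat` only shows that a DC has something listening on 636; it does not tell you which certificate the DC is actually handing out there, or whether a TLS handshake still completes. The function below, added for this page and not part of the thread, connects to port 636, completes the handshake and reports the presented certificate's subject, issuer and expiry. The server names are assumed placeholders taken from the thread's naming.

```powershell
# Added example: complete a TLS handshake to a DC on 636 and report the certificate it serves.
# The validation callback accepts any chain on purpose: the goal is to inspect the certificate,
# not to trust it, so this is a diagnostic only and must not be reused as a client setting.
function Get-LdapsServerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 636,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            throw "No answer on ${ComputerName}:$Port within $TimeoutMs ms (not listening for LDAPS?)"
        }
        $client.EndConnect($async)

        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        New-Object PSObject -Property @{
            Server     = $ComputerName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            Thumbprint = $cert.Thumbprint
            Protocol   = $ssl.SslProtocol
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Check both DCs (names are placeholders). A failure on one means no usable LDAPS certificate there.
foreach ($dc in 'server1.domain.com', 'server2.domain.com') {
    try { Get-LdapsServerCertificate -ComputerName $dc | Format-List Server, Subject, Issuer, NotAfter, Expired, Thumbprint }
    catch { Write-Warning "$dc : $($_.Exception.Message)" }
}
```

If the certificate reported for a DC is the one issued by the old CA, then removing it from the Personal store is exactly what will stop that DC offering LDAPS, which is the trade-off snusgubben goes on to describe.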
 
LVL 3

Author Comment

by:comphil
ID: 35508110
Hmm OK have checked and both server1 and server2 are listening on port 636.  Server1 does not have any SSL certificates listed except for 3x GoDaddy ones that are OK.  Server2 has the one (apparently from Server0) listed only which still has 3 days to go.

Thanks for taking the time to help with this, it's much appreciated.
 
LVL 3

Author Comment

by:comphil
ID: 35707301
Hi, just wondered if you had any ideas where to go from here?  Not sure what to do now that it seems server2 is listening on that port, does that mean I shouldn't remove the certificate?

I've attached a screen shot of the certificate's information if it helps.

Thanks.

[Attached screenshot: Certificate Information]
 
LVL 21

Expert Comment

by:snusgubben
ID: 35707723
If a DC has a certificate installed, it will start listening on TCP 636. If this certificate is expired or invalid, it will fail to encrypt LDAP traffic and fall back to TCP 389.
 
LVL 3

Author Comment

by:comphil
ID: 35707747
OK, just checked and it is still listening on port 636.

Do you think it's safe to go ahead with the removal of the certificate?
 
LVL 21

Expert Comment

by:snusgubben
ID: 35707963
The certificate is expired so it will not do anything. Are you able to export it (with its private key just as a backup)?
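Taking the export-as-backup suggestion literally: the function below, added here and not part of the thread, writes the certificate and its private key to a password-protected PFX and only removes it from the store when explicitly asked to. It uses the .NET `X509Store` API rather than `Remove-Item` on the `Cert:` drive, which PowerShell 2.0 does not support, so it runs on a 2003 DC. The thumbprint and file path are placeholders.

```powershell
# Added example: back up a certificate (with private key) from the DC's Personal store to a
# PFX, then delete it from the store only when -Remove is given. Run elevated on the DC.
function Backup-ThenRemoveDcCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,                         # from Get-ChildItem Cert:\LocalMachine\My
        [Parameter(Mandatory = $true)][string]$PfxPath,                            # placeholder, e.g. C:\CertBackup\old-ca-cert.pfx
        [Parameter(Mandatory = $true)][System.Security.SecureString]$PfxPassword,
        [switch]$Remove                                                            # without this switch nothing is deleted
    )
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $found = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint, $thumb, $false)
        if ($found.Count -ne 1) { throw "Expected exactly one certificate with thumbprint $thumb, found $($found.Count)" }
        $cert = $found[0]

        # PFX = certificate + private key. If the key was marked non-exportable, fall back to a
        # DER export of the public certificate so there is at least a record of what was removed.
        try {
            $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $PfxPassword)
        } catch {
            Write-Warning "Private key not exportable ($($_.Exception.Message)); saving the public certificate only"
            $bytes   = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
            $PfxPath = [System.IO.Path]::ChangeExtension($PfxPath, '.cer')
        }
        [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
        Write-Host "Backed up '$($cert.Subject)' (issuer '$($cert.Issuer)', expires $($cert.NotAfter)) to $PfxPath"

        if ($Remove) {
            $store.Remove($cert)
            Write-Host "Removed $thumb from LocalMachine\My"
        } else {
            Write-Host "Dry run: backup written, certificate left in place. Re-run with -Remove to delete it."
        }
    } finally {
        $store.Close()
    }
}

# Usage (placeholders): dry run first, then the real removal.
# $pw = Read-Host -AsSecureString 'PFX password'
# Backup-ThenRemoveDcCertificate -Thumbprint '<thumbprint>' -PfxPath 'C:\CertBackup\old-ca-cert.pfx' -PfxPassword $pw
# Backup-ThenRemoveDcCertificate -Thumbprint '<thumbprint>' -PfxPath 'C:\CertBackup\old-ca-cert.pfx' -PfxPassword $pw -Remove
```

Store the PFX somewhere access-controlled: even though the certificate is expired, the private key inside it is still a secret.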
 
LVL 3

Author Comment

by:comphil
ID: 35722368
The server's now been decommissioned - the CA was removed and dcpromo /forceremove was run to relieve it of its Domain Controller status.  I manually deleted all the certificates listed in Sites & Services according to the MS KB article I referenced and also deleted it from Server2's personal store.  All seems fine, there's been no problems so far and the errors in the event log have stopped.

Thank you for your help, much appreciated as always.
 
LVL 3

Author Closing Comment

by:comphil
ID: 35722376
Got most of the information I wanted out of this.