Solved

Lost AD CS CA server - now what?

Posted on 2013-12-04
4
823 Views
Last Modified: 2013-12-04
Hi all,

A few weeks ago, I lost a domain controller in my network.  Of course, it was a hard fail and I had no good backups.  I thought I had finally recovered when I found that it must have been a CA, as there are certificates that had been issued by it on my domain controllers.  I found this article and was working through it - http://support.microsoft.com/kb/889250.  At one point it says to run "certutil - TCAinfo" and that is reporting the CA as a server that has been gone for nearly two years!  I need to get a CA back up as I am trying to install Lync 2013, but I am a little stuck.  What are the implications of installing a new CA now?  I tried to export a certificate following instructions in another TechNet article, but it says the PK is marked as not exportable, so it will not let me create a .pfx file.  Also, I saw that I should not install the CA on a Domain Controller, is that correct?  All servers are 2008R2.  Any thoughts or suggestions are greatly appreciated!

-Don
0
Comment
Question by:dongcamp100
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39695675
You can install CA on domain controller
Only thing you cannot demote the DC in case if required unless you remove CA server role
Also you should not rename the CA server name, I mean if you install CA server on DC, and some point of time if you want to rename DC, its creates lot of problem \ complications.
Because all certificates that issued by CA server has also hardcode CA server name in certificates with Certificate revocation list (CRL) and Authority Information Access (AIA)
For this matters, its good if you install it separately

What you can do, install brand new AD integrated CA server as u can have multiple CA servers \ Authorities in a given domain.

Once you install that, it will take care of DC certificates as well
Also you may publish its root cert to all clients through GPO

Mahesh
0
 

Author Comment

by:dongcamp100
ID: 39695692
OK.  Just to clarify.  When I install the new CA, do I make it a root CA and/or Enterprise CA?  Keep in mind that I now don't actually have any CA at all in my domain, although the settings are still in AD from the servers that are now gone.  Do I need to do some sort of cleanup on those old settings?
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39695743
You already have cleaned up old settings with help of MS article in question itself

Now choice is yours.

AD integrated enterprise root CA needs to be keep online always and most simpler in deployment.

If you deploy Standalone Root CA, then you must deploy Subordinate enterprise root CA to work with Active directory as it contains templates.
Also its security best practise to keep Standalone root CA offline and bring him online when ever only required, may be at the time of certificate renewal of sub ordinate CA
But this will increase overheads maintenance

personally I prefer Enterprise root CA to avoid complications above.

If you have very big setup and very strict company security polices, then you can go with offline Standalone root CA approach otherwise single AD integrated enterprise root CA is sufficient

Mahesh
0
 

Author Closing Comment

by:dongcamp100
ID: 39695755
Thank you!  I was hoping it would be this easy... :)  It has been a rough couple of weeks!
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question