Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Lost AD CS CA server - now what?

Posted on 2013-12-04
4
Medium Priority
?
882 Views
Last Modified: 2013-12-04
Hi all,

A few weeks ago, I lost a domain controller in my network.  Of course, it was a hard fail and I had no good backups.  I thought I had finally recovered when I found that it must have been a CA, as there are certificates that had been issued by it on my domain controllers.  I found this article and was working through it - http://support.microsoft.com/kb/889250.  At one point it says to run "certutil - TCAinfo" and that is reporting the CA as a server that has been gone for nearly two years!  I need to get a CA back up as I am trying to install Lync 2013, but I am a little stuck.  What are the implications of installing a new CA now?  I tried to export a certificate following instructions in another TechNet article, but it says the PK is marked as not exportable, so it will not let me create a .pfx file.  Also, I saw that I should not install the CA on a Domain Controller, is that correct?  All servers are 2008R2.  Any thoughts or suggestions are greatly appreciated!

-Don
0
Comment
Question by:dongcamp100
  • 2
  • 2
4 Comments
 
LVL 38

Assisted Solution

by:Mahesh
Mahesh earned 2000 total points
ID: 39695675
You can install CA on domain controller
Only thing you cannot demote the DC in case if required unless you remove CA server role
Also you should not rename the CA server name, I mean if you install CA server on DC, and some point of time if you want to rename DC, its creates lot of problem \ complications.
Because all certificates that issued by CA server has also hardcode CA server name in certificates with Certificate revocation list (CRL) and Authority Information Access (AIA)
For this matters, its good if you install it separately

What you can do, install brand new AD integrated CA server as u can have multiple CA servers \ Authorities in a given domain.

Once you install that, it will take care of DC certificates as well
Also you may publish its root cert to all clients through GPO

Mahesh
0
 

Author Comment

by:dongcamp100
ID: 39695692
OK.  Just to clarify.  When I install the new CA, do I make it a root CA and/or Enterprise CA?  Keep in mind that I now don't actually have any CA at all in my domain, although the settings are still in AD from the servers that are now gone.  Do I need to do some sort of cleanup on those old settings?
0
 
LVL 38

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 39695743
You already have cleaned up old settings with help of MS article in question itself

Now choice is yours.

AD integrated enterprise root CA needs to be keep online always and most simpler in deployment.

If you deploy Standalone Root CA, then you must deploy Subordinate enterprise root CA to work with Active directory as it contains templates.
Also its security best practise to keep Standalone root CA offline and bring him online when ever only required, may be at the time of certificate renewal of sub ordinate CA
But this will increase overheads maintenance

personally I prefer Enterprise root CA to avoid complications above.

If you have very big setup and very strict company security polices, then you can go with offline Standalone root CA approach otherwise single AD integrated enterprise root CA is sufficient

Mahesh
0
 

Author Closing Comment

by:dongcamp100
ID: 39695755
Thank you!  I was hoping it would be this easy... :)  It has been a rough couple of weeks!
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

877 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question