Solved

Lost AD CS CA server - now what?

Posted on 2013-12-04
4
791 Views
Last Modified: 2013-12-04
Hi all,

A few weeks ago, I lost a domain controller in my network.  Of course, it was a hard fail and I had no good backups.  I thought I had finally recovered when I found that it must have been a CA, as there are certificates that had been issued by it on my domain controllers.  I found this article and was working through it - http://support.microsoft.com/kb/889250.  At one point it says to run "certutil - TCAinfo" and that is reporting the CA as a server that has been gone for nearly two years!  I need to get a CA back up as I am trying to install Lync 2013, but I am a little stuck.  What are the implications of installing a new CA now?  I tried to export a certificate following instructions in another TechNet article, but it says the PK is marked as not exportable, so it will not let me create a .pfx file.  Also, I saw that I should not install the CA on a Domain Controller, is that correct?  All servers are 2008R2.  Any thoughts or suggestions are greatly appreciated!

-Don
0
Question by:dongcamp100
4 Comments
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39695675
You can install a CA on a domain controller.
The only thing is you cannot demote the DC, if that is ever required, unless you remove the CA server role.
Also you should not rename the CA server; I mean if you install the CA server on a DC, and at some point you want to rename the DC, it creates a lot of problems \ complications.
Because all certificates issued by the CA server also have the CA server name hardcoded in the certificates, in the Certificate Revocation List (CRL) and Authority Information Access (AIA).
For these reasons, it's good if you install it separately.

What you can do: install a brand new AD integrated CA server, as you can have multiple CA servers \ authorities in a given domain.

Once you install that, it will take care of DC certificates as well.
Also you may publish its root cert to all clients through GPO.

Mahesh
0
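Mahesh's point about the CA host name being baked into the CRL Distribution Point (CDP) and AIA extensions can be checked directly on each server before the new CA is built. The following PowerShell script is an added example, not part of the thread and not Microsoft's or Mahesh's code: it inventories the local machine certificate store, groups certificates by issuing CA, and prints the CDP/AIA locations so the ones pointing at the lost server stand out. The value of $DeadCaName is a placeholder for the Common Name of the lost CA; the Get-ExtensionUrls helper is this example's own.

```powershell
# Added example (not part of the original thread): inventory the certificates
# in the local machine store, group them by issuing CA, and show where their
# CRL Distribution Point (CDP) and Authority Information Access (AIA)
# extensions point. Those locations embed the CA's host name, so certificates
# from a CA that no longer exists carry CRL/AIA locations nobody can reach.
# Assumption: $DeadCaName is the Common Name of the lost CA (placeholder).
param(
    [string]$DeadCaName = 'OLD-CA-CN-PLACEHOLDER'
)

# OIDs of the two extensions that carry the CA's published locations
$CdpOid = '2.5.29.31'          # CRL Distribution Points
$AiaOid = '1.3.6.1.5.5.7.1.1'  # Authority Information Access

# Helper (this example's own): pull the URL= entries out of one extension.
function Get-ExtensionUrls {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as multi-line text with URL= lines
    $text = $ext.Format($true)
    return @($text -split "`r?`n" |
        Where-Object { $_ -match 'URL=' } |
        ForEach-Object { ($_ -split 'URL=', 2)[1].Trim() })
}

$certs = Get-ChildItem Cert:\LocalMachine\My
$report = foreach ($c in $certs) {
    New-Object PSObject -Property @{
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        NotAfter   = $c.NotAfter
        Thumbprint = $c.Thumbprint
        CdpUrls    = (Get-ExtensionUrls -Cert $c -Oid $CdpOid) -join '; '
        AiaUrls    = (Get-ExtensionUrls -Cert $c -Oid $AiaOid) -join '; '
        FromDeadCa = ($c.Issuer -match [regex]::Escape("CN=$DeadCaName"))
    }
}

"Certificates per issuing CA:"
$report | Group-Object Issuer | Select-Object Count, Name | Format-Table -AutoSize

"Certificates issued by the lost CA (candidates for re-issue from the new CA):"
$report | Where-Object { $_.FromDeadCa } |
    Format-List Subject, NotAfter, Thumbprint, CdpUrls, AiaUrls
```

Run it in an elevated Windows PowerShell session on each DC; it only reads the store, so it is safe to run before any change. The same approach works against Cert:\LocalMachine\Root and Cert:\LocalMachine\CA if you want to see whether the dead CA's own certificate is still trusted locally.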
 

Author Comment

by:dongcamp100
ID: 39695692
OK.  Just to clarify.  When I install the new CA, do I make it a root CA and/or Enterprise CA?  Keep in mind that I now don't actually have any CA at all in my domain, although the settings are still in AD from the servers that are now gone.  Do I need to do some sort of cleanup on those old settings?
0
 
LVL 37

Accepted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39695743
You have already cleaned up the old settings with the help of the MS article in the question itself.

Now the choice is yours.

An AD integrated enterprise root CA needs to be kept online always and is the simplest in deployment.

If you deploy a standalone root CA, then you must deploy a subordinate enterprise root CA to work with Active Directory, as it contains templates.
Also it is a security best practice to keep the standalone root CA offline and bring it online only whenever required, maybe at the time of certificate renewal of the subordinate CA.
But this will increase maintenance overhead.

Personally I prefer an enterprise root CA to avoid the complications above.

If you have a very big setup and very strict company security policies, then you can go with the offline standalone root CA approach; otherwise a single AD integrated enterprise root CA is sufficient.

Mahesh
0
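To make the recommended option concrete, here is an added PowerShell example (not from the thread, not Mahesh's or Microsoft's script) that stands up a single AD-integrated enterprise root CA and then checks what AD now advertises. It assumes the ADCSDeployment module, which ships with Windows Server 2012 and later (on the asker's 2008 R2 servers the same role is configured through the Server Manager wizard and the certutil steps still apply), a domain-joined member server rather than a DC, and an Enterprise Admin session; the CA name and output path are placeholders.

```powershell
# Added example (not part of the original thread): build one AD-integrated
# enterprise root CA, the option recommended above, then confirm that AD
# only lists the new CA. Assumptions: Windows Server 2012 or later with the
# ADCSDeployment module, run as Enterprise Admin on a domain-joined member
# server. $CaCommonName and $ExportPath are placeholders.
$CaCommonName  = 'CONTOSO-ROOT-CA-PLACEHOLDER'
$ExportPath    = 'C:\Temp\newroot.cer'
$ValidityYears = 10

# 1. Install the role binaries (Install-WindowsFeature is the 2012+ name;
#    2008 R2 uses Add-WindowsFeature from the ServerManager module instead).
Import-Module ServerManager
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure it as an enterprise root CA with a 2048-bit RSA key and SHA-256.
Import-Module ADCSDeployment
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName $CaCommonName `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -ValidityPeriod Years -ValidityPeriodUnits $ValidityYears `
    -Force

# 3. Export the new root certificate. An enterprise CA already publishes it to
#    the AD configuration partition; -dspublish -f re-publishes it explicitly to
#    the Root CA container (harmless if it is already there) and the exported
#    file can also be imported into a GPO under Trusted Root CAs.
certutil -ca.cert $ExportPath
certutil -dspublish -f $ExportPath RootCA

# 4. Verify: this is the same check the question refers to from KB 889250.
#    After the old CA was cleaned up, only the new CA should be listed.
certutil -TCAInfo

# 5. On a client or DC, pull the published roots and kick autoenrollment so
#    the domain controller certificate is re-issued by the new CA.
#    (Run on the DC, not on the CA: gpupdate /force ; certutil -pulse)
```

The `-Force` switch suppresses the confirmation prompt; leave it out on the first run if you want to review the settings the cmdlet echoes back. Once `certutil -TCAInfo` shows only the new CA, the DC certificates from the lost CA can be left to expire or removed after the re-issued ones appear in Cert:\LocalMachine\My.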
 

Author Closing Comment

by:dongcamp100
ID: 39695755
Thank you!  I was hoping it would be this easy... :)  It has been a rough couple of weeks!
0