Lost AD CS CA server - now what?

Hi all,

A few weeks ago, I lost a domain controller in my network.  Of course, it was a hard fail and I had no good backups.  I thought I had finally recovered when I found that it must have been a CA, as there are certificates that had been issued by it on my domain controllers.  I found this article and was working through it - http://support.microsoft.com/kb/889250.  At one point it says to run "certutil - TCAinfo" and that is reporting the CA as a server that has been gone for nearly two years!  I need to get a CA back up as I am trying to install Lync 2013, but I am a little stuck.  What are the implications of installing a new CA now?  I tried to export a certificate following instructions in another TechNet article, but it says the PK is marked as not exportable, so it will not let me create a .pfx file.  Also, I saw that I should not install the CA on a Domain Controller, is that correct?  All servers are 2008R2.  Any thoughts or suggestions are greatly appreciated!

-Don
dongcamp100Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
MaheshConnect With a Mentor ArchitectCommented:
You already have cleaned up old settings with help of MS article in question itself

Now choice is yours.

AD integrated enterprise root CA needs to be keep online always and most simpler in deployment.

If you deploy Standalone Root CA, then you must deploy Subordinate enterprise root CA to work with Active directory as it contains templates.
Also its security best practise to keep Standalone root CA offline and bring him online when ever only required, may be at the time of certificate renewal of sub ordinate CA
But this will increase overheads maintenance

personally I prefer Enterprise root CA to avoid complications above.

If you have very big setup and very strict company security polices, then you can go with offline Standalone root CA approach otherwise single AD integrated enterprise root CA is sufficient

Mahesh
0
 
MaheshConnect With a Mentor ArchitectCommented:
You can install CA on domain controller
Only thing you cannot demote the DC in case if required unless you remove CA server role
Also you should not rename the CA server name, I mean if you install CA server on DC, and some point of time if you want to rename DC, its creates lot of problem \ complications.
Because all certificates that issued by CA server has also hardcode CA server name in certificates with Certificate revocation list (CRL) and Authority Information Access (AIA)
For this matters, its good if you install it separately

What you can do, install brand new AD integrated CA server as u can have multiple CA servers \ Authorities in a given domain.

Once you install that, it will take care of DC certificates as well
Also you may publish its root cert to all clients through GPO

Mahesh
0
 
dongcamp100Author Commented:
OK.  Just to clarify.  When I install the new CA, do I make it a root CA and/or Enterprise CA?  Keep in mind that I now don't actually have any CA at all in my domain, although the settings are still in AD from the servers that are now gone.  Do I need to do some sort of cleanup on those old settings?
0
 
dongcamp100Author Commented:
Thank you!  I was hoping it would be this easy... :)  It has been a rough couple of weeks!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.