Solved

Lost AD CS CA server - now what?

Posted on 2013-12-04
Last Modified: 2013-12-04
Hi all,

A few weeks ago, I lost a domain controller in my network.  Of course, it was a hard fail and I had no good backups.  I thought I had finally recovered when I found that it must have been a CA, as there are certificates that had been issued by it on my domain controllers.  I found this article and was working through it - http://support.microsoft.com/kb/889250.  At one point it says to run "certutil -TCAInfo" and that is reporting the CA as a server that has been gone for nearly two years!  I need to get a CA back up as I am trying to install Lync 2013, but I am a little stuck.  What are the implications of installing a new CA now?  I tried to export a certificate following instructions in another TechNet article, but it says the PK is marked as not exportable, so it will not let me create a .pfx file.  Also, I saw that I should not install the CA on a Domain Controller, is that correct?  All servers are 2008R2.  Any thoughts or suggestions are greatly appreciated!

-Don
Question by:dongcamp100

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39695675
You can install a CA on a domain controller.
The only thing is that you cannot demote the DC if required unless you remove the CA server role.
Also, you should not rename the CA server. I mean, if you install the CA server on a DC and at some point you want to rename the DC, it creates a lot of problems \ complications.
Because all certificates issued by the CA server also have the CA server name hardcoded in the certificates' Certificate Revocation List (CRL) and Authority Information Access (AIA) locations.
For these matters, it is good if you install it separately.

What you can do is install a brand new AD integrated CA server, as you can have multiple CA servers \ authorities in a given domain.

Once you install that, it will take care of DC certificates as well.
Also, you may publish its root cert to all clients through GPO.

Mahesh

Author Comment

by:dongcamp100
ID: 39695692
OK.  Just to clarify.  When I install the new CA, do I make it a root CA and/or Enterprise CA?  Keep in mind that I now don't actually have any CA at all in my domain, although the settings are still in AD from the servers that are now gone.  Do I need to do some sort of cleanup on those old settings?

Accepted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39695743
You have already cleaned up the old settings with the help of the MS article in the question itself.

Now the choice is yours.

An AD integrated enterprise root CA needs to be kept online always and is the simplest to deploy.

If you deploy a standalone root CA, then you must deploy a subordinate enterprise root CA to work with Active Directory, as it contains the templates.
Also, it is a security best practice to keep the standalone root CA offline and bring it online only whenever required, maybe at the time of certificate renewal of the subordinate CA.
But this will increase maintenance overhead.

Personally, I prefer an enterprise root CA to avoid the complications above.

If you have a very big setup and very strict company security policies, then you can go with the offline standalone root CA approach; otherwise a single AD integrated enterprise root CA is sufficient.

Mahesh

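Before installing the new CA, it helps to see exactly which CAs Active Directory still advertises to clients, since a dead CA's enrollment object is what makes `certutil -TCAInfo` report a server that has been gone for years. The following read-only check is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module and a domain-joined account with read access to the configuration partition, and the function name `Get-AdvertisedCAStatus` is my own.

```powershell
# Added example (not from the thread): read-only inventory of the CA objects that
# Active Directory still advertises under Public Key Services, flagging entries
# whose host no longer has a computer account (candidates for the cleanup that
# KB889250 describes) and whose CA certificate has already expired.
# Assumes the RSAT ActiveDirectory module (Get-ADRootDSE, Get-ADObject, Get-ADComputer).
Import-Module ActiveDirectory

function Get-AdvertisedCAStatus {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $pksBase  = "CN=Public Key Services,CN=Services,$configNC"

    # Every pKIEnrollmentService object here is a CA that domain clients will
    # try to enrol against, even if the server behind it no longer exists.
    $enrollSvcs = Get-ADObject -SearchBase "CN=Enrollment Services,$pksBase" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties dNSHostName, cACertificate, displayName

    foreach ($svc in $enrollSvcs) {
        $hostName  = $svc.dNSHostName
        $shortName = ($hostName -split '\.')[0]

        # Is there still a computer account for the advertised host?
        $computer = Get-ADComputer -Filter "Name -eq '$shortName'" -ErrorAction SilentlyContinue

        # cACertificate is multi-valued (one byte[] per CA certificate); take the first.
        $values    = $svc.cACertificate
        $certBytes = if ($values -is [byte[]]) { $values } else { [byte[]]($values | Select-Object -First 1) }
        $cert      = $null
        if ($certBytes) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$certBytes)
        }
        $notAfter = if ($cert) { $cert.NotAfter } else { $null }
        $expired  = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }

        [PSCustomObject]@{
            CAName       = $svc.displayName
            Host         = $hostName
            ComputerInAD = [bool]$computer
            CertNotAfter = $notAfter
            CertExpired  = $expired
            # No computer account behind the advertised host: stale enrollment entry
            Stale        = (-not $computer)
        }
    }
}

Get-AdvertisedCAStatus | Format-Table -AutoSize
```

Rows marked Stale are the entries KB889250 walks you through removing; the script itself changes nothing, so it is safe to run before and after the cleanup to confirm only the new CA remains advertised.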
Author Closing Comment

by:dongcamp100
ID: 39695755
Thank you!  I was hoping it would be this easy... :)  It has been a rough couple of weeks!
