Solved

Windows 2003 DC to be decommisioned, still running Certification Authority

Posted on 2014-09-19
4
22 Views
Last Modified: 2016-04-11
I have an old Windows 2003 DC that I need to retire.  The new Win2008 DCs are in place and seem to be handling everything correctly.  But the Win2003 DC is running Certification Authority and I am not sure if that needs attention before retirement.  Viewing the CA Console - there is only one certificate on it and it expired earlier this year and looks to have been used for Wireless802.11 authentication with our Cisco WLC at some point.  I also see some "Issued Certificates" from 2010-2012 for EFS and DC templates, but nothing current.  
My questions:
1. What can I check to be sure this CA is not doing anything current;ly affecting my domain?
2. Is there anything that the CA might be handling for the other DCs that would not show up in the CA Console?
3. Do I need to remove this completely, so that I can reinstall CA on the Win2008 Svrs later if needed?  Assuming I would want to correctly remove all things CA related on this Svr just to be sure that I do not need to access this stuff if at some later date I need to setup a CA on one of the newer Svrs and am told there is already a root CA on the domain.
4. What is the correct way to completely remove all things CA on this Win2003 Svr?

Thanks
0
Comment
Question by:SIDESHOWBLAH
  • 2
  • 2
4 Comments
 
LVL 34

Accepted Solution

by:
Seth Simmons earned 500 total points
Comment Utility
you would will need to migrate your database and private key to the new server if you intend to keep it
once that is done you can decommission

Active Directory Certificate Services Migration Guide
http://technet.microsoft.com/en-us/library/ee126170%28v=ws.10%29.aspx

however, if the domain certificate shows as expired, it may not be an issue since you would have seen more problems on your network with the expired certificate

How to decommission a Windows enterprise certification authority and remove all related objects
http://support.microsoft.com/kb/889250
0
 

Author Comment

by:SIDESHOWBLAH
Comment Utility
Thanks for the info.  Is there a way to verify that nothing else is using the Win2003 CA?  I can look in the Console and see that there is 1 certificate and that it expired over a month ago.  But beyond that I am unsure where to look for anything related to the CA on that old Svr.
0
 
LVL 34

Expert Comment

by:Seth Simmons
Comment Utility
i don't have access to a certsrv at the moment but if you look in the console and don't see anything else issued, it probably isn't doing anything.  not sure what your time frame is to decommission but you could stop the cert service for a few days and see if anything unusual appears in the event logs-specifically domain controllers.  if it doesn't seem to have an affect after that i would say decommission it
0
 

Author Comment

by:SIDESHOWBLAH
Comment Utility
It looks like one of the newer DCs is needing a certificate as a DomainController from this CA.  Once I stopped the CA for the day, I get entries in the EvntVwr of the Win2008 DC that it cannot enroll,  So, is there a way to migrate a CA to a server with a different name?
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

This is my 3rd article on SCCM in recent weeks, the 1st (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_4466-A-beginners-guide-to-installing-SCCM2007-on-Windows-2008-R2-Server.html) dealing with installat…
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now