SIDESHOWBLAH

asked on

Windows 2003 DC to be decommissioned, still running Certification Authority

I have an old Windows 2003 DC that I need to retire. The new Win2008 DCs are in place and seem to be handling everything correctly. But the Win2003 DC is running Certification Authority and I am not sure if that needs attention before retirement. Viewing the CA Console - there is only one certificate on it and it expired earlier this year and looks to have been used for Wireless 802.11 authentication with our Cisco WLC at some point. I also see some "Issued Certificates" from 2010-2012 for EFS and DC templates, but nothing current.
My questions:
1. What can I check to be sure this CA is not doing anything currently affecting my domain?
2. Is there anything that the CA might be handling for the other DCs that would not show up in the CA Console?
3. Do I need to remove this completely, so that I can reinstall CA on the Win2008 Svrs later if needed?  Assuming I would want to correctly remove all things CA related on this Svr just to be sure that I do not need to access this stuff if at some later date I need to setup a CA on one of the newer Svrs and am told there is already a root CA on the domain.
4. What is the correct way to completely remove all things CA on this Win2003 Svr?

Thanks
ASKER CERTIFIED SOLUTION
Seth Simmons
This solution is only available to members.

ASKER

Thanks for the info.  Is there a way to verify that nothing else is using the Win2003 CA?  I can look in the Console and see that there is 1 certificate and that it expired over a month ago.  But beyond that I am unsure where to look for anything related to the CA on that old Svr.
I don't have access to a certsrv at the moment, but if you look in the console and don't see anything else issued, it probably isn't doing anything. Not sure what your time frame is to decommission, but you could stop the cert service for a few days and see if anything unusual appears in the event logs - specifically domain controllers. If it doesn't seem to have an effect after that, I would say decommission it.
It looks like one of the newer DCs is needing a certificate as a DomainController from this CA. Once I stopped the CA for the day, I get entries in the EvntVwr of the Win2008 DC that it cannot enroll. So, is there a way to migrate a CA to a server with a different name?
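
An added example, not part of the original thread: besides stopping the service and watching the event logs, the dependency found above can be checked directly by listing the unexpired certificates in each server's computer store that chain to the old CA. The CA name `CONTOSO-OLD-CA` is a placeholder for the common name shown in the CA console, and PowerShell 2.0 or later is assumed on the server being checked.

```powershell
# Added example: run locally on each DC / member server to find live
# certificates that were issued by the CA being retired.
param(
    # Placeholder: replace with the CA common name shown in the CA console.
    [string]$CaCommonName = 'CONTOSO-OLD-CA'
)

# Extensions that record which certificate template was used.
$TemplateOids = @(
    '1.3.6.1.4.1.311.20.2',   # Certificate Template Name (v1 templates)
    '1.3.6.1.4.1.311.21.7'    # Certificate Template Information (v2+ templates)
)

$now = Get-Date

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        # Issuer is a distinguished name string such as "CN=<CA name>, DC=..."
        ($_.Issuer -like "CN=$CaCommonName,*" -or $_.Issuer -eq "CN=$CaCommonName") -and
        $_.NotAfter -gt $now
    } |
    ForEach-Object {
        $cert = $_

        # Decode the template extension, if present, into readable text.
        $template = $cert.Extensions |
            Where-Object { $TemplateOids -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) } |
            Select-Object -First 1

        $cert | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey,
            @{ Name = 'Template'; Expression = { $template } },
            @{ Name = 'DaysLeft'; Expression = { [int]($cert.NotAfter - $now).TotalDays } }
    } |
    Sort-Object NotAfter |
    Format-Table -AutoSize
```

An empty result means no unexpired certificate from that CA sits in this machine's computer store. It does not cover per-user stores, which is where EFS certificates live.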