Solved

Windows 2003 DC to be decommissioned, still running Certification Authority

Posted on 2014-09-19
Last Modified: 2016-04-11
I have an old Windows 2003 DC that I need to retire.  The new Win2008 DCs are in place and seem to be handling everything correctly.  But the Win2003 DC is running Certification Authority and I am not sure if that needs attention before retirement.  Viewing the CA Console - there is only one certificate on it and it expired earlier this year and looks to have been used for Wireless802.11 authentication with our Cisco WLC at some point.  I also see some "Issued Certificates" from 2010-2012 for EFS and DC templates, but nothing current.  
My questions:
1. What can I check to be sure this CA is not doing anything currently affecting my domain?
2. Is there anything that the CA might be handling for the other DCs that would not show up in the CA Console?
3. Do I need to remove this completely, so that I can reinstall CA on the Win2008 Svrs later if needed?  Assuming I would want to correctly remove all things CA related on this Svr just to be sure that I do not need to access this stuff if at some later date I need to setup a CA on one of the newer Svrs and am told there is already a root CA on the domain.
4. What is the correct way to completely remove all things CA on this Win2003 Svr?

Thanks
Question by:SIDESHOWBLAH

Accepted Solution

by:
Seth Simmons earned 500 total points
ID: 40332647
you will need to migrate your database and private key to the new server if you intend to keep it
once that is done you can decommission

Active Directory Certificate Services Migration Guide
http://technet.microsoft.com/en-us/library/ee126170%28v=ws.10%29.aspx

however, if the domain certificate shows as expired, it may not be an issue since you would have seen more problems on your network with the expired certificate

How to decommission a Windows enterprise certification authority and remove all related objects
http://support.microsoft.com/kb/889250

Author Comment

by:SIDESHOWBLAH
ID: 40332752
Thanks for the info.  Is there a way to verify that nothing else is using the Win2003 CA?  I can look in the Console and see that there is 1 certificate and that it expired over a month ago.  But beyond that I am unsure where to look for anything related to the CA on that old Svr.

Expert Comment

by:Seth Simmons
ID: 40332765
I don't have access to a certsrv at the moment, but if you look in the console and don't see anything else issued, it probably isn't doing anything.  Not sure what your time frame is to decommission, but you could stop the cert service for a few days and see if anything unusual appears in the event logs, specifically domain controllers.  If it doesn't seem to have an effect after that, I would say decommission it.
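
One way to run the console check suggested above from the command line, as an added example that is not part of any poster's comment: it exports the CA's issued certificates with certutil and lists the ones that have not expired yet. It assumes PowerShell is installed on the CA server and that it is run there, so the CA is found without a `-config` argument.

```powershell
# Added example: list certificates this CA issued that are still inside their validity period.
# Assumption: run in PowerShell on the CA server itself.

# Disposition=20 selects issued certificates; the trailing "csv" asks certutil for CSV output.
$columns = 'RequestID','RequesterName','CommonName','CertificateTemplate','NotAfter'
$raw = certutil -view -restrict 'Disposition=20' -out ($columns -join ',') csv
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed with exit code $LASTEXITCODE" }

# certutil's header row uses localized display names, so apply our own column names
# and keep only the rows whose first field is a numeric request ID.
$issued = $raw | ConvertFrom-Csv -Header $columns |
    Where-Object { $_.RequestID -match '^\d+$' }

# Dates are printed in the server's locale, which is what [datetime]::Parse uses by default.
$now  = Get-Date
$live = $issued | Where-Object { [datetime]::Parse($_.NotAfter) -gt $now }

"{0} issued, {1} not yet expired" -f @($issued).Count, @($live).Count

# Which templates still have valid certificates outstanding?
$live | Group-Object CertificateTemplate | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# The unexpired certificates themselves, soonest expiry first.
$live | Sort-Object { [datetime]::Parse($_.NotAfter) } |
    Format-Table RequestID, RequesterName, CommonName, CertificateTemplate, NotAfter -AutoSize
```

An empty result only shows that no issued certificate is still valid; it does not show whether a machine will try to enroll against this CA in future, which is what stopping the service and watching the event logs tests.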

Author Comment

by:SIDESHOWBLAH
ID: 40336477
It looks like one of the newer DCs is needing a certificate as a DomainController from this CA.  Once I stopped the CA for the day, I get entries in the EvntVwr of the Win2008 DC that it cannot enroll.  So, is there a way to migrate a CA to a server with a different name?