Windows 2003 DC to be decommissioned, still running Certification Authority

I have an old Windows 2003 DC that I need to retire. The new Win2008 DCs are in place and seem to be handling everything correctly. But the Win2003 DC is running Certification Authority and I am not sure if that needs attention before retirement. Viewing the CA Console - there is only one certificate on it and it expired earlier this year and looks to have been used for Wireless 802.11 authentication with our Cisco WLC at some point. I also see some "Issued Certificates" from 2010-2012 for EFS and DC templates, but nothing current.
My questions:
1. What can I check to be sure this CA is not doing anything currently affecting my domain?
2. Is there anything that the CA might be handling for the other DCs that would not show up in the CA Console?
3. Do I need to remove this completely, so that I can reinstall CA on the Win2008 Svrs later if needed?  Assuming I would want to correctly remove all things CA related on this Svr just to be sure that I do not need to access this stuff if at some later date I need to setup a CA on one of the newer Svrs and am told there is already a root CA on the domain.
4. What is the correct way to completely remove all things CA on this Win2003 Svr?

Thanks
Asked by: SIDESHOWBLAH

1 Solution

Seth Simmons (Sr. Systems Administrator) commented:
you will need to migrate your database and private key to the new server if you intend to keep it
once that is done you can decommission

Active Directory Certificate Services Migration Guide
http://technet.microsoft.com/en-us/library/ee126170%28v=ws.10%29.aspx

however, if the domain certificate shows as expired, it may not be an issue since you would have seen more problems on your network with the expired certificate

How to decommission a Windows enterprise certification authority and remove all related objects
http://support.microsoft.com/kb/889250
SIDESHOWBLAH (Author) commented:
Thanks for the info.  Is there a way to verify that nothing else is using the Win2003 CA?  I can look in the Console and see that there is 1 certificate and that it expired over a month ago.  But beyond that I am unsure where to look for anything related to the CA on that old Svr.
Seth Simmons (Sr. Systems Administrator) commented:
i don't have access to a certsrv at the moment but if you look in the console and don't see anything else issued, it probably isn't doing anything.  not sure what your time frame is to decommission but you could stop the cert service for a few days and see if anything unusual appears in the event logs - specifically domain controllers.  if it doesn't seem to have an effect after that i would say decommission it
SIDESHOWBLAH (Author) commented:
It looks like one of the newer DCs is needing a certificate as a DomainController from this CA.  Once I stopped the CA for the day, I get entries in the EvntVwr of the Win2008 DC that it cannot enroll.  So, is there a way to migrate a CA to a server with a different name?

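The question raised in this thread, whether anything still depends on the Win2003 CA, can also be checked from the CA database without stopping the service. The PowerShell below is an added example, not part of the original posts: it asks certutil for every issued certificate and keeps the ones that have not yet expired, summarized by template. The CA config string is a placeholder, and it assumes certutil.exe is available and the account can read the CA database.

```powershell
# Added example: list certificates issued by the old CA that are still valid.
# $CaConfig is a placeholder "host\CA name" string; replace it with your own.
param(
    [string]$CaConfig = 'OLD-DC01\Example-CA'
)

$columns = 'RequestID','RequesterName','CommonName','NotAfter','CertificateTemplate'

# Disposition=20 selects issued certificates (21 would be revoked ones).
$raw = & certutil.exe -config $CaConfig -view -restrict 'Disposition=20' `
        -out ($columns -join ',') csv
if ($LASTEXITCODE -ne 0) { throw "certutil failed: $raw" }

# The first CSV row is a header of display names; skip it and apply our own names.
$rows = $raw | Select-Object -Skip 1 | ConvertFrom-Csv -Header $columns

$now  = Get-Date
$live = @(foreach ($r in $rows) {
    $expires = [datetime]::MinValue
    # NotAfter is printed in the local date format, so parse with the current culture.
    # Rows that do not parse (blank or status lines) are dropped here.
    if ([datetime]::TryParse($r.NotAfter, [ref]$expires) -and $expires -gt $now) {
        $r | Add-Member -MemberType NoteProperty -Name Expires -Value $expires -PassThru
    }
})

if ($live.Count -eq 0) {
    Write-Output "No unexpired issued certificates found on $CaConfig."
} else {
    # Which templates still have live certificates (for example DomainController, EFS).
    $live | Group-Object CertificateTemplate | Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize

    # Who holds them and when they expire, soonest first.
    $live | Sort-Object Expires |
        Format-Table RequestID, RequesterName, CommonName, Expires, CertificateTemplate -AutoSize
}
```

An empty result only shows that no issued certificate is still within its validity period; clients configured to enroll from this CA, such as the domain controller mentioned above, will still log enrollment failures once it is offline.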