Solved

Windows 2003 DC to be decommisioned, still running Certification Authority

Posted on 2014-09-19
4
31 Views
Last Modified: 2016-04-11
I have an old Windows 2003 DC that I need to retire.  The new Win2008 DCs are in place and seem to be handling everything correctly.  But the Win2003 DC is running Certification Authority and I am not sure if that needs attention before retirement.  Viewing the CA Console - there is only one certificate on it and it expired earlier this year and looks to have been used for Wireless802.11 authentication with our Cisco WLC at some point.  I also see some "Issued Certificates" from 2010-2012 for EFS and DC templates, but nothing current.  
My questions:
1. What can I check to be sure this CA is not doing anything current;ly affecting my domain?
2. Is there anything that the CA might be handling for the other DCs that would not show up in the CA Console?
3. Do I need to remove this completely, so that I can reinstall CA on the Win2008 Svrs later if needed?  Assuming I would want to correctly remove all things CA related on this Svr just to be sure that I do not need to access this stuff if at some later date I need to setup a CA on one of the newer Svrs and am told there is already a root CA on the domain.
4. What is the correct way to completely remove all things CA on this Win2003 Svr?

Thanks
0
Comment
Question by:SIDESHOWBLAH
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 35

Accepted Solution

by:
Seth Simmons earned 500 total points
ID: 40332647
you would will need to migrate your database and private key to the new server if you intend to keep it
once that is done you can decommission

Active Directory Certificate Services Migration Guide
http://technet.microsoft.com/en-us/library/ee126170%28v=ws.10%29.aspx

however, if the domain certificate shows as expired, it may not be an issue since you would have seen more problems on your network with the expired certificate

How to decommission a Windows enterprise certification authority and remove all related objects
http://support.microsoft.com/kb/889250
0
 

Author Comment

by:SIDESHOWBLAH
ID: 40332752
Thanks for the info.  Is there a way to verify that nothing else is using the Win2003 CA?  I can look in the Console and see that there is 1 certificate and that it expired over a month ago.  But beyond that I am unsure where to look for anything related to the CA on that old Svr.
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40332765
i don't have access to a certsrv at the moment but if you look in the console and don't see anything else issued, it probably isn't doing anything.  not sure what your time frame is to decommission but you could stop the cert service for a few days and see if anything unusual appears in the event logs-specifically domain controllers.  if it doesn't seem to have an affect after that i would say decommission it
0
 

Author Comment

by:SIDESHOWBLAH
ID: 40336477
It looks like one of the newer DCs is needing a certificate as a DomainController from this CA.  Once I stopped the CA for the day, I get entries in the EvntVwr of the Win2008 DC that it cannot enroll,  So, is there a way to migrate a CA to a server with a different name?
0

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question