Removal of Certification Authority on Windows Server 2008 R2 Enterprise DC

Hi All,

I would like to remove the certificate authority and its services from my 2008 R2 Enterprise DC.
In the issued certificates of the certification authority I have 30 or so certificates, half of which are expired or invalid.

There are Basic EFS certificates (issued when someone tries to encrypt a file) and there are Domain Controller certificates.

This certificate authority was implemented in the past to place a self-signed certificate on Exchange. No other use was intended for this certificate authority, and I do not have any use for it now.

My questions are:

1- Which procedure should I follow to remove my certificate authority properly from this DC? Is this KB 889250?
2- Will this have any ill effect on domain controller communication? Will I get any errors after I remove this?
3- When I installed my certification authority, did this change the way domain controllers communicate?
4- If I remove the certification authority and services, how will my domain controllers communicate? Will this be less secure?
5- If 4 is true, how can I then make DC comms secure?

Thanking you in advance,


David Johnson, CD, MVP (Owner) commented:
You have got the correct procedure. How about Exchange, for which the CA was added originally? They will use self-signed certs, and self-signed certs are less secure than CA-signed certs, since any machine can create a self-signed cert.
If Exchange is using a certificate from this CA, you should probably first build a new public cert for Exchange and install it on the Exchange server.

Then you can take a CA backup and remove the CA role from the server; this is just a precautionary measure in case you want to install the CA role again on the same server or on another server with the same name.

DC configuration never gets changed after you add a Certificate Authority.
You will not get any errors after you remove the CA from the server.
You can simply delete the domain controller certificate from the Personal store on the DC.

If you want to start secure communication with the DC over Secure LDAP (TCP 636), you need to install an AD service certificate on the DC.
Check the article below for how to:

I believe you have not set up anything like the above as of now.

The KB is fine to follow without any issues.
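The answer above says to delete the domain controller certificate from the DC's Personal store and that Secure LDAP on TCP 636 needs a certificate on the DC. The script below is an added example, not code from the thread, the KB article, or Microsoft: run elevated on the DC before removing the CA role, it lists the machine Personal store, marks which certificates were issued by the CA being decommissioned and whether they have expired, and connects to port 636 to see which certificate (if any) the DC currently presents for LDAPS. `$CaName` is a placeholder you replace with the CA's common name; the function and parameter names are mine. The removal function is a dry run unless `-Force` is given, and it only touches certificates that are both expired and issued by that CA.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the DC.
# $CaName is a placeholder: use the CA's common name as shown in the Certification
# Authority console or in the output of "certutil -key".
$CaName = 'YOUR-CA-NAME'

function Get-DcPersonalStoreReport {
    # Lists every certificate in the machine Personal store and flags the ones
    # issued by the CA being removed and the ones that have already expired.
    param([string]$CaCommonName)
    $now = Get-Date
    $issuerPattern = 'CN=' + [regex]::Escape($CaCommonName)
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        New-Object PSObject -Property @{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            Expired    = ($_.NotAfter -lt $now)
            FromOurCA  = ($_.Issuer -match $issuerPattern)
            Thumbprint = $_.Thumbprint
        }
    } | Select-Object Subject, Issuer, NotAfter, Expired, FromOurCA, Thumbprint
}

function Test-LdapsListener {
    # Opens a TLS session to the DC on TCP 636 and reports the certificate it presents.
    # Any certificate is accepted here: the point is to see what is configured, not to trust it.
    param([string]$Server = $env:COMPUTERNAME, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        New-Object PSObject -Property @{
            Listening = $true
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer
            NotAfter  = $cert.NotAfter
        }
    } catch {
        # No listener, or no usable server certificate in the DC's store, ends up here.
        New-Object PSObject -Property @{ Listening = $false; Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

function Remove-ExpiredCaIssuedCerts {
    # Dry run by default: prints what would be deleted. Pass -Force to actually delete.
    # Only certificates that are BOTH expired AND issued by the named CA are considered.
    param([string]$CaCommonName, [switch]$Force)
    $issuerPattern = 'CN=' + [regex]::Escape($CaCommonName)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        # @() copies the collection so removing items does not disturb the loop.
        foreach ($cert in @($store.Certificates)) {
            if (($cert.Issuer -match $issuerPattern) -and ($cert.NotAfter -lt (Get-Date))) {
                if ($Force) {
                    $store.Remove($cert)
                    "Removed $($cert.Thumbprint) ($($cert.Subject))"
                } else {
                    "Would remove $($cert.Thumbprint) ($($cert.Subject)); rerun with -Force to delete"
                }
            }
        }
    } finally {
        $store.Close()
    }
}

Get-DcPersonalStoreReport -CaCommonName $CaName | Format-Table -AutoSize
Test-LdapsListener | Format-List
Remove-ExpiredCaIssuedCerts -CaCommonName $CaName   # dry run; add -Force to delete
```

Run `Test-LdapsListener` once before and once after deleting the DC certificate: Windows picks the LDAPS server certificate from the machine Personal store, so if the only certificate there came from the CA you are removing, port 636 will stop completing a TLS handshake afterwards, while Kerberos-secured replication and normal LDAP on 389 are unaffected. That is the practical meaning of questions 4 and 5 in the original post.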
giorgio71 (Author) commented:
Thank you for your answers.

Please disregard Exchange - I have placed a Verisign certificate on it.

One other question (in addition to the above):

5- I see that the Default Domain Policy has two sections on public key policies, and the EFS section has a certificate issued to the domain admin that has expired.

Do these get removed automatically from the Default Domain Policy after I remove the certification authority?

No, it will not get removed automatically.

You need to remove it manually.
giorgio71 (Author) commented:

When I get to the stage of STEP 5 in KB 889250 and I issue certutil -key, the information doesn't present me with the CA name as in KB 889250; I get the following in key.txt:
If you are not using this CA server in future, you can directly uninstall the CA role from Add/Remove Server Roles instead of following the article.
