Removal of Certification Authority on Windows Server 2008 R2 Enterprise DC

Hi All,

I would like to remove certificate authority and services from my 2008 R2 Enterprise DC.
On my issued certificates in the certification authority I have 30 or so certificates half of which are expired or invalid.

There are Basic EFS certificates (issued when someone tries to encrypt a file) and there are Domain Controller certificates.

This certificate authority was implemented in the past to place a self signed certificate for Exchange. No other use was intended for this certificate authority and I do not have any use for this now.

My questions are:

1- Which procedure should I follow to remove my certificate authority properly from this DC? Is this KB 889250?
2- Will this have any ill effect on domain controller communication? Will I get any errors after I remove this?
3- When I installed my certification authority, did this change the way domain controllers communicate?
4- If I remove the certification authority and services, how will my domain controllers communicate? Will this be less secure?
5- If 4 is true, how can I then make DC comms secure?

Thanking you in advance,

If you are not going to use this CA server in future, you can directly uninstall the CA role from Add/Remove Server Roles instead of following the article.
David Johnson, CD, MVP (Owner) Commented:
You have got the correct procedure. How about Exchange, for which the CA was added originally? They will use self-signed certs, and self-signed certs are less secure than CA-signed certs, since any machine can create a self-signed cert.
If Exchange is using a certificate from this CA, you should probably first build a new public cert for Exchange and install it on the Exchange server.

Then you can take a CA backup and remove the CA role from the server. This is just a precautionary measure in case you want to install the CA role again on the same server, or on another server with the same name.

DC configuration never gets changed after you add a Certificate Authority.
You will not get any errors after you remove the CA from the server.
You can simply delete the domain controller certificate from the Personal store on the DC.

If you want to start secure communication with the DC over Secure LDAP (TCP 636), you need to install an AD service certificate on the DC.
Check the article below for how to:

I believe you have not set up anything like the above as of now.

The KB is fine to follow without any issues.
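A read-only audit that goes with the advice above, added here as an example (it is not from the thread or from Microsoft): it lists the certificates in the DC's machine Personal store that were issued by the CA being removed, flags the expired ones by their usage (EFS vs. DC authentication), and checks whether anything answers on TCP 636. `OLD-CA-NAME` and `localhost` are placeholders for the CA's common name and the DC to probe. A successful TCP connect only proves a listener exists, not that the LDAPS certificate is valid or trusted.

```powershell
# Added example, not part of the original thread. Read-only: nothing is deleted.
# Works on Windows Server 2008 R2 / PowerShell 2.0 (no Test-NetConnection needed).
param(
    [string]$OldCaName = 'OLD-CA-NAME',   # placeholder: CN of the CA being decommissioned
    [string]$DcName    = 'localhost'      # placeholder: DC to probe for Secure LDAP
)

function Get-OldCaCertificates {
    param([string]$CaName)
    # Certificates in the machine Personal store whose issuer is the old CA
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like "CN=$CaName*" } |
        ForEach-Object {
            # Read the Enhanced Key Usage extension so EFS and DC auth certs are distinguishable
            $eku = $_.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            $usages = if ($eku) { ($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ' } else { '(none)' }
            New-Object PSObject -Property @{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Expired    = ($_.NotAfter -lt (Get-Date))
                Usages     = $usages
            }
        }
}

function Test-LdapsListener {
    param([string]$HostName, [int]$Port = 636)
    # Plain TCP connect: shows whether an LDAPS listener exists, nothing about the cert itself
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$certs = @(Get-OldCaCertificates -CaName $OldCaName)
$certs | Sort-Object NotAfter | Format-Table Subject, Usages, NotAfter, Expired, Thumbprint -AutoSize
"Certificates issued by $OldCaName : $($certs.Count), expired: $(@($certs | Where-Object { $_.Expired }).Count)"
"LDAPS (TCP 636) answering on $DcName : $(Test-LdapsListener -HostName $DcName)"
```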

giorgio71 (Author) Commented:
Thank you for your answers.

Please disregard Exchange - I have placed a Verisign certificate on it.

One other question (in addition to the above)

5- I see that the Default Domain Policy has two sections on public key policies, and the EFS section has a certificate issued to the domain admin that has expired.

Do these get removed automatically from the Default Domain Policy after I remove the certification authority?

No, it will not get removed automatically.

You need to remove it manually.
giorgio71 (Author) Commented:

When I get to the stage of STEP 5 in KB 889250 and I issue certutil -key, the information doesn't present me with the CA name as in KB 889250; I get the following in key.txt