CnicNV
asked on
Purpose of Active Directory Certification Services Domain Controller Certificate Template?
I am trying to determine if I need to migrate or can simply uninstall and decommission a 2003 Server (non PDC) which has the role of an AD CS. It's a bit of a dependency tangled mess. I have been looking at all of the migration instructions to move this AD CS role and settings over to a Server 2012 OS (which I will not have as a DC). The process looks very complicated and long, with almost all of the information piecemeal, coming from Technet blogs as opposed to some official walkthrough or utility, with the exception of the two following links (which contain more than a few mistakes according to user comments)...
https://technet.microsoft.com/en-us/library/ee126170%28v=ws.10%29.aspx
https://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
My question is, do I need this role in my environment? I'd prefer to simply uninstall this role, demote the server, do metadata cleanup and shut the server down. The only certificates it seems to have issued are a few file level encryption certificate templates, which I can get around by telling these users to un-encrypt these files.
However, what does worry me are the Domain Controller certificate templates that are issued to our Domain Controllers. What the heck do these do? Are they important? Are they necessary for AD replication, user, groups, computer, GPOs, file permissions, remote dial in access, or any of the "traditional" Active Directory Domain based things to function?
Thanks for the info.
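An added check for the question above (not from the post or from Experts Exchange): certificates from the DomainController, Domain Controller Authentication and Kerberos Authentication templates are what a DC presents for LDAPS and uses for Kerberos PKINIT (smart card logon); ordinary RPC-based AD replication, group policy and file permissions do not depend on them. The script below inventories those certificates on every DC and notes whether LDAPS (TCP 636) is currently answering, which is the usual dependency that only surfaces after the CA is gone. It assumes the RSAT ActiveDirectory module, WinRM access to each DC, and the standard template extension OIDs; the report layout is my own.

```powershell
# Added example (not from the original post): inventory DC certificates issued
# from the AD CS domain-controller templates and check whether LDAPS is in use.
# Assumes the ActiveDirectory RSAT module and remoting rights to each DC.
Import-Module ActiveDirectory

# Template names as they appear in certificate extensions. The V1
# 'DomainController' template stores its name in OID 1.3.6.1.4.1.311.20.2;
# V2+ templates ('Domain Controller Authentication', 'Kerberos Authentication')
# store a template OID in 1.3.6.1.4.1.311.21.7, which Format() renders with
# the template's display name.
$dcTemplates = 'DomainController', 'Domain Controller Authentication', 'Kerberos Authentication'

$report = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $name = $dc.HostName
    # Query the DC's own machine store; auto-enrolled DC certificates live there.
    $certs = Invoke-Command -ComputerName $name -ScriptBlock {
        Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
            $tpl = ($_.Extensions | Where-Object {
                $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
            } | ForEach-Object { $_.Format($false) }) -join ';'
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                Template   = $tpl
            }
        }
    }
    # Keep only certificates that came from one of the DC templates.
    $dcCerts = $certs | Where-Object {
        $t = $_.Template
        $dcTemplates | Where-Object { $t -like "*$_*" }
    }
    # If LDAPS answers, LDAP clients or appliances may be relying on these certs.
    $ldaps = (Test-NetConnection -ComputerName $name -Port 636 `
        -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{
        DomainController = $name
        DcTemplateCerts  = $dcCerts.Count
        Issuers          = ($dcCerts.Issuer | Sort-Object -Unique) -join '; '
        EarliestExpiry   = ($dcCerts.NotAfter | Sort-Object | Select-Object -First 1)
        LdapsListening   = $ldaps
    }
}
$report | Format-Table -AutoSize
```

A DC that shows zero template certificates and no LDAPS listener has nothing to lose from the CA's removal; one whose Issuers column names the CA being decommissioned is the one to account for first.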
If you don't know WHY something is installed then don't install it just because it is available. Either you know that you need it, if not then don't install it.
ASKER
LOL, I know, I inherited this ball of yarn (network) just under 2 years ago, and I have been slowly trying to untangle it without causing too much anxiety for myself. I have no idea why this role was installed (let alone on a PDC), but it looks like, based on the expiration dates of most of the certificates, it hasn't been used for 3 or 4 years, besides for Domain Controller and client workstation EFS certs.
Now, in terms of keeping it up and running as a result of not knowing what it was used for, not for lack of trying, but leaning on the side that it is not needed: I would have thought this would be a safer bet? i.e. to migrate it as opposed to shutting it down and finding out it was integral to something. Also, it seems like the process of migrating it is fairly "committal" as a result of having to keep the computer name the same; that is, once I start the process, it's not easy to back out to the original server if things start to break. This is especially problematic if it was also a DC and you need to do metadata cleanup after demotion.
Ughh, I don't know. Looks like I will probably have to migrate this thing and here I was thinking I could turn off our last 2003 Domain Controller after migrating DHCP and FSMO roles off of it :-P
ASKER
Thanks for the feedback :-)
Will.