Purpose of Active Directory Certification Services Domain Controller Certificate Template?

I am trying to determine if I need to migrate or can simply uninstall and decommission a 2003 Server (non PDC) which has the role of an AD CS.  It's a bit of a dependency tangled mess.  I have been looking at all of the migration instructions to move this AD CS role and settings over to a Server 2012 OS (which I will not have as a DC).  The process looks very complicated and long, with almost all of the information piecemeal, coming from Technet blogs as opposed to some official walk through or utility, with the exception of the two following links (which contain more than a few mistakes according to user comments)...



My question is, do I need this role in my environment.  I'd prefer to simply uninstall this role, demote the server, metadata clean up and shut the server down.  The only certificates it seems to have issued are a few file level encryption certificate templates, which I can get around by telling these users to un-encrypt these files.

However, what does worry me are the Domain Controller certificate templates that are issued to our Domain Controllers.  What the heck do these do?  Are they important?  Are they necessary for AD replication, user, groups, computer, GPOs, file permissions, remote dial in access, or any of the "traditional" Active Directory Domain based things to function?

Thanks for the info.
Will Szymkowski, Senior Solution Architect, commented:
Certificates are an added feature and they are not dependent for Active Directory to run properly. Typically when you have certificates installed on your DC this allows you to create SLDAP (Secure LDAP 636) connections to your domain controllers. These certificates also trust the ADCS server because it is Active Directory integrated. Another reason for the Domain Controller certificate is for auto enrollment for users and computers that come on to the domain network.
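An added example, not part of the thread or any participant's answer: a PowerShell pre-decommission check that turns the answer above into two concrete questions. First, what has this CA actually issued, per template, and how much of it is still unexpired? Second, does each domain controller currently serve an LDAPS certificate on TCP 636, and was it issued by this CA? The CA config string and the port are placeholders and assumptions; the script assumes it runs as an account that can read the CA database and that the ActiveDirectory RSAT module is installed.

```powershell
<#
  Added example (not from the original thread).
  Pre-decommission inventory for an AD CS CA:
    1. which certificates it has issued, grouped by template, valid vs expired
    2. which domain controllers answer LDAPS (636) and who issued their certificate
  Assumptions / placeholders:
    - $CaConfig is the "HOST\CA Common Name" string of the CA being retired
    - certutil.exe and the ActiveDirectory module are available on this machine
#>
param(
    [string]$CaConfig  = 'CA-HOST-PLACEHOLDER\CA-NAME-PLACEHOLDER',   # placeholder
    [int]   $LdapsPort = 636
)

Import-Module ActiveDirectory

# ---- 1. What has this CA issued?  (Disposition 20 = issued) -------------------------
# certutil emits a header row with display names; we skip it and supply our own names.
$csvPath = Join-Path $env:TEMP 'issued-certs.csv'
certutil -config $CaConfig -view -restrict 'Disposition=20' `
    -out 'RequestID,RequesterName,CertificateTemplate,NotAfter' csv |
    Out-File -FilePath $csvPath -Encoding ascii

$issued = Get-Content $csvPath |
    Where-Object { $_ -match '^"?\d+"?,' } |          # data rows start with a numeric RequestID
    ConvertFrom-Csv -Header 'RequestID', 'Requester', 'Template', 'NotAfter'

$now = Get-Date
$summary = foreach ($row in $issued) {
    $exp = [datetime]::MinValue
    $stillValid = [datetime]::TryParse($row.NotAfter, [ref]$exp) -and ($exp -gt $now)
    [pscustomobject]@{
        Template   = $row.Template       # v1 templates show a name (e.g. DomainController), v2+ an OID
        Requester  = $row.Requester
        StillValid = $stillValid
        NotAfter   = $row.NotAfter
    }
}

"`n== Certificates issued by $CaConfig, by template =="
$summary | Group-Object Template | ForEach-Object {
    $live = @($_.Group | Where-Object { $_.StillValid }).Count
    '{0,-45} total={1,4}  unexpired={2,4}' -f $_.Name, $_.Count, $live
}

# ---- 2. Which DCs serve LDAPS, and who issued that certificate? ---------------------
function Get-LdapsCertificate {
    param([string]$DcName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($DcName, $Port)
        # Accept any certificate here: we only want to read it, not trust the session.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($DcName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            DC = $DcName; LdapsUp = $true
            Issuer = $cert.Issuer; Subject = $cert.Subject
            NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint; Error = $null
        }
    } catch {
        # No listener, or the DC has no usable certificate, so LDAPS is not in service there.
        [pscustomobject]@{
            DC = $DcName; LdapsUp = $false
            Issuer = $null; Subject = $null; NotAfter = $null; Thumbprint = $null
            Error = $_.Exception.Message
        }
    } finally {
        $tcp.Close()
    }
}

"`n== LDAPS (TCP $LdapsPort) certificate on each domain controller =="
Get-ADDomainController -Filter * |
    ForEach-Object { Get-LdapsCertificate -DcName $_.HostName -Port $LdapsPort } |
    Format-Table DC, LdapsUp, Issuer, NotAfter, Error -AutoSize
```

Reading the output: a DC whose LDAPS certificate's Issuer matches the retiring CA, or a template line with unexpired certificates other than the EFS ones the question already accounts for, is a dependency that will surface once the CA is gone. A DC with `LdapsUp = False` is not using a certificate from anyone, so shutting down the CA cannot break LDAPS there.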

David Johnson, CD, MVP, Owner, commented:
If you don't know WHY something is installed then don't install it just because it is available. Either you know that you need it, if not then don't install it.
CnicNV (Author) commented:
LOL, I know, I inherited this ball of yarn (network) just under 2 years ago, and I have been slowly trying to untangle it without causing too much anxiety for myself.  I have no idea why this role was installed (let alone on a PDC), but it looks like based on the expiration dates of most of the certificates, it hasn't been used for 3 or 4 years, besides for Domain Controller and client workstation EFS certs.  

Now in terms of keeping it up and running as a result of not knowing what it was used for, not for lack of trying, but leaning on the side that it is not needed.  I would have thought this would be a safer bet?  I.e. to migrate it as opposed to shutting it down and finding out it was integral to something.  Also, it seems like the process of migrating it is fairly "committal" as a result of having to keep the computer name the same, that is once I start the process, it's not easy to back out to the original server if things start to break.  This is especially problematic if it was also a DC and you need to do metadata clean up after demotion.

Ughh, I don't know.  Looks like I will probably have to migrate this thing and here I was thinking I could turn off our last 2003 Domain Controller after migrating DHCP and FSMO roles off of it :-P
Will Szymkowski, Senior Solution Architect, commented:
If you have no idea what it is being used for, then it would be safer to migrate it to another server; it is a lot of work but in the end it will be worth it. I say this because you may not know exactly what it is used for but it could break other services in your environment that might depend on ADCS.


CnicNV (Author) commented:
Thanks for the feedback :-)