Re: Manually removing cert server from AD

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: MBernal <MBernal@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Sun, 22 Mar 2009 11:31:01 -0700

Thanks for the response. Im still not confident that the removal of the cert
server wont cause some authentication issues for my existing AD environment.
Maybe i should ask it this way - is a cert server required for AD services? I
am guessing its not unless we are using EFS or some other encryption app that
requires it.

I just know that the cert is for - All issuance policies and All
application policies, if i revoke these as suggested by the ariticles, will
it break something?

"Meinolf Weber [MVP-DS]" wrote:

Hello MBernal,

Check this articles about removing CA:
http://support.microsoft.com/kb/555151

http://support.microsoft.com/kb/889250

For removing DC's:
http://support.microsoft.com/kb/555846/en-us

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Ok, so I have a simple AD 2003 network with 2 domain controller and 2
Terminal 2003 servers. I have inherited this AD environment and found
that one of my domain controller has numerous Event ID 13 -
AutoEnrollment errors (Automatic certification enrollment for local
system failed to enroll for one Domain Controller certificate
(8x800706ba). The RPC server is unavailable). Well, i found out that
this cert was issued from a old domain controller that no longer
exist. I see this domain controller listed in AD users and computers,
and want to manually remove it, but im not certain of the impact as it
was a cert authority. Actually, i see its a member of the Cert
Publishers security group. Ive investigated the remaining DC servers
and TS servers and see that they have a local computer certificate
issued under Intermediate Certificate Authorities\Certificates and the
issuer was the non existant domain controller. Further is shows the
cert is intended for the following purposes: All issuance policies and
All application policies. Needless to say i am a little concerned
about manually removing this domain controller/ca server without
something breaking AD. Any thoughts or suggestions on removing this
dead server without impacting my network?

Follow-Ups:
- Re: Manually removing cert server from AD
  - From: Isaac Oben [MCITP:EA, MCSE]

References:
- Manually removing cert server from AD
  - From: MBernal
- Re: Manually removing cert server from AD
  - From: Meinolf Weber [MVP-DS]

Prev by Date: Re: After 2000 to 2003 upgrade sysvol is not accessable
Next by Date: Re: net logon service not running
Previous by thread: Re: Manually removing cert server from AD
Next by thread: Re: Manually removing cert server from AD
Index(es):
- Date
- Thread

Relevant Pages

Re: Web Certificate for IIS Server on SBS Domain
... Before your reply, I actually ran across rapidssl myself, and have ordered and installed the free 30-day certificate on my site. ... I explained what you'd told me about putting my existing configuration at risk by installing Cert Services, and he said he didn't know that. ... Again, if you're just needing a cert to install on your web server to provide SSL connectivity for remote users, go with an external third-party provider. ... When you add Certificate Services on an internal network, lots of internal communications will start using pieces provided by the Cert Server instead of the defaults from Server 2003, and when things blow up, they can blow up gloriously. ...
(microsoft.public.windows.server.sbs)
Re: Activesync between Windows Mobile 5 and SBS2003 gives error
... If you don't find a cert here that matches the URL for OWA, you need to re-run the CEICW wizard on the SBS box and re-create the self signed cert. ... I exported the certificate straight from the server. ... Treo 700wx running Windows Mobile 5. ...
(microsoft.public.windows.server.sbs)
Re: Terminal Services over a VPN
... Create a certificate request and submit it to godaddy in order to obtain a public cert. ... You can use the wizard in IIS Manager for this by creating a new website that matches the above name (on your TS server), right-click and choose properties, directory security tab, server certificate button. ... After the install you can stop or delete the website created above since you don't need it for anything. ...
(microsoft.public.windows.terminal_services)
Re: Certificate Services removal from domain
... DCs will automatically try to get a cert from an enterprise CA once they se ... > I need some advice in how to remove Certificate Services from the ... > generating some certificates for use in debugging a secure web server. ... > need to demote this domain controller. ...
(microsoft.public.win2000.security)
Re: SBS 2003 Premium and Cert Services
... that philosphy got blown out of the equation when SBS included Exchange OWA ... "Small Business Server" which is MS claim as to why the risk of exposing the ... the Certificate Server on another server, ... >> Cert, or you could edit the properties of your Certification Authority to ...
(microsoft.public.windows.server.sbs)