Re: Manually removing cert server from AD
- From: "Isaac Oben [MCITP:EA, MCSE]" <isaac.oben@xxxxxxxxxxxxxxxx>
- Date: Sun, 22 Mar 2009 19:34:22 -0500
Hello MBernal,
I don't think a cert is required for AD services unless you have applications that require a certificate to use AD for authentication. If anything was going to go wrong, it should have already happened, because as you said the AD server is long gone and no longer exists. Does your current environment still use certs? This is what you can do: go to one of the Terminal Servers that you think are looking to the old DC for a cert, right-click, choose Name Mappings, see if any certificate exists, remove it and wait to see if there is any impact at all.
Isaac
"MBernal" <MBernal@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3864233F-0C81-4219-8288-F44F3A91F8A8@xxxxxxxxxxxxxxxx
Thanks for the response. I'm still not confident that the removal of the cert server won't cause some authentication issues for my existing AD environment.
Maybe I should ask it this way: is a cert server required for AD services? I am guessing it's not unless we are using EFS or some other encryption app that requires it.
I just know that the cert is for "All issuance policies" and "All application policies"; if I revoke these as suggested by the articles, will it break something?
"Meinolf Weber [MVP-DS]" wrote:
Hello MBernal,
Check these articles about removing a CA:
http://support.microsoft.com/kb/555151
http://support.microsoft.com/kb/889250
For removing DCs:
http://support.microsoft.com/kb/555846/en-us
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
OK, so I have a simple AD 2003 network with 2 domain controllers and 2 Terminal Server 2003 servers. I have inherited this AD environment and found that one of my domain controllers has numerous Event ID 13 AutoEnrollment errors ("Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x800706ba). The RPC server is unavailable."). Well, I found out that this cert was issued from an old domain controller that no longer exists. I see this domain controller listed in AD Users and Computers, and want to manually remove it, but I'm not certain of the impact, as it was a cert authority. Actually, I see it's a member of the Cert Publishers security group. I've investigated the remaining DC servers and TS servers and see that they have a local computer certificate issued under Intermediate Certificate Authorities\Certificates, and the issuer was the non-existent domain controller. Further, it shows the cert is intended for the following purposes: All issuance policies and All application policies. Needless to say, I am a little concerned about manually removing this domain controller/CA server without something breaking AD. Any thoughts or suggestions on removing this dead server without impacting my network?
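Before following the KB articles linked above to delete the dead CA, it helps to have an inventory of everything that still refers to it: the certificates it issued that are still in the machine stores of the DCs and Terminal Servers, the enterprise PKI objects in the configuration partition (the Enrollment Services entry is what autoenrollment contacts, so a stale entry for a server that no longer exists is what yields the Event ID 13 / 0x800706BA errors described in the question), the NTAuthCertificates object, and the Cert Publishers group membership. The script below is an added example and is not code from any poster in this thread or from the linked articles. It only reads; removal is still done per the KB articles. It assumes Windows PowerShell is available on a domain-joined server, that it is run as an administrator, and that the dead CA's certificate CN is "OLDDC-CA" (a hypothetical name; replace it with the issuer name seen in the certificate).

```powershell
# Added example (not from the thread): inventory what still points at a
# decommissioned enterprise CA before deleting its objects from AD.
# Assumption (hypothetical): the dead CA's certificate CN is "OLDDC-CA".
# Run on each remaining DC and Terminal Server as an administrator.

$caName = 'OLDDC-CA'   # assumption: CN of the dead DC's CA certificate

# 1. Local machine certificates issued by, or belonging to, that CA.
#    "My"   = the computer's own certs (the DC certificate autoenrollment tries to renew)
#    "CA"   = Intermediate Certification Authorities (where the question found the issuer)
#    "Root" = Trusted Root Certification Authorities
$localHits = foreach ($store in 'My', 'CA', 'Root') {
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Issuer -like "*CN=$caName*" -or $_.Subject -like "*CN=$caName*" } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Issuer, NotAfter, Thumbprint
}
$localHits | Format-Table -AutoSize

# 2. Enterprise PKI objects in CN=Public Key Services that still carry the CA name.
#    Autoenrollment looks in CN=Enrollment Services for a CA to contact; an entry
#    whose dNSHostName is a server that no longer exists gives "RPC server is unavailable".
$rootDSE  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDSE.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

foreach ($container in 'Enrollment Services', 'Certification Authorities', 'AIA', 'CDP') {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=$container,$pkiBase"
    $searcher.Filter      = "(cn=*$caName*)"
    $searcher.SearchScope = 'Subtree'
    $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'dNSHostName'))
    foreach ($result in $searcher.FindAll()) {
        $dn = $result.Properties['distinguishedname'][0]
        $dnsHost = ''
        if ($result.Properties.Contains('dnshostname')) { $dnsHost = $result.Properties['dnshostname'][0] }
        '{0,-28} {1} {2}' -f $container, $dn, $dnsHost
    }
}

# 3. NTAuthCertificates: the CAs the domain trusts to issue logon certificates.
#    Each cACertificate value is a DER blob; decode it to show the subject.
$ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,$pkiBase"
foreach ($der in $ntAuth.cACertificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
    "NTAuth: $($cert.Subject)  expires $($cert.NotAfter)"
}

# 4. Cert Publishers membership: the dead DC's computer account will still be listed here.
$domainNC       = [string]$rootDSE.defaultNamingContext
$certPublishers = [ADSI]"LDAP://CN=Cert Publishers,CN=Users,$domainNC"
$certPublishers.member | ForEach-Object { "Cert Publishers member: $_" }
```

Read the output from the bottom up: section 2 tells you which AD objects the KB 889250 cleanup has to remove, section 3 tells you whether the dead CA is still trusted for logon, and section 1 tells you which machines still hold certificates that will stop being renewable (and that should be deleted from the local stores once the CA objects are gone). Only "My" store hits matter to a service that actually presents a certificate; a stale issuer certificate in the "CA" store is harmless on its own.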