Re: Do I need a CA server?





Thanks. Does using the steps below to remove the CA and its references in
AD have any impact on the KDC certificates?

"Ace Fekay [Microsoft Certified Trainer]" wrote:

"Elwin" <Elwin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F0B2E99B-A62D-4FB3-BCA8-282413A39898@xxxxxxxxxxxxxxxx
The non-domain controller certificate authority server crashed. The CA
database is lost and unrecoverable, no backup. I only had one or two in-house
servers that used the certs from it anyway, so I was thinking no big deal,
test servers anyway. We're about to upgrade the Windows 2003 domain to
Windows 2008 and I'm checking things out to prepare for that. I find out
using certutil -TCAInfo that the CA service is somehow tied to the KDC
certificates in Active Directory. My question is: can I just install CA
services on the now rebuilt server? Would just installing CA services cause
the certificates to begin renewing since the name and hardware is the same?
Would I have to clean up the metadata from the previous CA and reissue
certificates?

I don't understand the relationship between CA and KDC. I know that KDC is
always on but CA isn't. How are they related?


Unfortunately, they're intertwined, and the CA is also referenced in AD.
If you plan on upgrading or reinstalling the CA, or simply don't require it
anymore, the older references will still need to be removed. The following
should help you remove it from the AD database.

----
Removing a Certificate Authority from AD:

How to remove manually Enterprise Windows Certificate Authority from Windows
2000/2003 Domain
http://support.microsoft.com/kb/555151

How to decommission a Windows enterprise certification authority and how to
remove all related objects from Windows Server 2003 and from Windows Server
2000
http://support.microsoft.com/?id=889250


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among
responding engineers, as well as to help others benefit from your
resolution.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@xxxxxxxxxxxxxxxxxxxxxxx
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
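Before following the KB articles above, it helps to know exactly which AD objects still point at the dead CA and which certificates on a domain controller were issued by it, since those are the ones (KDC/domain-controller certificates included) that will stop being renewable once the CA is gone. The script below is an added example written for this thread, not code from either poster or from Microsoft; it assumes the ActiveDirectory PowerShell module is available on a domain-joined machine, and the CA common name "CORP-ISSUING-CA" is a placeholder to replace with your own.

```powershell
# Added example (not from the thread): inventory AD references to a CA and
# local-machine certificates issued by it before decommissioning the CA.
# Assumes the ActiveDirectory module; $CaName is a placeholder value.
param(
    [string]$CaName = "CORP-ISSUING-CA"   # placeholder: your CA's common name
)
Import-Module ActiveDirectory

# The PKI objects live in the Configuration partition, which is forest-wide.
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Well-known PKI containers that typically hold per-CA objects.
$containers = @(
    "CN=Certification Authorities,$pkiBase",  # trusted root CA certificates
    "CN=Enrollment Services,$pkiBase",        # pKIEnrollmentService objects
    "CN=AIA,$pkiBase",                        # authority information access
    "CN=CDP,$pkiBase"                         # CRL distribution points
)

# 1. AD objects whose name contains the CA name (or the old host name).
$adRefs = foreach ($c in $containers) {
    Get-ADObject -SearchBase $c -SearchScope Subtree `
                 -LDAPFilter "(cn=*$CaName*)" `
                 -Properties objectClass, whenChanged -ErrorAction SilentlyContinue |
        Select-Object @{n='Container';e={$c}}, Name, ObjectClass, WhenChanged
}

# 2. Is the CA certificate still in NTAuthCertificates? Certificates there are
#    trusted for logon (smart card, domain-controller authentication).
$ntAuth = Get-ADObject "CN=NTAuthCertificates,$pkiBase" -Properties cACertificate
$ntAuthSubjects = foreach ($raw in $ntAuth.cACertificate) {
    $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
    $x.Subject
}
$caInNtAuth = $ntAuthSubjects | Where-Object { $_ -like "*CN=$CaName*" }

# 3. Certificates in this machine's personal store issued by the CA. On a DC
#    this is where the Domain Controller / KDC certificate lives.
$issuedByCa = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*CN=$CaName*" } |
    ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Template   = ($_.Extensions |
                          Where-Object { $_.Oid.FriendlyName -like '*Template*' } |
                          ForEach-Object { $_.Format($false) }) -join '; '
            EKU        = ($_.EnhancedKeyUsageList | ForEach-Object FriendlyName) -join ', '
        }
    }

"=== AD objects referencing $CaName ==="
$adRefs | Format-Table -AutoSize
"=== NTAuthCertificates entries matching $CaName ==="
$caInNtAuth
"=== Local certificates issued by $CaName ==="
$issuedByCa | Format-Table -AutoSize
```

Run it on a domain controller as an administrator. An empty "Local certificates" table means that DC has no certificate chained to the lost CA, so cleaning the AD references will not affect its KDC certificate; a non-empty one lists exactly which certificates will need to be reissued from a new CA before they expire, and the NTAuthCertificates check shows whether the old CA certificate is still trusted for logon and should come out as part of the cleanup.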




