
serious problem - I removed pKIEnrollmentService


seeker01

Aug 17, 2005, 8:28:20 AM
Dear all,

This is Windows 2000 Server AD. During my testing phase, learning how to
migrate user certs from one subordinate CA server to another subordinate CA
server, I must have accidentally removed the pKIEnrollmentService that
references the production subordinate CA server in the AD Sites & Services MMC.
Users now cannot request a new cert; they get the error message "cannot open
certificate template...". I have simulated my action in the test lab: even when I
have tried a CA restore, or removed the CA server and re-installed it using
the existing key & database, it won't add back the deleted "pKIEnrollmentService"
object. Any clue? Thanks a bunch!!!

David Cross [MS]

Aug 19, 2005, 8:21:24 AM
Install another enterprise CA - it should re-create the templates for you.

--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"seeker01" <seek...@discussions.microsoft.com> wrote in message
news:15A87A38-857C-4E9A...@microsoft.com...

seeker01

Aug 19, 2005, 8:34:08 AM
Hi David,
What I don't understand is why the current certificate users have not noticed
the problem I have caused. Why have only the new users who wish to get a new
certificate noticed the problem I have caused? If the current
certificate users won't be affected, is it safe for me to rebuild the current
server again with a clean OS, as a new CA server that does keep a record of the
previous CA database?
Thanks.

Brian Komar <MVP>

Aug 20, 2005, 9:38:34 AM
The current certificate users only contact the CA (or AD) to retrieve
revocation information. Only the new users are attempting to get new
certificates from the CA. You will only have the current users noticing
when the time to renew their certificates occurs.

As David stated, you do not have to rebuild the existing CA, just
install (and then probably remove) another enterprise CA. This will re-
create the missing AD objects. The deletion will not remove them, but
will leave them available for the existing CA.

If you choose to reinstall the existing CA, when you do the
reinstallation, choose to re-use the existing certificate, and there is
an option to use the existing database as well at that point.

Brian

In article <6436D27D-5CE9-4448...@microsoft.com>,
seek...@discussions.microsoft.com says...

--
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
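Brian's answer turns on whether the CA still has its pKIEnrollmentService object under Public Key Services in the Configuration partition. The script below is an added example, not code from this thread, that lists those objects and checks the CA configured on the local machine against them. It uses plain ADSI/.NET (no RSAT module), and assumes a domain-joined host, a domain user account, and that it is run on the CA itself so it can read the CertSvc registry configuration; PowerShell did not exist on Windows 2000, so on that platform the same LDAP query would be done with ldp.exe or adsiedit.

```powershell
# Added example (not from the thread): enumerate the pKIEnrollmentService
# objects enterprise CAs need, then check whether the CA configured on this
# machine still has one. Assumes a domain-joined host and a domain user;
# the registry check only works when run on the CA itself.

function Get-PublishedEnrollmentService {
    # One record per pKIEnrollmentService object under
    # CN=Enrollment Services,CN=Public Key Services,CN=Services,<config NC>.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $root     = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = '(objectClass=pKIEnrollmentService)'
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('cn', 'dNSHostName', 'cACertificateDN', 'certificateTemplates'))

    foreach ($r in $searcher.FindAll()) {
        # ResultPropertyCollection keys are lower-cased by the searcher.
        [pscustomobject]@{
            CAName    = [string]$r.Properties['cn'][0]
            Host      = [string]$r.Properties['dnshostname'][0]
            Subject   = [string]$r.Properties['cacertificatedn'][0]
            # Templates this CA is advertised to issue; enrolling clients
            # look here to find a CA for the template they want.
            Templates = @($r.Properties['certificatetemplates'] | ForEach-Object { [string]$_ })
        }
    }
}

function Test-LocalCaPublished {
    # $true when the CA named in CertSvc\Configuration\Active has an
    # enrollment-service object in AD (the object deleted in the thread).
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $cfg)) { throw 'CertSvc is not installed on this machine' }
    $localCa   = (Get-ItemProperty -Path $cfg).Active
    $published = @(Get-PublishedEnrollmentService)
    $hit = $published | Where-Object { $_.CAName -eq $localCa }
    if ($hit) {
        "OK: pKIEnrollmentService '$localCa' present on $($hit.Host), $($hit.Templates.Count) template(s) published"
        return $true
    }
    Write-Warning "pKIEnrollmentService for '$localCa' is missing; CAs published in AD: $($published.CAName -join ', ')"
    return $false
}

Get-PublishedEnrollmentService | Format-Table CAName, Host, Subject -AutoSize
Test-LocalCaPublished
```

Run it before and after the extra enterprise CA is installed: the first run should show the second CA absent from the list, the second run should show it back, which is the state Brian describes as the remaining CA being able to use the re-created objects.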

seeker01

Aug 21, 2005, 4:45:01 AM
Brian,
You are right. Installing the 3rd CA server makes the 2nd CA server
functional again as per normal. But it appears that I have to continue
leaving the 3rd new CA server running, because as soon as I removed the 3rd CA
server, users could not request new certificates from the 2nd CA server again.
This is not a pleasing solution to the management because I am spending more on
hardware this way. Do you have an answer to my technical issue? Thanks
muchly.

Brian Komar <MVP>

Aug 21, 2005, 10:10:35 AM
In article <DF6661F4-4A45-471B...@microsoft.com>,
seek...@discussions.microsoft.com says...

>
> Brian,
> You are right. By installing the 3rd CA server will make the 2nd CA server
> functional again as per normal. But it appears that I have to continue
> leaving the 3rd new CA server running because as soon as I removed the 3rd CA
> server, users cannot request new certificate from the 2nd CA server again.
> This is not a pleasing solution to the management because I am spending more
> hardware cost this way. Do you have answer to my technical issue? Thanks
> muchly.
>
>
What you will have to do is uninstall and reinstall the 2nd CA server,
but ensure that you continue to use the previous certificate. Also, you
want to enable the option to use the existing CA database.

To be safe, I would do the following beforehand:

- Backup the CA key pair:
md c:\Backup
certutil -backupkey c:\Backup

** this creates the PKCS#12 file in the c:\backup folder

- Backup the CA database
certutil -backupdb c:\Backup

** This backs up the CA database into the c:\Backup folder

I would also take a System State backup of the CA computer.

Once all of your backups are done, uninstall Certificate Services.
Then reinstall Certificate Services, but on the page where you identify
the CSP, enable the option to use an existing certificate. You should
see the CA name in the listing. If you do not, refer to the PKCS #12
file in the C:\Backup folder. On the folder locations page, you should
be able to enable the option to re-use the existing CA database.

Brian

seeker01

Aug 22, 2005, 10:57:02 PM
Hi Brian,
Last question. The management is willing to take the risk for me to
reinstall the 2nd CA server's service, and of course preserving the existing CA
database. Do you see any risk if removing & re-installing the CA service didn't
work and I had to restore it from the AD system state? Any steps I should be
aware of? I need to be extra careful because I am now working on the
production system, no longer on the lab environment. Thanks muchly, because I can
be sacked if not covering all aspects.

Brian Komar <MVP>

Aug 23, 2005, 8:13:10 AM
In article <B603CA5D-4D15-4749...@microsoft.com>,
seek...@discussions.microsoft.com says...

> question. The management is willing to take the risk for me to
> reinstall the 2nd CA server service and of course preserving the existing CA
> database. Do you see any risk if by removing & re-installing CA service didnt
> work and I have to restore it from the AD system state? Any steps I should be
> aware of. I need to be extra careful because I am now working on the
> production system, not longer on lab environment.Thanks muchly because I can
> be sacked if not covering all aspects.
>

No. The System State is actually the preferred method of restoring in
the event of CA failure. What I *do* recommend is that you go through
both processes a few times in a test network, just to make sure.

In addition, I would recommend backing up the CertSvc registry key, so
that all settings are maintained if you restore using a manual backup.
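Brian's pre-reinstall checklist (certutil -backupkey, certutil -backupdb, the CertSvc registry key, plus a System State backup) and the manual restore he mentions here are wrapped below in one script. It is an added example, not the thread's own commands: it assumes an elevated PowerShell 4.0 or later session on the CA itself with certutil.exe and reg.exe on the PATH, and the backup path is made up. PowerShell did not exist on Windows 2000, where the same certutil and reg commands are typed into cmd.exe one at a time; the checks it adds (non-zero exit codes, artefact presence, a SHA-256 manifest) are what you want before trusting the backup media on a production CA.

```powershell
# Added example (not Brian's exact commands): manual backup of an enterprise
# CA's key pair, database and CertSvc registry key, and the matching restore.
# Assumes elevated PowerShell 4.0+ on the CA, certutil.exe and reg.exe in PATH.
# The System State backup Brian also recommends is taken separately with the
# platform's backup tool; this script covers only the manual path.

$CertSvcKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc'

function Invoke-Checked {
    # Run an external command and stop on a non-zero exit code instead of
    # silently continuing to the next step with a half-finished backup.
    param([string]$Exe, [string[]]$ArgumentList)
    & $Exe @ArgumentList
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($ArgumentList -join ' ') exited with code $LASTEXITCODE"
    }
}

function Backup-CaState {
    param([string]$BackupDir = "C:\Backup\CA-$(Get-Date -Format 'yyyyMMdd-HHmm')")
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # CA key pair + certificate -> <CAName>.p12 in $BackupDir. certutil prompts
    # for the PKCS#12 password; it is deliberately not passed with -p so it
    # never appears in the process command line or a transcript. This fails on
    # a hardware CSP whose key is non-exportable; that needs the vendor's tool.
    Invoke-Checked certutil @('-backupkey', $BackupDir)

    # CA database and its log files -> $BackupDir\DataBase\
    Invoke-Checked certutil @('-backupdb', $BackupDir)

    # All CA settings (CRL/AIA URLs, validity periods, policy module config)
    # that a reinstall with the old certificate does not bring back by itself.
    Invoke-Checked reg @('export', $CertSvcKey, "$BackupDir\CertSvc.reg", '/y')

    # Verify the three artefacts exist and record hashes so the media can be
    # checked before it is trusted for a restore.
    $artefacts = @(Get-ChildItem -Path $BackupDir -Filter '*.p12') +
                 @(Get-ChildItem -Path "$BackupDir\DataBase" -Filter '*.edb') +
                 @(Get-Item -Path "$BackupDir\CertSvc.reg")
    if ($artefacts.Count -lt 3) { throw "backup in $BackupDir is incomplete" }
    $artefacts | Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash |
        Export-Csv -Path "$BackupDir\manifest.csv" -NoTypeInformation
    return $BackupDir
}

function Restore-CaState {
    param([Parameter(Mandatory)][string]$BackupDir)

    # Refuse media whose contents no longer match the manifest written at backup time.
    Import-Csv -Path "$BackupDir\manifest.csv" | ForEach-Object {
        if ((Get-FileHash -Path $_.Path -Algorithm SHA256).Hash -ne $_.Hash) {
            throw "hash mismatch for $($_.Path); refusing to restore"
        }
    }

    # certutil -restoredb requires Certificate Services to be stopped.
    Stop-Service -Name CertSvc
    Invoke-Checked certutil @('-f', '-restorekey', $BackupDir)   # prompts for the PKCS#12 password
    Invoke-Checked certutil @('-f', '-restoredb', $BackupDir)
    Invoke-Checked reg @('import', "$BackupDir\CertSvc.reg")
    Start-Service -Name CertSvc

    # Confirm the request interface answers before handing the CA back to users.
    Invoke-Checked certutil @('-ping')
}

# Usage:
#   $dir = Backup-CaState
#   ... uninstall / reinstall Certificate Services, re-using the existing certificate and database ...
#   Restore-CaState -BackupDir $dir      # only if the reinstall did not come back cleanly
```

The .p12 written by -backupkey is the subordinate CA's private key: treat the backup folder as key material (restrict its ACL, move it off the box onto controlled media) and delete it once the reinstall is verified. As Brian says, rehearse both the backup/reinstall and the System State restore in the lab before touching production.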

seeker01

Aug 24, 2005, 12:22:03 AM
Brian,

I will backup the registry too. Is restoring CA from the system state
considered AD corruption? Do I do authoritative restore or non-authoritative
restore? Thanks.

Brian Komar <MVP>

Aug 24, 2005, 7:01:57 PM
This has been a long thread; is the CA also a domain controller?
To be honest, nothing has to be done with authoritative restores. The
System State includes the CA registry, database, and, if using a
software-based CSP, the CA private key.

Brian

In article <EB0C6258-A10E-4172...@microsoft.com>,
seek...@discussions.microsoft.com says...
