
Do I need a CA server?


Elwin

Jun 24, 2009, 4:46:01 PM

The non-domain controller certificate authority server crashed. The CA
database is lost and unrecoverable, no backup. I only had one or two in-house
servers that used the certs from it anyway, so I was thinking no big deal,
test servers anyway. We're about to upgrade the Windows 2003 domain to
Windows 2008 and I'm checking things out to prepare for that. I find out
using certutil -TCAInfo that the CA service is somehow tied to the KDC
certificates in Active Directory. My question is can I just install CA
services on the now rebuilt server? Would just installing CA services cause
the certificates to begin renewing since the name and hardware are the same?
Would I have to clean up the metadata from the previous CA and reissue
certificates?

I don't understand the relationship between CA and KDC. I know that KDC is
always on but CA isn't. How are they related?

Ace Fekay [Microsoft Certified Trainer]

Jun 24, 2009, 5:22:44 PM

"Elwin" <El...@discussions.microsoft.com> wrote in message
news:F0B2E99B-A62D-4FB3...@microsoft.com...


Unfortunately, they're intertwined, as well as the CA is referenced in AD.
If you plan on upgrading or reinstalling the CA, or simply don't require it
anymore, the older references will still need to be removed. The following
should help you remove it from the AD database.

----
Removing a Certificate Authority from AD:

How to remove manually Enterprise Windows Certificate Authority from Windows
2000/2003 Domain
http://support.microsoft.com/kb/555151

How to decommission a Windows enterprise certification authority and how to
remove all related objects from Windows Server 2003 and from Windows Server
2000
http://support.microsoft.com/?id=889250


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among
responding engineers, as well as to help others benefit from your
resolution.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
ace...@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Elwin

Jun 25, 2009, 9:35:02 AM

Thanks. Does using the steps below to remove the CA and its references in
AD have any impact on the KDC certificates?

Ace Fekay [Microsoft Certified Trainer]

Jun 25, 2009, 10:50:32 AM

"Elwin" <El...@discussions.microsoft.com> wrote in message
news:DB91D762-62DB-494A...@microsoft.com...

> Thanks. Does using the steps below to remove the CA and its references
> in AD have any impact on the KDC certificates?

I think there was a mention in there concerning the cert. You will need to
remove it off the DCs anyway because the CA doesn't exist, so it can't check
the CRL. Besides, if a CA was never installed in an AD system, there
wouldn't be any worry about a cert.

Ace
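
As an added check that is not part of the thread: the PowerShell below lists the objects under Public Key Services that still carry a CA's name, the CAs currently trusted in NTAuthCertificates, and any machine-store certificates that CA issued on the host it runs on (run it on a DC to see the KDC certificate). It assumes the RSAT ActiveDirectory module and a placeholder CA name in $CaName.

```powershell
# Added example, not from the thread. Inventory what a dead CA leaves
# behind in AD and in the local machine store before decommissioning.
# Assumptions: RSAT ActiveDirectory module present, run as a domain admin.
Import-Module ActiveDirectory

$CaName = 'CONTOSO-TEST-CA'   # placeholder: the CA's common name per certutil

# All AD CS publication points live under Public Key Services in the
# Configuration partition; each container below may still hold an object
# named after the old CA.
$configNC = (Get-ADRootDSE).configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$configNC"
$containers = 'Enrollment Services', 'Certification Authorities', 'AIA', 'CDP', 'KRA'

foreach ($c in $containers) {
    # CDP nests one level deeper (CN=<CA>,CN=<server>,CN=CDP), so search subtree.
    Get-ADObject -SearchBase "CN=$c,$pks" -SearchScope Subtree `
                 -LDAPFilter "(cn=*$CaName*)" -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Container = $c; Object = $_.DistinguishedName } }
}

# NTAuthCertificates is one object whose cACertificate attribute holds every
# CA trusted to issue domain logon certificates (KDC, smart card logon).
$ntauth = Get-ADObject "CN=NTAuthCertificates,$pks" -Properties cACertificate
foreach ($raw in $ntauth.cACertificate) {
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                       -ArgumentList (,[byte[]]$raw)
    [pscustomobject]@{ Container = 'NTAuthCertificates'; Object = $cert.Subject; Thumbprint = $cert.Thumbprint }
}

# On a DC the domain controller / KDC certificate sits in the machine store.
# A cert issued by the dead CA can no longer be revocation-checked, which is
# why the thread advises removing it rather than leaving it to fail.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*CN=$CaName*" } |
    ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            ChainOK    = $_.Verify()   # $false once the CA and its CRL are gone
        }
    }
```

Anything the first two loops print is an object the KB articles' cleanup steps are meant to delete; the last block shows which local certificates will need to be replaced or removed.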


Elwin

Jun 25, 2009, 11:03:01 AM

So, do I need a CA server? Other than website certs, what critical AD
function does it fulfill? Is it something to do with data encryption between
the desktop pc and DC or other servers?

Ace Fekay [Microsoft Certified Trainer]

Jun 25, 2009, 12:15:55 PM

"Elwin" <El...@discussions.microsoft.com> wrote in message
news:65AF4BA4-F040-4B48...@microsoft.com...

> So, do I need a CA server? Other than website certs, what critical AD
> function does it fulfill? Is it something to do with data encryption
> between the desktop pc and DC or other servers?

Do you need one? That depends. If for website certs for internal use only,
and that being the only thing possible, other than internal machine and/or
user certificates for a high secure wireless solution, then no. I would
imagine that if you need it for securing a website, or OWA, that you would
purchase a public certificate from Verisign, DigiCert, etc., because an
internal cert is useless for external connectivity due to the fact that it
is not trusted by everyone out in the world.

So in summary, I would think if you are asking this question, more than
likely, no.

Ace

