Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Do I need a CA server? [message #156755] Wed, 24 June 2009 16:46
Elwin (Junior Member; Messages: 3; Registered: June 2009)
The non-domain controller certificate authority server crashed. The CA
database is lost and unrecoverable, no backup. I only had one or two in-house
servers that used the certs from it anyway, so I was thinking no big deal,
test servers anyway. We're about to upgrade the Windows 2003 domain to
Windows 2008 and I'm checking things out to prepare for that. I find out
using certutil -TCAInfo that the CA service is somehow tied to the KDC
certificates in Active Directory. My question is: can I just install CA
services on the now rebuilt server? Would just installing CA services cause
the certificates to begin renewing since the name and hardware are the same?
Would I have to clean up the metadata from the previous CA and reissue
certificates?

I don't understand the relationship between CA and KDC. I know that KDC is
always on but CA isn't. How are they related?
Re: Do I need a CA server? [message #156756 is a reply to message #156755] Wed, 24 June 2009 17:22
aceman, United States (Senior Member; Messages: 5816; Registered: July 2009)
"Elwin" <Elwin@discussions.microsoft.com> wrote in message
news:F0B2E99B-A62D-4FB3-BCA8-282413A39898@microsoft.com...
> The non-domain controller certificate authority server crashed. The CA
> database is lost and unrecoverable, no backup. I only had one or two
> in-house
> servers that used the certs from it anyway, so I was thinking no big deal,
> test servers anyway. We're about to upgrade the Windows 2003 domain to
> Windows 2008 and I'm checking things out to prepare for that. I find out
> using certutil -TCAInfo that the CA service is somehow tied to the KDC
> certificates in Active Directory. My question is: can I just install CA
> services on the now rebuilt server? Would just installing CA services
> cause
> the certificates to begin renewing since the name and hardware are the
> same?
> Would I have to clean up the metadata from the previous CA and reissue
> certificates?
>
> I don't understand the relationship between CA and KDC. I know that KDC
> is
> always on but CA isn't. How are they related?


Unfortunately, they're intertwined, and the CA is also referenced in AD.
If you plan on upgrading or reinstalling the CA, or simply don't require it
anymore, the older references will still need to be removed. The following
should help you remove it from the AD database.

----
Removing a Certificate Authority from AD:

How to remove manually Enterprise Windows Certificate Authority from Windows
2000/2003 Domain
http://support.microsoft.com/kb/555151

How to decommission a Windows enterprise certification authority and how to
remove all related objects from Windows Server 2003 and from Windows Server
2000
http://support.microsoft.com/?id=889250


--
Ace

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org
http://twitter.com/acefekay

Re: Do I need a CA server? [message #156877 is a reply to message #156756] Thu, 25 June 2009 09:35
Elwin (Junior Member; Messages: 3; Registered: June 2009)
Thanks. Does using the steps below to remove the CA and its references in
AD have any impact on the KDC certificates?

Re: Do I need a CA server? [message #156886 is a reply to message #156877] Thu, 25 June 2009 10:50
aceman, United States (Senior Member; Messages: 5816; Registered: July 2009)
"Elwin" <Elwin@discussions.microsoft.com> wrote in message
news:DB91D762-62DB-494A-B923-E8FAA2B38AAF@microsoft.com...
> Thanks. Does using the steps below to remove the CA and its references
> in
> AD have any impact on the KDC certificates?

I think there was a mention in there concerning the cert. You will need to
remove it off the DCs anyway because the CA doesn't exist, so it can't check
the CRL. Besides, if a CA was never installed in an AD system, there
wouldn't be any worry about a cert.

Ace
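The advice above is to remove from the DCs any certificates issued by a CA that no longer exists, since nothing can serve their CRL. The PowerShell below is an added example, not something posted in this thread or shipped by Microsoft: it inventories the local machine store for certificates whose issuer matches a given CA common name and shows each one's template and CRL Distribution Point URLs, so an admin can confirm which certificates point at the dead CA before deleting anything. The CA name `OLD-ISSUING-CA` is a placeholder; substitute the common name of your decommissioned CA. It assumes a host with PowerShell and the `Cert:` provider.

```powershell
# Added example (not from the thread). Inventory certificates issued by a
# decommissioned CA so they can be reviewed, then removed, on each DC.
$OldCaName = 'OLD-ISSUING-CA'   # placeholder: common name of the defunct CA

function Get-CertsFromDefunctCa {
    param(
        [Parameter(Mandatory)] [string] $IssuerCN,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    # OIDs of the extensions we want to surface for review.
    $crlDistributionPointsOid = '2.5.29.31'
    $templateOids = @('1.3.6.1.4.1.311.20.2',   # Certificate Template Name (v1)
                      '1.3.6.1.4.1.311.21.7')   # Certificate Template Information (v2)

    Get-ChildItem -Path $StorePath | Where-Object {
        # Match the CN component of the issuer DN exactly, not as a substring.
        $_.Issuer -match ('(^|,\s*)CN=' + [regex]::Escape($IssuerCN) + '(,|$)')
    } | ForEach-Object {
        $cert = $_
        $cdp = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq $crlDistributionPointsOid } |
            ForEach-Object { $_.Format($false) }
        $template = $cert.Extensions |
            Where-Object { $templateOids -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) }

        [pscustomobject]@{
            Subject               = $cert.Subject
            Issuer                = $cert.Issuer
            Thumbprint            = $cert.Thumbprint
            NotAfter              = $cert.NotAfter
            Template              = ($template -join '; ')
            CrlDistributionPoints = ($cdp -join '; ')
        }
    }
}

# Step 1: review. This only lists certificates; nothing is deleted.
Get-CertsFromDefunctCa -IssuerCN $OldCaName | Format-List

# Step 2: once the list is confirmed, remove them from the machine store.
# Left commented on purpose so the script is safe to run for review alone.
# Get-CertsFromDefunctCa -IssuerCN $OldCaName |
#     ForEach-Object { Remove-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" }
```

Run the review step on each DC and compare the CRL Distribution Point URLs against the CA that was lost; a DC certificate whose CDP points at the crashed server is one that will fail revocation checking, which is what the thread is warning about. Pair this with `certutil -TCAInfo`, already mentioned above, to see what AD still believes about the enterprise CA itself.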
Re: Do I need a CA server? [message #156890 is a reply to message #156886] Thu, 25 June 2009 11:03
Elwin (Junior Member; Messages: 3; Registered: June 2009)
So, do I need a CA server? Other than website certs, what critical AD
function does it fulfill? Is it something to do with data encryption between
the desktop PC and DC or other servers?

Re: Do I need a CA server? [message #156896 is a reply to message #156890] Thu, 25 June 2009 12:15
aceman, United States (Senior Member; Messages: 5816; Registered: July 2009)
"Elwin" <Elwin@discussions.microsoft.com> wrote in message
news:65AF4BA4-F040-4B48-9D26-CC5946A7FE8D@microsoft.com...
> So, do I need a CA server? Other than website certs, what critical AD
> function does it fulfill? Is it something to do with data encryption
> between
> the desktop PC and DC or other servers?

Do you need one? That depends. If for website certs for internal use only,
and that being the only thing possible, other than internal machine and/or
user certificates for a highly secure wireless solution, then no. I would
imagine that if you need it for securing a website, or OWA, that you would
purchase a public certificate from Verisign, DigiCert, etc., because an
internal cert is useless for external connectivity due to the fact that it
is not trusted by everyone out in the world.

So in summary, I would think if you are asking this question, more than
likely, no.

Ace