Re: Enterprise Certificate Authority question

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/05/04


Date: Fri, 05 Nov 2004 16:17:51 GMT

Sounds good.

I am very confident you will not have a problem. However best practice would
be to try removing the certificates on one domain controller first - not the
pdc fsmo or such, exporting them to a .pfx file [if the private keys are
exportable], back up the System State also and waiting a day or so and then
looking in Event Viewer to see if any problems are recorded. Then make a
change in Active Directory such as creating a new user on a different domain
controller and see if it replicates to the domain controller you removed the
certificates from. Even though I am confident, I have learned in the past to
have a backup plan just in case. Usually such a plan takes little time, but
can save a ton of grief just in case things don't go according to plan. Good
luck. --- Steve

"T0GGLe" <erectmember@gmail.com> wrote in message
news:dc6e2dd4.0411050411.4ef939f3@posting.google.com...
> Hi,
>
> there are no members of the cert publishers group - it's completely
> blank.
>
> I think that I am going to strip out certificates from all servers as
> per the link you supplied below.
>
> Thanks very much for all the advice again people and I'll let you know
> how it goes. I'm just worried about breaking AD, you know - breaking
> the servers' ability to chat to each other - but if I follow that s
> doc to the letter then hopefully it'll go ok. It's not difficult to
> follow and if it does what it says on the tin then I should be ok.
> You've confirmed to me that AD does not actually require a certificate
> server in order to work, it's just an extra layer of security that you
> can use so I'm going to do it.
>
> Cheers
>
> Togs.
>
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:<xSYbd.133833$He1.35560@attbi_s01>...
>> Check Active Directory Users and Groups to find the membership of the Cert
>> Publishers group which would show the actual server names of computers that
>> may be a CA. If you do not have any server in the domain with the
>> Certificate Services service running as shown in services.msc then you don't
>> have an active CA on your network for some reason. You could try to install
>> a new Enterprise Root CA if you want but the process may balk if Active
>> Directory thinks there is still an Enterprise CA in the domain. If that
>> happens I am not sure what the best way to clean up the metadata is, but see
>> the link below for advice if that happens and for additional info that may
>> be helpful. --- Steve
>>
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;555151
>>
>> "T0GGLe" <jehova1@dsl.pipex.com> wrote in message
>> news:5a657c10.0410150249.2e05880d@posting.google.com...
>> > Thanks once again everyone for your help. I know it must be a bit
>> > frustrating talking to a CA noob and you didn't have to post so
>> > thanks.
>> >
>> > I'm working my way through all the info you have provided and comments
>> > you have made to make sense of the setup on our network.
>> >
>> > It appears that there is no CA server on our network as every server
>> > that I go on does not have the CA authority service installed. In
>> > terms of the "http path" in the details tab of the certificate details
>> > described in an earlier post, all the servers that have certificates
>> > point to one particular server...but this server does not have CA
>> > installed. Also, when I go into sites and services, enable "services
>> > node" (thx didn't even know about this!) and drill down this is what I
>> > see:
>> >
>> > NAME TYPE
>> > namedCA certification authority
>> >
>> > and that's all
>> >
>> > Now this would be great if "namedCA" ["named" is actually our company
>> > name but I've removed it for the post] was actually a server but it's
>> > not. What it is though is the same name that all the certificates that
>> > these domain controllers have (could just be chance - i.e. same naming
>> > convention). I was kinda expecting to see the name of the server that
>> > was being used as the CA server or nothing at all so was surprised to
>> > see this there. Properties of this object give no details at all.
>> >
>> > Any suggestions?
>> >
>> > Ta.
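Steve's precautions (export to .pfx, System State backup, watch the event logs, test replication on a second DC) and his earlier question of who Active Directory still thinks is a CA, scripted as an added example that is not from the thread. It assumes a Windows Server 2012 or later domain controller with the ActiveDirectory and PKI modules (the 2004 thread used the MMC consoles); $OtherDc, $BackupDir and the wbadmin target drive are placeholders.

```powershell
# Added example, not from the thread: Steve's precautions and checks scripted.
# Assumes a Windows Server 2012+ DC with the ActiveDirectory and PKI modules;
# $OtherDc, $BackupDir and the wbadmin target drive are placeholders.
Import-Module ActiveDirectory
$ThisDc      = $env:COMPUTERNAME
$OtherDc     = 'DC02'                  # placeholder: a DC that is not this one
$BackupDir   = 'C:\CertBackup'         # placeholder
$PfxPassword = Read-Host -AsSecureString 'PFX password'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Who does AD think is a CA? Cert Publishers membership plus the objects shown
#    under Sites and Services > Services > Public Key Services.
Get-ADGroupMember 'Cert Publishers' | Select-Object name, objectClass
$cfg = (Get-ADRootDSE).configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$cfg"
Get-ADObject -SearchBase "CN=Enrollment Services,$pks" -Properties dNSHostName `
    -Filter 'objectClass -eq "pKIEnrollmentService"' |
    Select-Object Name, dNSHostName    # dNSHostName names the CA host, if any
Get-ADObject -SearchBase "CN=Certification Authorities,$pks" `
    -Filter 'objectClass -eq "certificationAuthority"' | Select-Object Name

# 2. Export each machine certificate to .pfx before removing it; fall back to a
#    public-only .cer when the private key was marked non-exportable.
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $pfx = Join-Path $BackupDir "$($cert.Thumbprint).pfx"
    try {
        Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $PfxPassword -ErrorAction Stop | Out-Null
    } catch {
        Write-Warning "private key not exportable for $($cert.Subject); saving public part only"
        Export-Certificate -Cert $cert -FilePath ($pfx -replace '\.pfx$', '.cer') | Out-Null
    }
}
# 3. System State backup (the Windows Server Backup feature must be installed).
wbadmin start systemstatebackup -backupTarget:D: -quiet

# ---- run the rest a day or so after the certificates have been removed ----
# 4. Critical/error events from the Kerberos, KDC, Schannel and NTDS providers.
Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Directory Service'; Level = 1, 2
                                 StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Kerberos|KDC|Schannel|NTDS' } |
    Format-Table TimeCreated, Id, ProviderName, Message -AutoSize

# 5. Create a test user on the other DC and confirm it replicates to this one.
$testName = 'repl-test-' + (Get-Date -Format 'yyyyMMddHHmm')
New-ADUser -Name $testName -Server $OtherDc
Start-Sleep -Seconds 90
if (Get-ADUser -Filter "name -eq '$testName'" -Server $ThisDc) { 'replication OK' } else {
    Write-Warning 'test user has not replicated yet; check repadmin /showrepl' }
Remove-ADUser -Identity $testName -Server $OtherDc -Confirm:$false
```

Run steps 1 to 3 on the DC you plan to strip first (not the PDC emulator), and steps 4 and 5 on the same DC after the waiting period Steve suggests.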


