Re: Best Practice approach in Replacing an Enterprise CA
Hi Paul,

Well, I went ahead with the proposed scenario of uninstalling the enterprise root CA and
reinstalling it on another server. Everything went fine; clients auto-enrolled
the root CA cert into Trusted Root once group policy kicked in. I noticed that
autoenrollment for the Domain Controller certificate did not occur anymore. I
rebooted the DCs and ran gpupdate, but they still did not get the Domain
Controller certificate. For the old CA, they still had the Domain Controller
cert in the personal store, issued by the previous enterprise root CA. I was just
wondering why that is. We are using the default Domain Controller policy in AD.

Thanks,

"Paul Adare - MVP" wrote:

On Thu, 21 Aug 2008 20:39:01 -0700, NoyPi_Yongski wrote:

Thanks for the reply. This article is one of the alternatives we
considered. What is your opinion however if we go ahead with just
uninstalling the CA role and reinstalling on the new server and reissuing the
necessary certs?

Would you think that this approach is more complicated than your suggested
alternative?

Given the description of your environment (small, not many certs issued),
I'd go with your original idea of rip, replace and reissue.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Hardware: The parts of a computer system that can be kicked.
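The check the poster is after, which Domain Controller certificates a DC actually holds and whether each still chains to a CA the machine trusts, as a PowerShell diagnostic added here (not code from the thread). It assumes the v1 "DomainController" template, whose name travels in extension OID 1.3.6.1.4.1.311.20.2, and `$NewCaName` is a placeholder for the replacement CA's CN.

```powershell
# Added diagnostic, not from the thread. Run on a domain controller after an
# enterprise CA has been ripped and replaced: lists every Domain Controller
# certificate in LocalMachine\My, who issued it, and whether it still chains
# to a trusted root. Assumption: v1 DomainController template (OID below).
param(
    [string]$NewCaName = 'REPLACEMENT-CA'   # placeholder: CN of the new CA cert
)

$templateOid = '1.3.6.1.4.1.311.20.2'      # szOID_ENROLL_CERTTYPE_EXTENSION

# Keep only certs whose template-name extension reads "DomainController".
$dcCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    $ext -and ($ext.Format($false) -match 'DomainController')
}

if (-not $dcCerts) {
    Write-Warning 'No Domain Controller certificate in LocalMachine\My at all.'
}

foreach ($c in $dcCerts) {
    $fromNewCa = $c.Issuer -match [regex]::Escape("CN=$NewCaName")

    # Build the chain against LocalMachine\Root with revocation checking off,
    # so an unreachable CRL from the retired CA does not mask the trust result.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainsOk = $chain.Build($c)

    $verdict = if ($fromNewCa -and $chainsOk) { 'current: issued by new CA' }
               elseif (-not $chainsOk)        { 'stale: issuer no longer trusted' }
               else                           { 'old CA still trusted; no new cert yet' }

    [pscustomobject]@{
        Thumbprint = $c.Thumbprint
        Issuer     = $c.Issuer
        NotAfter   = $c.NotAfter
        FromNewCA  = $fromNewCa
        ChainsOK   = $chainsOk
        Verdict    = $verdict
    }
}

# If only old-CA certs appear, confirm the new CA is where DCs look for an
# enrollment target, then trigger autoenrollment and read the client log:
#   certutil -viewstore -enterprise NTAuth   # new CA cert must be listed
#   certutil -pulse                          # kick autoenrollment now
#   (Application log, source CertificateServicesClient-AutoEnrollment)
```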
