Manually removing cert server from AD

MBernal wrote:

Ok, so I have a simple AD 2003 network with 2 domain controllers and 2 Terminal Server 2003 servers. I have inherited this AD environment and found that one of my domain controllers has numerous Event ID 13 AutoEnrollment errors ("Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x800706ba). The RPC server is unavailable."). Well, I found out that this cert was issued from an old domain controller that no longer exists. I see this domain controller listed in AD Users and Computers, and want to manually remove it, but I'm not certain of the impact, as it was a cert authority. Actually, I see it's a member of the Cert Publishers security group. I've investigated the remaining DC servers and TS servers and see that they have a local computer certificate under Intermediate Certificate Authorities\Certificates, and the issuer was the non-existent domain controller. Further, it shows the cert is intended for the following purposes: All issuance policies and All application policies. Needless to say, I am a little concerned about manually removing this domain controller/CA server without something breaking AD. Any thoughts or suggestions on removing this dead server without impacting my network?

Meinolf Weber [MVP-DS] wrote:

Hello MBernal,

Check these articles about removing a CA:
http://support.microsoft.com/kb/555151
http://support.microsoft.com/kb/889250

For removing DCs:
http://support.microsoft.com/kb/555846/en-us

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

MBernal wrote:

Thanks for the response. I'm still not confident that the removal of the cert server won't cause some authentication issues for my existing AD environment. Maybe I should ask it this way: is a cert server required for AD services? I am guessing it's not, unless we are using EFS or some other encryption app that requires it.

I just know that the cert is for All issuance policies and All application policies; if I revoke these as suggested by the articles, will it break something?

Meinolf Weber [MVP-DS] wrote:

Hello MBernal,

I am not the CA specialist, but AD doesn't need it by default. Removing the "dead" DC will clean up the AD database, and removing the additional CA entries shouldn't have an impact.

I will also crosspost this to: microsoft.public.windows.server.security

Best regards
Meinolf Weber

Isaac wrote:

I don't think a cert is required for AD services, except if you have applications that require a certificate to use AD for authentication. If anything was to go wrong, then it should have already happened, because, as you said, the AD server is long gone and no longer exists. Does your current environment still use certs?

This is what you can do: go to one of the Terminal Servers that you think are looking to the old DC for a cert, right-click, choose Name Mappings, see if any certificate exists, remove it, and wait to see if there is any impact at all.

Isaac
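Before following the CA-removal and DC-removal articles linked above, it helps to see exactly what the dead CA left behind: its certificates in the local machine stores of the surviving servers, its objects under CN=Public Key Services in the configuration partition (the Enrollment Services entry there is what autoenrollment consults when it tries to enroll the Domain Controller certificate, so a stale entry for a CA that no longer answers is the usual source of the Event ID 13 / 0x800706ba errors in the thread), its entry in NTAuthCertificates, and the old DC's computer account and Cert Publishers membership. The following read-only inventory script is an added example, not something posted in the thread; the host name OLDDC01 and CA name OLDDC01-CA are hypothetical placeholders, and it uses only ADSI and .NET classes so it needs no RSAT modules. It deletes nothing: the CA objects are removed with the steps in the linked KB articles, and the DC itself with ntdsutil metadata cleanup, not by deleting the computer object.

```powershell
# Added example (not from the thread): read-only inventory of what a decommissioned
# CA left behind, so you know what the KB cleanup steps will touch before you run them.
# Hypothetical names: the dead DC host is OLDDC01 and its CA was named OLDDC01-CA.
# Needs only ADSI and .NET (no RSAT modules); run as a domain admin on a domain-joined box.
param(
    [string]$DeadCaName = 'OLDDC01-CA',   # hypothetical CA common name
    [string]$DeadHost   = 'OLDDC01'       # hypothetical dead DC host name
)

function Get-LocalCertsFromDeadCa {
    # Certificates in the local machine stores issued by, or belonging to, the dead CA.
    # 'CA' is the .NET name of the Intermediate Certification Authorities store,
    # where the thread found the old CA's own certificate.
    foreach ($storeName in 'My', 'CA', 'Root') {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $storeName, 'LocalMachine'
        $store.Open('ReadOnly')
        foreach ($c in $store.Certificates) {
            if ($c.Issuer -like "*CN=$DeadCaName*" -or $c.Subject -like "*CN=$DeadCaName*") {
                [pscustomobject]@{
                    Store      = $storeName
                    Subject    = $c.Subject
                    Issuer     = $c.Issuer
                    NotAfter   = $c.NotAfter
                    Thumbprint = $c.Thumbprint
                }
            }
        }
        $store.Close()
    }
}

function Get-AdPkiObjectsForDeadCa {
    # CA objects live under CN=Public Key Services in the configuration partition:
    #   Enrollment Services (pKIEnrollmentService): autoenrollment picks CAs from here, so a
    #       stale entry keeps the surviving DC trying to enroll from a CA that no longer answers
    #   Certification Authorities and AIA (certificationAuthority), CDP (one container per host)
    $rootDse = [ADSI]'LDAP://RootDSE'
    $pks = "CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$pks"
    $searcher.SearchScope = 'Subtree'
    $searcher.Filter      = "(|(cn=$DeadCaName)(cn=$DeadHost))"
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Path        = $r.Path
            ObjectClass = ($r.Properties['objectclass'] | Select-Object -Last 1)
        }
    }
    # NTAuthCertificates: CAs listed here are trusted to issue logon certificates (smart card,
    # domain controller). The dead CA's certificate should go when the CA objects go.
    $ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,$pks"
    foreach ($raw in $ntAuth.Properties['cACertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        if ($cert.Subject -like "*CN=$DeadCaName*") {
            [pscustomobject]@{ Path = 'NTAuthCertificates'; ObjectClass = $cert.Subject }
        }
    }
}

function Get-DeadHostAccountState {
    # The old DC's computer object and its Cert Publishers membership. Do not simply delete
    # the object: a DC is removed with 'ntdsutil metadata cleanup' (see the DC-removal KB),
    # which also takes it out of groups such as Cert Publishers.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $acct = (New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $domain, "(&(objectClass=computer)(cn=$DeadHost))").FindOne()
    $grp  = (New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $domain, "(&(objectClass=group)(cn=Cert Publishers))").FindOne()
    [pscustomobject]@{
        ComputerObject = if ($acct) { $acct.Path } else { '(not found)' }
        CertPublisher  = [bool]($grp -and ($grp.Properties['member'] -like "CN=$DeadHost,*"))
    }
}

"== Local machine certs tied to $DeadCaName =="
Get-LocalCertsFromDeadCa | Format-Table -AutoSize
"== AD PKI objects for $DeadCaName / $DeadHost =="
Get-AdPkiObjectsForDeadCa | Format-Table -AutoSize
"== $DeadHost account state =="
Get-DeadHostAccountState | Format-List
```

Run it on each surviving DC and Terminal Server (the first section is per machine; the other two read the directory and give the same answer everywhere). If the Enrollment Services and NTAuthCertificates sections are empty and only the local-store certificates remain, the remaining work is the local store cleanup from the first KB article plus the metadata cleanup for the DC; if the old CA still appears under Enrollment Services, expect the Event ID 13 errors to continue until that object is gone.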