Decommission DC cert authority

I am trying to decommission my first production DC. It's an old 2003 DC that has not been well maintained. I have already introduced a 2008 R2 SP1 DC in the forest, moved the roles over and completed the DC decommission checklist and tests found at:

http://technet.microsoft.com/en-us/library/cc755937(v=ws.10).aspx

At this point I have reached the dcpromo task and was expecting to uninstall the DC and have the job completed, but it comes up with an error:

"Before you install or remove Active Directory, you must remove Certificate Services"

I came across this article that explains the process of removing the certificate authority from the DC:

http://support.microsoft.com/kb/889250/en-us

Now my question is: would I not need to transfer this authority to another DC rather than just follow the instructions in the above article, which basically stops and removes all certificates and uninstalls the certificate services?


Actually, I think I've just found the answer: http://technet.microsoft.com/en-us/library/ee126140(WS.10).aspx

Looks like the best solution is to rename the new DC to the same name as the old DC, to prevent having to reissue all the certs.

http://windowsitpro.com/windows/moving-certificate-authority-ca-another-dc

Short guide, to the point. But as a mistake could lead to all clients having cert issues, I am a bit apprehensive about it and in no rush.
 
In the exact same position. I have a physical 2003 DC with the CA on and want to move this over to a 2008 R2, so let us know how you get on!

Knubje is right, doesn't necessarily need to be a DC, but has to be Enterprise edition of Windows Server if I remember rightly
 
Looking at the cert authority, there are only 5 of 52 certificates that have not expired, and they are for the other domain controllers and one for my own user account, which I am not sure why it exists; it's for EFS but I have never used EFS. Either way there does not look to be a lot of active certs on there.

I am just looking into the implications of actually just removing this cert authority and setting up a new one from scratch. From what I have read the computer objects will still work because they are not registered with the DC using the certs. But I read one forum where a guy messed up the cert services migration and this led to users not being able to log in.

Ideally I would just uninstall the old cert authority and install a new one on the new DC and reissue the certs using the new DC as the common name. That way I don't need to worry about migrating any old legacy junk that does not need to be there any more. I am just not sure how much impact that will have yet.
 
Do you have a requirement for Certificate Services in your domain? Do you issue any domain certificates or is it just there as a legacy piece?

The domain controllers will no doubt be set to auto-enrolling against the CA DC, which is why you are seeing 5 certificates not expired. This will probably be set by GPO in either the Default Domain policy or the Domain Controller policy.

If you have a development domain it would be great to test this before doing anything.

Failing that, you could try the decommission CA service process, and revoke a certificate issued to just one of your DCs, give it a reboot and see if clients can connect. You might have to stop auto-enrollment whilst you do this first though, otherwise it will just auto-enroll a new cert from the CA.

I'd then test auth/logon against the DC with the revoked cert to check all is working as expected. If not, you can always un-revoke a certificate from the CA and kick the DC again.

You're in a bit of a tough situation. My gut feeling is that if you don't have certificate services set up for a reason as mentioned above then it's probably just turned on but not actually being used. If you monitor the certificates issued you should see what is using it and how often.
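One way to do that monitoring, as an added example that is not from any poster in this thread: the script below runs on the CA itself and uses `certutil -view` to dump every certificate the CA actually issued (`Disposition=20`), parses the `Row N:` blocks into objects and then summarises the unexpired ones by template and requester. If the only live entries are `DomainController` certs and a stray `EFS` one, that matches what the thread describes and nothing else depends on the CA. Assumptions: you run it as a CA administrator on the CA, PowerShell 3.0 or later (for `[pscustomobject]`), and `certutil.exe` prints its default English column names.

```powershell
# Added example: inventory what a Windows CA has issued before you uninstall it.
# Assumes: run on the CA as a CA admin, PowerShell 3.0+, English certutil output.

function ConvertFrom-CertutilView {
    # Parse the text that 'certutil -view' prints ("Row 1:", then indented
    # "Localized Name: value" lines) into one object per issued certificate.
    param([string]$Text)
    $rows = $Text -split '(?m)^Row \d+:\s*$' | Select-Object -Skip 1   # chunk 0 is the schema header
    foreach ($row in $rows) {
        $h = @{}
        foreach ($line in ($row -split "`r?`n")) {
            if ($line -match '^\s+(?<k>[^:]+):\s*(?<v>.*)$') {
                $h[$matches.k.Trim()] = $matches.v.Trim().Trim('"')
            }
        }
        if (-not $h.ContainsKey('Request ID')) { continue }
        [pscustomobject]@{
            RequestId = $h['Request ID']                      # e.g. "0x5 (5)"
            Requester = $h['Requester Name']                  # e.g. "CORP\DC01$"
            Template  = $h['Certificate Template']            # e.g. "DomainController", "EFS"
            # certutil prints dates in the system locale; Parse() uses the same culture.
            NotBefore = [datetime]::Parse($h['Certificate Effective Date'])
            NotAfter  = [datetime]::Parse($h['Certificate Expiration Date'])
            Serial    = $h['Serial Number']
        }
    }
}

function Get-IssuedCaCertificate {
    # Disposition=20 = "issued"; pending, denied and failed requests are excluded.
    $raw = certutil -view -restrict "Disposition=20" `
        -out "RequestID,RequesterName,CertificateTemplate,NotBefore,NotAfter,SerialNumber" 2>&1 |
        Out-String
    ConvertFrom-CertutilView $raw
}

function Get-CaDependencySummary {
    # Group the certificates that are still valid today by template, so you can
    # see at a glance what (and who) would still be relying on this CA.
    param([object[]]$Certs)
    $live = $Certs | Where-Object { $_.NotAfter -gt (Get-Date) }
    $live | Group-Object Template | ForEach-Object {
        [pscustomobject]@{
            Template   = $_.Name
            Unexpired  = $_.Count
            Requesters = ($_.Group | ForEach-Object { $_.Requester } | Sort-Object -Unique) -join ', '
            LastExpiry = ($_.Group | Measure-Object NotAfter -Maximum).Maximum
            # EFS / EFSRecovery templates are the ones to chase: a user may have
            # encrypted files with that key.
            Flag       = if ($_.Name -match 'EFS') { 'check for encrypted files' } else { '' }
        }
    }
}

$issued = Get-IssuedCaCertificate
"Total issued: $($issued.Count)"
Get-CaDependencySummary -Certs $issued | Sort-Object Unexpired -Descending | Format-Table -AutoSize
```

Run it a few days apart and compare the `Total issued` count: if it never moves, nothing is enrolling against the CA except the DCs' own auto-enrolment. Keep the raw `certutil -view` output alongside the CA backup you take before uninstalling, because once the role is gone the database is no longer queryable.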
 
It's only a small site with 100 users and 4 DCs (3 once this one is turned off): 1 physical and 2 virtual. I plan to bring that down to 2 DCs, 1 physical and 1 virtual, and then 1 at the DR side.

I don't think it's used for anything other than AD authentication. I remember a while ago they were using a domain certificate (the one found in IIS on the DC) from an external supplier, but when it came up for renewal I switched it to a self-signed certificate, as I know they are stopping issuing external certs for internal domains and it's cheaper. I am not sure how that cert relates to it being a cert authority, but on the other DCs we don't have IIS and the certificate there. It looks like that cert is set up for the DC that I want to disable, so I would assume then I will need to regenerate the domain cert for the new DC hostname. It says issued by the company name, rather than an external company like Thawte etc., so it must then be using the cert authority as the certificate issuer. So basically then I could just uninstall the cert authority, remove the DC and shut it down, install the cert authority on the new DC and issue a new internal certificate for the new DC.

In the default domain we have this policy set up:

Public Key Policies/Trusted Root Certification Authorities
  Allow users to select new root certification authorities (CAs) to trust: Enabled
  Client computers can trust the following certificate stores: Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
  To perform certificate-based authentication of users and computers, CAs must meet the following criteria: Registered in Active Directory only
 
Doesn't sound like there is any genuine need for this CA to exist other than for some internal web server certificates to save on money if the services will not be used externally. If a CA is installed using the wizard in a default config it will publish all templates, at which point the DCs will pick up certificates automatically even without auto-enrolment being configured in a GPO. Feel free to drop me a message with the list of certs issued (if you are happy to do that) and I'll check there has been no other use. The main one to watch out for is if any EFS-type certs have been issued to a user who may have then chosen to encrypt anything, but hopefully that isn't the case.

The only other item to check for is if there is anything configured to use secure ldap (LDAP over SSL/TLS) as that will break potentially. Can you look at one of the issued certs to see what revocation info etc is in it, i.e. the AIA and CDP locations. Likely it will be an LDAP and internal HTTP site hosting them, which again will probably be the DC.

Lastly I would advise not to re-install the role unless required; if you do need it there should be a degree of planning etc. to determine the uses and protection of the CAs. Again all depends on your requirements. FYI that role and IIS should never be installed on a DC as it's bad practice and opens multiple attack vectors from a security standpoint. An exception in your case with a small usage scenario, but better suited to a member server.

There will be no utilisation of certs for logon from this unless either smartcards or some sort of IPSec using certs is enabled, so I can't foresee any issues. Is there any documentation as to why it was set up?

Anything else give me a shout or drop me a message via trust and i'll be glad to help out
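To check the two things that post asks about (what is on LDAPS, and what AIA/CDP locations the DC's certificate points at), here is an added example that is not from any poster in the thread. It opens a TLS session to port 636 on a DC, keeps the certificate the DC presents, pulls the URLs out of its CRL Distribution Points (OID 2.5.29.31) and Authority Information Access (OID 1.3.6.1.5.5.7.1.1) extensions, and reports what a revocation-checking client would make of the chain. Assumptions: the server name `dc02.corp.example` is a placeholder, PowerShell 3.0 or later, and the DC has LDAPS enabled (it only will if it holds a certificate with the Server Authentication EKU, which is exactly what the enterprise CA has been auto-issuing).

```powershell
# Added example: see which certificate a DC serves on LDAPS and where its CRL/AIA
# URLs point, so you know what stops working when the CA that published them is gone.
# Assumes PowerShell 3.0+; 'dc02.corp.example' below is a placeholder host name.

function Get-ExtensionUrl {
    # Return every "URL=" entry from the formatted text of one X.509 extension.
    param($Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Get-LdapsCertificateInfo {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)

    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept whatever the server presents during the handshake: this is an
        # inspection tool, not a client. Trust is evaluated separately below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Build the chain the way a strict client would, with online revocation checking.
    # After the CA is uninstalled, this fails as soon as the last CRL published at
    # the CDP URL expires (RevocationStatusUnknown / OfflineRevocation).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $valid = $chain.Build($cert)

    [pscustomobject]@{
        Server      = $Server
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        Thumbprint  = $cert.Thumbprint
        ChainValid  = $valid
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        CdpUrls     = Get-ExtensionUrl $cert '2.5.29.31'          # CRL Distribution Points
        AiaUrls     = Get-ExtensionUrl $cert '1.3.6.1.5.5.7.1.1'  # Authority Information Access
    }
}

Get-LdapsCertificateInfo -Server 'dc02.corp.example' | Format-List
```

Run it against every DC that anything points at on 636. If `Issuer` is your internal CA and `CdpUrls` contain `ldap:///CN=...,CN=CDP,...` or an `http://<old-dc>/CertEnroll/...` URL, those are the dependencies the post is talking about: the DC's existing certificate keeps working until `NotAfter`, but nothing will renew it once the CA is gone, and any client that insists on checking revocation will start failing when the published CRL's validity runs out. Point the third-party LDAPS consumer at a DC whose result here shows `ChainValid : True` before you shut the old one down.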
 
Yup, don't bother with CAs unless you need them. If you do then build a separate server for the job.

Ironically, we only put them in when VMware changed to require SSL throughout.
 
Thanks for such an informative reply. No documentation at all. As far as I am aware only one third-party piece of software is using LDAP over port 636. I don't see any certificates in use for that host though. Does the use of secure LDAP require the cert authority to be installed? I was not aware of that. If the cert authority is not required then I will not install it on the new server. The only sites in the IIS on the DC are sites about the certificate authority. Under the IIS on the DC the default site has CertControl, CertEnroll and CertSrv sections.

I will have to update the MFD, XenApp and Mimecast with the new domain controller address before decommissioning this DC, thanks for reminding me.

I would like to move over all the LDAP connections to port 636 rather than 389.
 
No don't install a CA on a DC, for the exact reason you have found!

I have just gone through the same process as you. I had 2 Enterprise Root CAs in the same domain. Both had EFS certs or Computer certs issued via autoenrollment. Check your file servers for any files that have been encrypted using the cipher command.

I decommissioned 1 of them and then migrated the other to a new 2012 server that will be used just as a CA.

I used the same links you found to migrate and decommission the CAs.
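The EFS check that post recommends, written out as an added example (not code from any poster): it walks the paths you give it, keeps only files with the `Encrypted` attribute, records the owner of each, and summarises per owner, so you know whose EFS certificate (or the domain's recovery agent key) has to stay usable after the CA is gone. Assumptions: PowerShell 3.0 or later (for `Get-ChildItem -File` and `[pscustomobject]`), and that `\\fs01\users` and `D:\Data` are placeholder paths you would replace with your own shares.

```powershell
# Added example: find EFS-encrypted files on file servers and who owns them.
# Assumes PowerShell 3.0+; the two paths at the bottom are placeholders.

function Find-EfsEncryptedFile {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        Get-ChildItem -LiteralPath $p -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
            ForEach-Object {
                # Owner tells you whose EFS key (or the recovery agent) can open it.
                try   { $owner = (Get-Acl -LiteralPath $_.FullName).Owner }
                catch { $owner = 'unknown' }
                [pscustomobject]@{
                    Path      = $_.FullName
                    Owner     = $owner
                    Size      = $_.Length
                    LastWrite = $_.LastWriteTime
                }
            }
    }
}

function Get-EfsOwnerSummary {
    # One line per owner: how many encrypted files and how much data.
    param([object[]]$Files)
    $Files | Group-Object Owner | ForEach-Object {
        [pscustomobject]@{
            Owner = $_.Name
            Files = $_.Count
            Bytes = ($_.Group | Measure-Object Size -Sum).Sum
        }
    }
}

$found = Find-EfsEncryptedFile -Paths '\\fs01\users', 'D:\Data'
if (-not $found) {
    'No EFS-encrypted files found under the given paths.'
} else {
    Get-EfsOwnerSummary -Files $found | Sort-Object Files -Descending | Format-Table -AutoSize
    $found | Export-Csv -NoTypeInformation -Path .\efs-files.csv
}
```

On the file server itself the built-in `cipher /u /n /h` does the same scan for local drives without touching the files; the script above is the equivalent for UNC paths and gives you the per-owner view. Any owner listed here whose EFS certificate came from the CA you are removing needs that certificate and private key exported (or the files decrypted) before the CA and its issued certificates disappear from the picture.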
 
I have uninstalled the cert authority and so far so good. I moved over the third-party (Mimecast) LDAPS connection to the new DC without any problems. The cert authority was not actually in use as far as I can tell, but I kept a backup of it in case I need to restore.
 