Hello MBernal,
I am not the CA specialist, but AD doesn't need it by default. Removing the
"dead" DC will clean up the AD database and removing the additional CA entries
shouldn't have an impact.
I will also crosspost this to:
microsoft.public.windows.server.security
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
> Thanks for the response. I'm still not confident that the removal of
> the cert server won't cause some authentication issues for my existing
> AD environment. Maybe I should ask it this way - is a cert server
> required for AD services? I am guessing it's not unless we are using
> EFS or some other encryption app that requires it.
>
> I just know that the cert is for - All issuance policies and All
> application policies. If I revoke these as suggested by the articles,
> will it break something?
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello MBernal,
>>
>> Check these articles about removing CA:
>> http://support.microsoft.com/kb/555151
>> http://support.microsoft.com/kb/889250
>>
>> For removing DC's:
>> http://support.microsoft.com/kb/555846/en-us
>> Best regards
>>
>> Meinolf Weber
>>> Ok, so I have a simple AD 2003 network with 2 domain controllers and
>>> 2 Terminal 2003 servers. I have inherited this AD environment and
>>> found that one of my domain controllers has numerous Event ID 13 -
>>> AutoEnrollment errors (Automatic certification enrollment for local
>>> system failed to enroll for one Domain Controller certificate
>>> (8x800706ba). The RPC server is unavailable). Well, I found out that
>>> this cert was issued from an old domain controller that no longer
>>> exists. I see this domain controller listed in AD Users and
>>> Computers, and want to manually remove it, but I'm not certain of the
>>> impact as it was a cert authority. Actually, I see it's a member of
>>> the Cert Publishers security group. I've investigated the remaining
>>> DC servers and TS servers and see that they have a local computer
>>> certificate issued under Intermediate Certificate
>>> Authorities\Certificates and the issuer was the nonexistent domain
>>> controller. Further, it shows the cert is intended for the following
>>> purposes: All issuance policies and All application policies.
>>> Needless to say, I am a little concerned about manually removing this
>>> domain controller/CA server without something breaking AD. Any
>>> thoughts or suggestions on removing this dead server without
>>> impacting my network?
>>>