Help with decommissioning one of our CA servers
If you will not use this CA server, you need to remove all related objects, including CA certificates and CRLs.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
September 29th, 2011 9:00am
Thanks for the reply!
I will remove the objects for this old CA server
Would I still need to perform Step 7: Delete certificates published to the NtAuthCertificates object?
September 29th, 2011 9:13am
Yes, you need to perform all steps specified in the KB article.
September 29th, 2011 11:29am
Hi,
I'm in the process of decommissioning one of our old domain controllers but it holds a CA. We also have another CA server which is still in use on another server which I don't want to decommission.
I've been following http://support.microsoft.com/kb/889250. On the CA server I want to decommission, I've revoked all the certs, confirmed that all the certs have expired, and uninstalled the service as directed in the KB and have got as far as Step 6: Remove CA objects from Active Directory.
The question I have is, do I only remove the object for the CA server I've decommissioned from the steps below or do I leave it in there?
Remove all Certification Services objects from Active Directory

Note: You should not remove certificate templates from Active Directory until after you remove all CA objects in the Active Directory forest.

To remove all Certification Services objects from Active Directory, follow these steps:

1. Determine the CACommonName of the CA. To do this, follow these steps:
   a. Click Start, click Run, type cmd in the Open box, and then click OK.
   b. Type certutil, and then press ENTER.
   c. Make a note of the Name value that belongs to your CA. You will need the CACommonName for later steps in this procedure.
2. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
3. On the View menu, click Show Services Node.
4. Expand Services, expand Public Key Services, and then click the AIA folder.
5. In the right pane, right-click the CertificationAuthority object for your CA, click Delete, and then click Yes.
6. In the left pane of the Active Directory Sites and Services MMC snap-in, click the CDP folder.
7. In the right pane, locate the container object for the server where Certificate Services is installed. Right-click the container, click Delete, and then click Yes two times.
8. In the left pane of the Active Directory Sites and Services MMC snap-in, click the Certification Authorities node.
9. In the right pane, right-click the CertificationAuthority object for your CA, click Delete, and then click Yes.
10. In the left pane of the Active Directory Sites and Services MMC snap-in, click the Enrollment Services node.
11. In the right pane, verify that the pKIEnrollmentService object for your CA was removed when Certificate Services was uninstalled. If the object is not deleted, right-click the object, click Delete, and then click Yes.
September 29th, 2011 1:14pm
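
Added example, not part of the thread or of KB 889250: a read-only PowerShell inventory of the Public Key Services containers named in the steps above, plus the NTAuthCertificates object from Step 7, so the objects of the retired CA can be told apart from those of the CA still in use before anything is deleted. The values of `$OldCAName` and `$OldCAHost` are placeholders, and the script assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: read-only inventory, nothing is deleted.
# Assumes the RSAT ActiveDirectory module and PowerShell 5 or later.
Import-Module ActiveDirectory

$OldCAName = 'Contoso-OldCA'  # placeholder: the Name value certutil reported for the retired CA
$OldCAHost = 'OLDDC01'        # placeholder: short host name of the retired CA server

$configNC = (Get-ADRootDSE).configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNC"

# The four containers the KB steps walk through in Sites and Services.
$containers = 'AIA', 'CDP', 'Certification Authorities', 'Enrollment Services'

$objects = foreach ($c in $containers) {
    $base = "CN=$c,$pks"
    Get-ADObject -SearchBase $base -SearchScope Subtree -Filter * |
        Where-Object { $_.DistinguishedName -ne $base } |
        ForEach-Object {
            # Flag exact-name matches and anything under the old server's CDP container.
            $underOldHost = $_.DistinguishedName -like "*CN=$OldCAHost,CN=CDP,$pks"
            [pscustomobject]@{
                Container = $c
                Name      = $_.Name
                Class     = $_.ObjectClass
                OldCA     = ($_.Name -eq $OldCAName) -or $underOldHost
                DN        = $_.DistinguishedName
            }
        }
}
$objects | Sort-Object Container, Name | Format-Table -AutoSize

# Step 7 of the KB: CA certificates published to the NTAuthCertificates object.
$ntAuth = Get-ADObject -Identity "CN=NTAuthCertificates,$pks" -Properties cACertificate
$ntAuthCerts = foreach ($raw in $ntAuth.cACertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        OldCA      = $cert.GetNameInfo('SimpleName', $false) -eq $OldCAName
    }
}
$ntAuthCerts | Format-Table -AutoSize
```

Rows with OldCA set to False include the objects of the CA that stays in service; because the match is by exact name, review unflagged rows by hand as well before deleting anything.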