Remove CA
I have been going through removing an enterprise CA on my test domain using kb889250, and have a few questions.
1. In step 7, neither of the commands works. All I get is the help information. Is this step necessary? I have read other documents that say the NTAuthCertificates object should not be removed. If this is necessary, what is the correct syntax?
2. In step 9, should this action be run on each domain controller, or can it be run on one domain controller and the other domain controllers will be taken care of? If this step must be done on all domain controllers separately, then how do you do it on a Server 2008 domain controller?
June 23rd, 2011 9:13pm
On Thu, 23 Jun 2011 18:13:56 +0000, zeb2100 wrote:
> 1. in step 7 neither of the commands work. all I get is the help information. Is this step necessary? I have read other documents that say the NTAuthCertificates object should not be removed. If this is necessary what is the correct syntax?
Firstly, this command does not delete the NTAuthCertificates object, it
deletes any certificates in that store.
Secondly, if all you're getting is help on the option then you've got a
syntax error in the command. You need to ensure that:
1. You change the LDAP path correctly to match your particular environment.
2. If you are copying and pasting the command from the web page, then
before executing the command, edit the resulting command line, replacing
any "-" or quotation marks in the command line. Quite frequently when
command lines get posted to a web site, they wind up with the wrong type of
"-" (and yes, there are different "-" characters in typesetting, they have
different names and different lengths, and commands run at a command line
are particular about using the correct "-"
http://www.grammarbook.com/punctuation/dashes.asp).
> 2. in step 9, should this action be run on each domain controller or can it be run on one domain controller and the other domain controllers will be taken care of? If this step must be done on all domain controllers separately, then how do you do it on a Server 2008 domain controller?
You only need to run it on a single DC and the 2003 instructions are
applicable to 2008 and 2008 R2 as well though if you have a mix of
2008/2008R2 and 2003 DCs I'm not 100% that the version of certutil on the
2003 DC will delete the 2008/2008R2 DC certificates, never tried that.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
No program done by a hacker will work unless he is on the system.
June 24th, 2011 11:47am
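The copy-and-paste problem described in the reply above can be checked mechanically. The following is an added example, not part of the thread or of the KB article: a PowerShell function (the name Repair-PastedCommand is hypothetical) that reports typographic dashes and quotation marks in a pasted command line and returns an ASCII-only version. The sample command is constructed, and its DC=example,DC=com components are placeholders for your own forest root; the script only inspects the string and never runs it.

```powershell
# Added example (not from the thread or the KB article). Requires PowerShell 3.0 or later.
# Look-alike code points mapped to the ASCII character a command line expects.
$LookAlikes = @{
    0x2010 = '-'; 0x2011 = '-'; 0x2012 = '-'; 0x2013 = '-'   # hyphen, non-breaking hyphen, figure dash, en dash
    0x2014 = '-'; 0x2015 = '-'; 0x2212 = '-'                 # em dash, horizontal bar, minus sign
    0x201C = '"'; 0x201D = '"'; 0x201E = '"'                 # curly double quotation marks
    0x2018 = "'"; 0x2019 = "'"                               # curly single quotation marks
    0x00A0 = ' '                                             # no-break space
}

function Repair-PastedCommand {
    param([Parameter(Mandatory = $true)][string]$CommandLine)

    $findings = New-Object System.Collections.Generic.List[object]
    $fixed    = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $CommandLine.Length; $i++) {
        $code = [int]$CommandLine[$i]
        if ($LookAlikes.ContainsKey($code)) {
            # Record where the look-alike sits so the admin can see what was wrong.
            $findings.Add([pscustomobject]@{
                Position    = $i
                CodePoint   = 'U+{0:X4}' -f $code
                Replacement = $LookAlikes[$code]
            })
            [void]$fixed.Append($LookAlikes[$code])
        } else {
            [void]$fixed.Append($CommandLine[$i])
        }
    }
    [pscustomobject]@{ Fixed = $fixed.ToString(); Findings = $findings }
}

# Constructed sample: an en dash before the option and curly quotes around the LDAP URL,
# built from code points so the script file itself stays plain ASCII.
$pasted = 'certutil ' + [char]0x2013 + 'viewdelstore ' + [char]0x201C +
          'ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,' +
          'CN=Configuration,DC=example,DC=com?cACertificate?base?objectclass=certificationAuthority' +
          [char]0x201D

$result = Repair-PastedCommand -CommandLine $pasted
$result.Findings | Format-Table -AutoSize   # one row per replaced character
$result.Fixed                               # ASCII-only text to review before running anything
```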
OK, I typed the command in exactly from what was in the KB article. I do not know very much about LDAP, so I am not sure what the correct path would be. Can you give me an example? Also, this is a necessary step then? Thanks.
June 24th, 2011 6:07pm
Can anyone help me with this?
June 29th, 2011 7:58pm