Click here to get back home

Certs for Domain Controllers-Trying to Prevent an Issue
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Certs for Domain Controllers-Trying to Prevent an Issue Christian 03-19-2008
Posted by Christian on March 19, 2008, 12:28 pm
Please log in for more thread options
 Reposting this issue. It was recommended that I post to this group from
someone in the AD group.

We have three DC's, all running Windows Server 2003 w/SP2. DC1 is unstable,
and needs to be demoted before there is a serious hardware failure. DC2 and
DC3 have been brought online, and all of the FSMO roles have been moved to
them. The one remaining issue is that DC1 issued the Domain Controller
certs to DC2 and DC3. No other certs in our environment where created by
DC1, just the Domain Controller certs for DC2 and DC3. What needs to be
done in order to allow the demotion of DC1 out of AD without affecting the
certs? This server will be salvaged after the demotion.

Thank you,

-Christian



Posted by Brian Komar \(MVP\) on March 20, 2008, 4:38 am
Please log in for more thread options
 Easiest would be to deploy a proper PKI (not piggy-backing a CA on a DC)
You can use certutil -dcinfo deleteALL to replace the certs after the new
PKI is deployed
You cannot restore the CA. If you read the installation warning, you cannot
change the domain or NetBIOS name of the CA after installing Cert Services

Brian
> Reposting this issue. It was recommended that I post to this group from
> someone in the AD group.
>
> We have three DC's, all running Windows Server 2003 w/SP2. DC1 is
> unstable,
> and needs to be demoted before there is a serious hardware failure. DC2
> and
> DC3 have been brought online, and all of the FSMO roles have been moved to
> them. The one remaining issue is that DC1 issued the Domain Controller
> certs to DC2 and DC3. No other certs in our environment where created by
> DC1, just the Domain Controller certs for DC2 and DC3. What needs to be
> done in order to allow the demotion of DC1 out of AD without affecting the
> certs? This server will be salvaged after the demotion.
>
> Thank you,
>
> -Christian
>


Posted by Jorge de Almeida Pinto [MVP - on March 20, 2008, 4:44 am
Please log in for more thread options
Hi Brian,

Just out of interest. I'm reading your w2k3 PKi book right now and like it
very much. Will there be a w2k8 version?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
> Easiest would be to deploy a proper PKI (not piggy-backing a CA on a DC)
> You can use certutil -dcinfo deleteALL to replace the certs after the new
> PKI is deployed
> You cannot restore the CA. If you read the installation warning, you
> cannot change the domain or NetBIOS name of the CA after installing Cert
> Services
>
> Brian
>> Reposting this issue. It was recommended that I post to this group from
>> someone in the AD group.
>>
>> We have three DC's, all running Windows Server 2003 w/SP2. DC1 is
>> unstable,
>> and needs to be demoted before there is a serious hardware failure. DC2
>> and
>> DC3 have been brought online, and all of the FSMO roles have been moved
>> to
>> them. The one remaining issue is that DC1 issued the Domain Controller
>> certs to DC2 and DC3. No other certs in our environment where created by
>> DC1, just the Domain Controller certs for DC2 and DC3. What needs to be
>> done in order to allow the demotion of DC1 out of AD without affecting
>> the
>> certs? This server will be salvaged after the demotion.
>>
>> Thank you,
>>
>> -Christian
>>
>


Posted by Brian Komar \(MVP\) on March 20, 2008, 11:04 am
Please log in for more thread options
Yes, I just finished the copy edits.
Should be out in a few months
Pre-orders are available at MSPress and Amazon
Brian

"Jorge de Almeida Pinto [MVP - DS]"
> Hi Brian,
>
> Just out of interest. I'm reading your w2k3 PKi book right now and like it
> very much. Will there be a w2k8 version?
>
> --
>
> Cheers,
> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>
> # Jorge de Almeida Pinto # MVP Windows Server - Directory Services
>
> BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
>
------------------------------------------------------------------------------------------
> * How to ask a question --> http://support.microsoft.com/?id=555375
>
------------------------------------------------------------------------------------------
> * This posting is provided "AS IS" with no warranties and confers no
> rights!
> * Always test before implementing!
>
------------------------------------------------------------------------------------------
> #################################################
> #################################################
>
------------------------------------------------------------------------------------------
>> Easiest would be to deploy a proper PKI (not piggy-backing a CA on a DC)
>> You can use certutil -dcinfo deleteALL to replace the certs after the new
>> PKI is deployed
>> You cannot restore the CA. If you read the installation warning, you
>> cannot change the domain or NetBIOS name of the CA after installing Cert
>> Services
>>
>> Brian
>>> Reposting this issue. It was recommended that I post to this group from
>>> someone in the AD group.
>>>
>>> We have three DC's, all running Windows Server 2003 w/SP2. DC1 is
>>> unstable,
>>> and needs to be demoted before there is a serious hardware failure. DC2
>>> and
>>> DC3 have been brought online, and all of the FSMO roles have been moved
>>> to
>>> them. The one remaining issue is that DC1 issued the Domain Controller
>>> certs to DC2 and DC3. No other certs in our environment where created
>>> by
>>> DC1, just the Domain Controller certs for DC2 and DC3. What needs to be
>>> done in order to allow the demotion of DC1 out of AD without affecting
>>> the
>>> certs? This server will be salvaged after the demotion.
>>>
>>> Thank you,
>>>
>>> -Christian
>>>
>>
>


Posted by Paul Adare on March 20, 2008, 11:07 am
Please log in for more thread options
On Thu, 20 Mar 2008 09:44:15 +0100, Jorge de Almeida Pinto [MVP - DS]
wrote:

> Just out of interest. I'm reading your w2k3 PKi book right now and like it
> very much. Will there be a w2k8 version?

It is in progress right now. Brian's writing it and I'm tech editing it.

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
Creativity is great, but plagiarism is faster!

Similar ThreadsPosted
Child domain laptops autoenrolling user certs but not computer certs May 21, 2008, 4:19 pm
Certs in non-domain environment: January 24, 2008, 12:51 pm
Demote first DC in a Windows 2003 domain. What happens to the certs? March 3, 2008, 10:43 pm
Problem with Machine Certs being used as User Certs June 15, 2005, 7:06 am
Issue cert to member of untrusted domain January 28, 2006, 9:31 am
prevent access to shared folder when not on a domain computer July 11, 2005, 8:50 pm
Prevent access to server for computers not part of domain January 22, 2007, 11:56 pm
Self-signed certs for FTP October 10, 2006, 7:07 pm
CA configuration to publish certs in AD October 2, 2006, 9:42 am
GPO for trusted root CA certs November 7, 2006, 8:12 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap