Certificate Authority Servers Cannot Be Renamed or Removed from Network

Article ID: 231182
This article was previously published under Q231182
This article has been archived. It is offered "as is" and will no longer be updated.

Symptoms

A Windows 2000 server functioning as a Certificate Authority (CA) server cannot be renamed; if it is, the certificates that it has issued become invalid. This applies to both Enterprise CAs and stand-alone CAs.

Enterprise CA servers are domain controllers or member servers that use DNS and Active Directory to store their certificate information for replication to other domain controllers. The Enterprise Root CA and the Enterprise Subordinate CAs under it must not change their names, or certificates throughout the enterprise can no longer be validated back to the root.

Cause

The name of the CA server is bound to the certificates that the CA has issued. Therefore, the server name cannot be changed without revoking all certificates.
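
One place this binding can be seen is in the CRL distribution point URLs written into each issued certificate, which in a default Windows CA configuration contain the server's host name. The following is an added example, not part of the original article: it takes an inventory of such URLs and reports which certificates depend on a given server name. All host names, CA names and URLs in it are constructed, and the `CN=<CA>,CN=<server>,CN=CDP` layout is the default LDAP publication path, stated here from general knowledge rather than from the article.

```python
import re
from urllib.parse import urlsplit, unquote

def server_names(url):
    """Short host names that a CRL/AIA URL depends on, lower-cased."""
    parts = urlsplit(url)
    names = set()
    if parts.hostname:  # http://host/... or ldap://host/...
        names.add(parts.hostname.split(".")[0].lower())
    if parts.scheme.lower() == "ldap":
        # Default DN form: CN=<CA name>,CN=<server>,CN=CDP,CN=Public Key Services,...
        dn = unquote(parts.path.lstrip("/"))
        rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]
        for rdn, parent in zip(rdns, rdns[1:]):
            if parent.upper() == "CN=CDP" and rdn.upper().startswith("CN="):
                names.add(rdn[3:].lower())
    return names

def certs_tied_to(server, inventory):
    """Map certificate label -> URLs in that certificate that reference `server`."""
    short = server.split(".")[0].lower()
    hits = {}
    for label, urls in inventory.items():
        tied = [u for u in urls if short in server_names(u)]
        if tied:
            hits[label] = tied
    return hits

# Constructed inventory: certificate label -> URLs from its CDP/AIA extensions.
SAMPLE = {
    "web01": [
        "http://ca01.example.com/CertEnroll/Example%20CA.crl",
        "ldap:///CN=Example%20CA,CN=CA01,CN=CDP,CN=Public%20Key%20Services,"
        "CN=Services,CN=Configuration,DC=example,DC=com"
        "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    ],
    # Published under an alias, so not tied to the CA server's own name.
    "vpn01": ["http://pki.example.com/crl/Example%20CA.crl"],
}

if __name__ == "__main__":
    for label, urls in certs_tied_to("CA01", SAMPLE).items():
        print(label, "references CA01 in", len(urls), "URL(s)")
```
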

Resolution

Before implementing a CA server, plan factors such as organization naming schemes and future requirements for subordinate CAs so the CA hierarchy can be a part of the naming scheme.

Back up the certificates by using the Certificate Services Backup feature. They can be restored at a later time.

In case of disaster recovery, restore the backup tape to a server with identical hardware. When the Certificate service starts with the proper registry entries in place from the tape backup, the certificates will still be valid on the network.

Status

This behavior is by design.

More information

Local CA servers hold their information locally, use local policies, and store certificate information in a local database. Therefore, restoring a CA involves more than placing a server of the same name on the network. Performing regular tape backups of the server is a reliable way to be able to restore the CA without losing all certificates.

Properties

Article ID: 231182 - Last Review: October 26, 2013 - Revision: 3.0
Applies to
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
Keywords: kbnosurvey kbarchive kbenv kbprb KB231182
