How to manually remove an Enterprise Windows Certificate Authority from a Windows 2000/2003 Domain

Article ID: 555151 - View products that this article applies to.
Author: Yuval Sinay MVP

SYMPTOMS

In some organizations there is no regular backup procedure for the Enterprise Windows Certificate Authority. If the server fails (software or hardware), it may be necessary to reinstall the Enterprise Windows Certificate Authority. Before you can reinstall it, you may need to manually delete the objects and data that belong to the original Enterprise Windows Certificate Authority and reside in Active Directory.

CAUSE

The Enterprise Windows Certificate Authority stores its configuration settings and data in Active Directory.

RESOLUTION

A. Backup:
 
It is recommended that you back up all nodes that hold Active Directory related data (Windows Domain Controllers, Exchange Servers, Active Directory Connector, Windows Server with Services for Unix, ISA Server Enterprise, Enterprise Windows Certificate Authority) before and after you follow this procedure.
 
The following procedure should be used only as a last resort. It may affect your production environment and may require you to reboot some nodes or restart some services.
 
 
B. Active Directory Clean:
 
Note: Log on to the system with an account that has the permissions listed below:
 
       1. Enterprise Administrator
       2. Domain Administrator
       3. Certificate Authority Administrator
       4. Schema Administrator (the server that holds the Schema Master FSMO role must be online during the process).
 
To remove all Certification Services objects from Active Directory:
 
1. Start "Active Directory Sites and Services".
 
2. Click the "View" menu and select "Show Services Node".
 
3. Expand "Services", and then expand "Public Key Services".
 
4. Select the "AIA" node.
 
5. In the right-hand pane, locate the "certificateAuthority" object for your Certification Authority. Delete the object.
 
6. Select the "CDP" node.
 
7. In the right-hand pane, locate the container object for the server where Certification Services is installed. Delete the container and the objects it contains.
 
8. Select the "Certification Authorities" node.
 
9. In the right-hand pane, locate the "certificateAuthority" object for your Certification Authority. Delete the object.
 
10. Select the "Enrollment Services" node.
 
11. In the right-hand pane, locate the "pKIEnrollmentService" object for your Certification Authority and delete it.
 
12. Select the "Certificate Templates" node.
 
13. In the right-hand pane, delete all the Certificate Templates.
 
       Note: Delete the Certificate Templates only if no other Enterprise CAs are installed in the forest. If the templates are deleted inadvertently, restore them from backup.
 
14. Click the "Public Key Services" node and locate the "NTAuthCertificates" object.
 
15. If there are no other Enterprise or Stand-alone CAs installed in the forest, delete the object; otherwise leave it alone.
 
16. Use "Active Directory Sites and Services" or the "Repadmin" command from the Windows Resource Kit to force replication to the other domain controllers in the domain/forest.
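The same clean-up as an added PowerShell example (not part of this article): it resolves the AD objects that steps 5, 7, 9 and 11 delete by their DN under the Configuration partition, reports them, and removes them only when -Delete is given; templates and NTAuthCertificates (steps 13 and 15) are reported, never deleted, because other CAs in the forest may depend on them. $CaName, $CaServer and the -Delete switch are assumptions; run it as an Enterprise Administrator on a domain-joined host.

```powershell
# Added example, not the article's own code. Assumes $CaName is the CA's common
# name and $CaServer the NetBIOS name of the CA host (both are assumptions).
param(
    [Parameter(Mandatory=$true)][string]$CaName,
    [Parameter(Mandatory=$true)][string]$CaServer,
    [switch]$Delete   # without -Delete the script only reports what it would remove
)

# Public Key Services lives in the forest Configuration naming context.
$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNC"

# One entry per GUI step: container -> DN of the object that belongs to this CA.
$targets = @(
    @{ Step = 'AIA (step 5)';                       DN = "CN=$CaName,CN=AIA,$pks" },
    @{ Step = 'CDP (step 7)';                       DN = "CN=$CaServer,CN=CDP,$pks" },
    @{ Step = 'Certification Authorities (step 9)'; DN = "CN=$CaName,CN=Certification Authorities,$pks" },
    @{ Step = 'Enrollment Services (step 11)';      DN = "CN=$CaName,CN=Enrollment Services,$pks" }
)

foreach ($t in $targets) {
    $path = "LDAP://$($t.DN)"
    if (-not [ADSI]::Exists($path)) {
        Write-Host "MISSING       $($t.Step): $($t.DN)"
        continue
    }
    if ($Delete) {
        # The CDP container holds child objects, so the whole subtree is removed.
        ([ADSI]$path).DeleteTree()
        Write-Host "DELETED       $($t.Step): $($t.DN)"
    } else {
        Write-Host "WOULD DELETE  $($t.Step): $($t.DN)"
    }
}

# Steps 13 and 15 are forest-wide decisions: count the remaining Enterprise CAs
# (each has a pKIEnrollmentService object) and leave the objects for the operator.
$otherCAs = ([ADSI]"LDAP://CN=Enrollment Services,$pks").Children |
    Where-Object { $_.cn -ne $CaName }
Write-Host "Other Enterprise CAs still registered in the forest: $(@($otherCAs).Count)"
Write-Host "Certificate Templates and NTAuthCertificates were not touched; remove them"
Write-Host "by hand (steps 13 and 15) only if that count is 0 and no stand-alone CA exists."
```

Run it first without -Delete and compare the reported DNs with what you see in "Active Directory Sites and Services" before running it again with -Delete.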
 
 
Domain Controller Cleanup
 
Once the CA has been taken down, the certificates that have been issued to all the domain controllers need to be removed. This can be done quite easily using DSSTORE.EXE from the Resource Kit:
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;264178&sd=tech
 
 
You can also remove old domain controller certificates by using the "certutil" command:
 
1. At the command prompt on a domain controller, type:
 
      "certutil -dcinfo deleteBad"
 
2. Certutil.exe attempts to validate all the certificates issued to the domain controllers. Certificates that fail to validate are removed.
    At this point, you can reinstall Certificate Services. After the installation is finished, the new root certificate is published to Active Directory. When the domain clients refresh their security policy, they automatically download the new root certificate into their trusted root stores. To force application of the security policy:
 
3. At the command prompt, type:
 
    "gpupdate /target:computer"
 
Note: If the Enterprise Windows Certificate Authority issued computer or user certificates, or other types of certificates (Web Server certificates, etc.), it is recommended that you remove the old certificates before you reinstall the Enterprise Windows Certificate Authority.
 

MORE INFORMATION

PKI Enhancements in Windows XP Professional and Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
 
Windows Server 2003 PKI Operations Guide
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx

Properties

Article ID: 555151 - Last Review: June 29, 2004 - Revision: 1.0
APPLIES TO
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Exchange Server 2003 Enterprise Edition
Keywords: 
kbpubtypecca kbpubmvp kbhowto KB555151
COMMUNITY SOLUTIONS CONTENT DISCLAIMER
MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.
