Well, supposing the old CA is truly gone and lost... in this case I'd
look at purging the old CA enrollment endpoint info from AD (see the
technet article on migrating CA servers), setting up a new CA, and
superseding whatever certificate templates the old CA probably
published.

This is not a great place to be, as the certificate database is gone
(so there's no solid list of the already-issued certs), you can't
publish any new CRLs, etc., etc.  Things will start to fail several
months from now if the old CA has issued more certs than one can
retroactively take stock of and these have not been replaced.

I'd not suggest using the name of the old CA on its replacement; there
is no way to rebuild it if the CA key or certificate database are
lost.  Do not put it on a DC if you can help it.

DC certs are *mostly* used for LDAP/SSL, but might also be used for
smartcard login and other purposes.  You can learn the possible uses
by examining the template.

As always, it is a good idea to read Brian Komar's book--it makes
everything so much clearer.

--Steve
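As an added illustration of the cleanup and "examine the template" steps above (not code from the thread or its authors), the following PowerShell inventories the AD objects that still reference the dead CA and decodes the EKUs on the DomainController template. It assumes the ActiveDirectory RSAT module, read rights on the Configuration partition, and uses the thread's DC-SRV02 name as a placeholder pattern.

```powershell
# Added example: inventory AD CS publication points in AD that still point at
# the lost CA, and decode the EKUs on the DomainController template to see what
# its certificates were usable for. Assumes the ActiveDirectory module is
# installed; $DeadCaPattern is a placeholder (default CA names embed the host).
Import-Module ActiveDirectory

$DeadCaPattern = '*DC-SRV02*'   # host/CA name from the thread; adjust as needed
$pks = "CN=Public Key Services,CN=Services," + (Get-ADRootDSE).configurationNamingContext

# pKIEnrollmentService objects are how autoenrollment finds a CA. A stale one
# pointing at a dead host produces "failed to enroll ... from <host>" errors.
Get-ADObject -SearchBase "CN=Enrollment Services,$pks" -SearchScope OneLevel `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties dNSHostName, certificateTemplates |
  Select-Object Name, dNSHostName,
    @{ n = 'Stale';     e = { $_.dNSHostName -like $DeadCaPattern } },
    @{ n = 'Templates'; e = { $_.certificateTemplates -join ',' } }

# AIA and CDP also hold the old CA's certificate and CRL publication objects;
# list anything under them that matches, so the cleanup covers every reference.
foreach ($container in 'AIA', 'CDP') {
  Get-ADObject -SearchBase "CN=$container,$pks" -SearchScope Subtree `
      -LDAPFilter '(objectClass=*)' |
    Where-Object { $_.Name -like $DeadCaPattern } |
    Select-Object @{ n = 'Container'; e = { $container } }, DistinguishedName
}

# Friendly names for EKU OIDs commonly seen on DC-oriented templates.
$ekuNames = @{
  '1.3.6.1.5.5.7.3.1'      = 'Server Authentication (LDAP over SSL)'
  '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
  '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
  '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
}

# Examine the template: pKIExtendedKeyUsage lists what issued certs may do.
$template = Get-ADObject -Identity "CN=DomainController,CN=Certificate Templates,$pks" `
    -Properties pKIExtendedKeyUsage
foreach ($oid in $template.pKIExtendedKeyUsage) {
  $label = if ($ekuNames.ContainsKey($oid)) { $ekuNames[$oid] } else { 'unknown OID' }
  '{0,-26} {1}' -f $oid, $label
}
```

Run it from a domain-joined admin workstation before touching anything; the output is the list of objects the migration article tells you to clean up, plus the EKUs that tell you which services (LDAPS, smartcard logon, etc.) will be affected when the old certificates expire.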

On Tue, Dec 11, 2012 at 4:49 PM, David Lum <david....@nwea.org> wrote:
> Recap: 2003 DC (DC-SRV02) that was also a CA died a few days ago. Today I
> stood up a new (2008 R2 ,2nd one in this domain) DC and it is getting these
> errors: “Certificate enrollment for Local system failed to enroll for a
> DomainController certificate with request ID N/A from DC-SRV02”.
>
> Is there any way to stand up a new CA and have the DC get a domain
> controller cert from that? I’m thinking I’d like to separate the CA from the
> DC functions. Is my only recourse to re-create the old CA server? This
> environment is inherited, but I don’t recall in SMB environments with
> multiple DC’s ever installing a certificate authority in the first place.
> Part of it is I don’t fully know what Domain Controller certificates are
> used for.
>
> David Lum
> Sr. Systems Engineer // NWEA™
> Office 503.548.5229 // Cell (voice/text) 503.267.9764