Well, supposing the old CA is truly gone and lost... in this case I'd look at purging the old CA enrollment endpoint info from AD (see the TechNet article on migrating CA servers), setting up a new CA, and superseding whatever certificate templates the old CA probably published.
This is not a great place to be, as the certificate database is gone (so there's no solid list of the already-issued certs), you can't publish any new CRLs, etc., etc. Things will start to fail several months from now if the old CA has issued more certs than one can retroactively take stock of and these have not been replaced.

I'd not suggest using the name of the old CA on its replacement; there is no way to rebuild it if the CA key or certificate database are lost.

Do not put it on a DC if you can help it. DC certs are *mostly* used for LDAP/SSL, but might also be used for smartcard login and other purposes. You can learn the possible uses by examining the template.

As always, it is a good idea to read Brian Komar's book--it makes everything so much clearer.

--Steve

On Tue, Dec 11, 2012 at 4:49 PM, David Lum <david....@nwea.org> wrote:
> Recap: 2003 DC (DC-SRV02) that was also a CA died a few days ago. Today I
> stood up a new (2008 R2, 2nd one in this domain) DC and it is getting these
> errors: "Certificate enrollment for Local system failed to enroll for a
> DomainController certificate with request ID N/A from DC-SRV02".
>
> Is there any way to stand up a new CA and have the DC get a domain
> controller cert from that? I'm thinking I'd like to separate the CA from the
> DC functions. Is my only recourse to re-create the old CA server? This
> environment is inherited, but I don't recall in SMB environments with
> multiple DCs ever installing a certificate authority in the first place.
> Part of it is I don't fully know what Domain Controller certificates are
> used for.
>
> David Lum
> Sr. Systems Engineer // NWEA
> Office 503.548.5229 // Cell (voice/text) 503.267.9764
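As an added example (not from this thread or its author), a PowerShell inventory covering the two checks Steve describes: list the enrollment-service objects AD still publishes to autoenrolling clients, and find certificates the old CA issued that remain in the local machine store, with their template, EKUs and expiry, so they can be replaced before they lapse. It assumes RSAT's ActiveDirectory module, an elevated shell, and a placeholder for the dead CA's common name.

```powershell
# Added example, not code from the thread. Inventories what a dead CA left behind:
# 1) its enrollment-service object still advertised in AD,
# 2) certificates it issued that are still in this machine's store.
# Assumes the ActiveDirectory module (RSAT) and an elevated shell.
param(
    [string]$OldCaName = 'OLD-CA-NAME'   # placeholder: CN of the dead CA (hypothetical value)
)
Import-Module ActiveDirectory

# 1) Enrollment services AD still publishes; a dead CA listed here keeps
#    autoenrollment pointed at a server that will never answer.
$configNc    = (Get-ADRootDSE).configurationNamingContext
$esContainer = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
Write-Host "Enrollment services published in AD:"
Get-ADObject -SearchBase $esContainer -Filter 'objectClass -eq "pKIEnrollmentService"' `
    -Properties dNSHostName, certificateTemplates |
    Select-Object Name, dNSHostName, @{n='Templates'; e={ $_.certificateTemplates -join ',' }} |
    Format-Table -AutoSize

# 2) Certificates in LocalMachine\My whose issuer is the old CA. The template is
#    read from the V1 (1.3.6.1.4.1.311.20.2) or V2 (1.3.6.1.4.1.311.21.7) extension.
$templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')
$issued = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "CN=$OldCaName*" } |
    ForEach-Object {
        $tpl = $_.Extensions |
               Where-Object { $templateOids -contains $_.Oid.Value } |
               ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Subject    = $_.Subject
            Template   = ($tpl -join '; ')
            EKU        = ($_.EnhancedKeyUsageList.FriendlyName -join ', ')
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint
        }
    }
Write-Host "`nCertificates issued by $OldCaName still in LocalMachine\My (soonest expiry first):"
$issued | Sort-Object NotAfter | Format-Table -AutoSize
```

Run it on each DC (and any member server that autoenrolled) to build the list of certificates the lost database can no longer give you.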