Will removal of Enterprise CA break AD replication between sites?

    Question

  • Hello.

    I have an AD environment that has a CA on a failing Domain Controller. This server is scheduled for decommission and is running a CA for the domain. This server has issued certificates to the domain controllers from the Domain Controllers template.

    I have no other use for this CA other than for Domain Replication. Based on this I want to remove the CA role completely from the domain.

    If I follow this procedure:

    http://support.microsoft.com/kb/889250

    Will the domain replication break or still be in operation?

    Regards

    Tommy Rasmussen

    Monday, May 12, 2014 6:04 PM

Answers

  • The Domain Controller certificate template will only be used for replication among DCs if SMTP is used as the replication protocol, as described in this technet page. Even if possible, SMTP-based replication has serious drawbacks as indicated here and most likely you don't have this implemented (best to check in AD Sites and Services though that you're using RPC over IP).
    Monday, May 12, 2014 7:57 PM
  • If you require certificates for AD e-mail replication I would not recommend this procedure as all certificates would be revoked following this checklist (step 1). If you decommission a PKI but want its certificates to remain valid you would not revoke the certificates but only create the long-lived CRL (steps 2 and 3). And you would need to make sure that new DCs get new certificates.

    Are you really using AD *e-mail* replication? I am just asking because I often see that DC certificates are deployed automatically but not actually used. Certificates are not required for default AD replication.

    Assuming that certificates are required now (and will be required in the future) I would recommend instead:

    Option 1 - new PKI before retiring the old one.

    Configure a replacement PKI, make sure that the DC replication template is published at this CA, make all DCs get renewed certificates from the new CA, then decommission the old one.

    In principle, the existing CA could also be migrated to a new server with another name, but handling the CDP and AIA URLs gets a bit messy if the default names have been used when setting up this CA (as these point to the existing server or an LDAP object that has the same name as the existing server). So if the CA is only used for issuing DC certificates, I would rather create a new one.

    Option 2 - new PKI after retiring the old one.

    This would be an option if you don't plan to add new DCs soon:

    Make sure all DCs have valid certificates issued by the existing PKI. Issue the long-lived CRL but don't revoke the certificates. Uninstall the CA service - the objects required to validate certificates will remain in AD. Details may depend on customizations of the CDP and AIA URLs. If you used the default settings you might also have an HTTP URL pointing to the CA server itself - so the DNS record would need to point to a replacement server holding the CRL and CRT files.

    This would work as long as you don't need new certificates - thus as long as the existing ones are still valid and you don't join new DCs to the domain. So you should perhaps set up another CA in the next months.

    Elke

    Monday, May 12, 2014 8:02 PM
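The checks both answers ask for, collected into one added PowerShell example (this is not code from the thread or from Microsoft): whether any SMTP inter-site replication links exist, which certificates on the DCs were issued by the CA being retired and from which template, how long those certificates remain valid (the condition Option 2 depends on), and which CDP/AIA locations the DCs will keep querying after the CA service is uninstalled. It assumes the ActiveDirectory RSAT module, PowerShell remoting to the DCs, a user with read access to the Configuration partition, and the placeholder `$OldCaName` for the CA's common name as it appears in the certificate Issuer field.

```powershell
# Added example, not part of the original thread. Pre-decommission checks for an
# Enterprise CA that issued Domain Controller certificates.
# Assumptions: ActiveDirectory module available, WinRM to all DCs, read access to
# the Configuration NC. $OldCaName is a placeholder for the CA's common name.
param(
    [string]$OldCaName = 'OLD-CA-NAME-PLACEHOLDER'
)
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Is SMTP inter-site replication configured at all?
#    SMTP site links live under CN=SMTP,CN=Inter-Site Transports; the container
#    exists by default but is empty unless someone created SMTP links.
$smtpLinks = Get-ADObject -LDAPFilter '(objectClass=siteLink)' `
    -SearchBase "CN=SMTP,CN=Inter-Site Transports,CN=Sites,$configNC" `
    -ErrorAction SilentlyContinue
if ($smtpLinks) {
    "SMTP site links found: $($smtpLinks.Name -join ', ') -> DC certificates are required for that replication"
} else {
    "No SMTP site links; inter-site replication uses RPC over IP, which does not need DC certificates"
}

# 2. Inventory certificates issued by the old CA on every DC.
#    1.3.6.1.4.1.311.20.2 = "Certificate Template Name" (used by v1 templates such as DomainController)
#    2.5.29.31            = CRL Distribution Points
#    1.3.6.1.5.5.7.1.1    = Authority Information Access
$templateOid = '1.3.6.1.4.1.311.20.2'
$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ArgumentList $OldCaName, $templateOid -ScriptBlock {
    param($caName, $tplOid)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*CN=$caName*" } |
        ForEach-Object {
            $cert   = $_
            $tplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $tplOid }
            $cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
            $aiaExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
            [pscustomobject]@{
                DC         = $env:COMPUTERNAME
                Template   = $(if ($tplExt) { $tplExt.Format($false) } else { '(none)' })
                NotAfter   = $cert.NotAfter
                DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
                Thumbprint = $cert.Thumbprint
                CDP        = $(if ($cdpExt) { $cdpExt.Format($false) } else { '' })
                AIA        = $(if ($aiaExt) { $aiaExt.Format($false) } else { '' })
            }
        }
}

"Certificates issued by '$OldCaName' on the DCs (soonest expiry first):"
$report | Sort-Object DaysLeft | Format-Table DC, Template, NotAfter, DaysLeft, Thumbprint -AutoSize

# A DC with no certificate from the old CA cannot be covered by Option 2 at all.
$missing = $dcs | Where-Object { ($_ -split '\.')[0] -notin $report.DC }
if ($missing) { "DCs without a certificate from the old CA: $($missing -join ', ')" }

# 3. The CDP/AIA locations embedded in those certificates must stay reachable
#    (a replacement host for the HTTP URL, the LDAP objects left in AD) until the
#    last certificate expires; the long-lived CRL has to be published there.
$urls = $report | ForEach-Object { $_.CDP + ' ' + $_.AIA } |
    Select-String -Pattern '(https?|ldap)://[^\s,)]+' -AllMatches |
    ForEach-Object { $_.Matches.Value } | Sort-Object -Unique
"Locations the DCs will still query after the CA service is uninstalled:"
$urls
```

Run it once before touching the CA: if the first check reports no SMTP links and the inventory shows only DomainController-template certificates, the certificates are not carrying replication and the first answer applies. If SMTP links exist, the DaysLeft column tells you how long Option 2 buys you, and the URL list is what has to remain resolvable and serve the long-lived CRL during that window.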
