
Remove Failed Enterprise CA from AD?

Status
Not open for further replies.

ADB100

Technical User
Mar 25, 2003
2,399
GB
I have an old (old..) server running 2003 R2 as a Member Server that is an Enterprise CA for a domain. The server is so old it has eventually died and I don't have a backup - I know, I know, it should have been backed up and then I wouldn't have been in this situation, however it wasn't and I am :eek:(

I have other hardware (or a VM) that I can create another Enterprise CA on and I know how to do this (the install that is). The problem is I can't de-install the old server as it has died so I can't uninstall Certificate Services from it, which I assume will do other stuff to remove it from AD as well?
I have searched and found some guides on how to decommission a CA from AD, however I need to do this without access to the original server. Does anyone have a guide or any tips on how to remove everything from AD? There are only a handful of servers/workstations in this domain so manually removing certificates won't be a big job.

Thanks

Andy
 
In the doc, there is:
The Certutil.exe utility
The Windows Server 2003 version of the Certutil.exe utility can be used to remove both Windows Server 2003 and Windows 2000 CAs from Active Directory. To remove a CA from Active Directory, type the following at a command prompt:
certutil -dsdel CA Name
In this example, the CA name is Windows2000 Enterprise Root CA. Therefore, the command line in this example is the following:
certutil -dsdel "Windows2000 Enterprise Root CA"

Will this work? I wonder. Anybody confirm?
 
Since this is only a small domain I bit the bullet and had a play around earlier. I hadn't actually seen the replies but managed to follow a similar approach to KB555151. The new CA is now in place and I have manually removed all the auto-enrolled Machine & User certificates. I also have SCEP running and a few Cisco routers, PIX firewalls and APs to enroll for new certificates.
One thing I haven't done is rebooted the DC, however it looks OK.

Thanks for the replies

Andy
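
Added example, not part of any post in this thread or of the KB article: a read-only PowerShell inventory of the objects a dead Enterprise CA leaves under the Public Key Services container, so you can see what the cleanup has to touch before running anything like certutil -dsdel. The CA name is the sample one quoted above, and the script assumes the objects' cn matches the CA name, which may not hold for long or unusual names that AD CS sanitizes.

```powershell
# Added example: read-only inventory, deletes nothing.
# $CaName is a placeholder (the sample name quoted in the thread); use your own.
$CaName = 'Windows2000 Enterprise Root CA'

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape the characters that are reserved inside an LDAP filter value.
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        if ('\*()'.IndexOf($ch) -ge 0 -or [int]$ch -eq 0) {
            [void]$sb.AppendFormat('\{0:x2}', [int]$ch)
        } else {
            [void]$sb.Append($ch)
        }
    }
    $sb.ToString()
}

# The PKI objects live in the forest-wide Configuration partition.
$rootDse = [ADSI]'LDAP://RootDSE'
$pkiBase = "CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$pkiBase"
$searcher.SearchScope = 'Subtree'   # covers AIA, CDP, Certification Authorities,
$searcher.PageSize    = 500         # Enrollment Services and KRA
$searcher.Filter      = "(cn=$(ConvertTo-LdapFilterValue $CaName))"
$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedname', 'objectclass'))

foreach ($r in $searcher.FindAll()) {
    $classes = $r.Properties['objectclass']
    New-Object PSObject -Property @{
        Class = $classes[$classes.Count - 1]   # most specific class is last
        DN    = [string]$r.Properties['distinguishedname'][0]
    }
}

# NTAuthCertificates is a single shared object; the old CA's certificate is one
# value of its cACertificate attribute, so the name search above does not find it.
$ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,$pkiBase"
foreach ($raw in $ntAuth.psbase.Properties['cACertificate']) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$raw)
    New-Object PSObject -Property @{
        Class = 'NTAuth entry'
        DN    = "$($cert.Subject) [$($cert.Thumbprint)] expires $($cert.NotAfter)"
    }
}
```

Run it from a domain-joined machine; any account that can read the Configuration partition is enough because nothing is modified.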
 