Question about domain certificates

All - sorry for the long post,

I am getting ready to replace some old DCs with new ones. I will do the demotion/promotion, but my question concerns certificates. I have 2 domain controllers and those will be replaced by 2 new ones. I have certificates from the old servers that I have used in my internal domain, and one was the CA.

If these are removed from the domain, will the certificates continue to function properly on the servers? I assume that once the certificates have been issued, there really isn't any kind of verification with the DCs/CA - is this correct?

I use these certificates for internal websites that I need to encrypt using SSL, and if I remember correctly, I may have deployed one to our OWA and ISA server for internal communication (the outside connection for ISA has a purchased certificate).

I actually went to install Certificate Services on one of the new domain controllers and I have some additional concerns. When I go to install Certificate Services on the new domain controller, I get the following message:

"After installing Certificate Services, the machine name and domain membership may not be changed due to the binding of the machine name to CA information stored in the Active Directory. Changing the machine name or domain membership would invalidate the certificates issued from the CA. Please ensure the proper machine name and domain membership are configured before installing Certificate Services. Do you want to continue?"

This seems to suggest that demoting or removing the old DC would invalidate those certificates. The continued functionality of those certificates is critical to our daily operations, so I must be sure that they will continue to work.

Also, one of the old DCs is the root CA. I need to install Certificate Services on the new DCs so that they can take over for the old ones.

I get several options when I go to install that service on the new DC. I can install it as an Enterprise root CA or Enterprise subordinate CA. I don't think I want it to be a subordinate because when the old DC goes away, there will be no root.

Can you have more than one Enterprise root CA or just one? Thanks for any help.
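One thing worth checking before the old CA goes away: relying parties validate a certificate by building its chain and, when revocation checking is enabled, fetching the CRL or OCSP response from the URLs in the certificate's CRL Distribution Point (CDP) and Authority Information Access (AIA) extensions, so a certificate can stay valid on paper while validation breaks because the server those URLs point at no longer exists. The PowerShell below is an added example, not from the original post; it inventories the local machine's Personal store, lists the CDP/AIA URLs in each certificate, builds each chain with online revocation checking, and flags certificates whose URLs name the CA host being retired. $OldCaHost is a placeholder to replace with the real hostname.

```powershell
# Added example (not from the original post): find certificates whose
# revocation or issuer-lookup URLs still depend on the CA server being retired.
param(
    [string]$OldCaHost = 'OLD-DC-CA'   # placeholder, replace with the old CA's hostname
)

$cdpOid = '2.5.29.31'            # CRL Distribution Points extension
$aiaOid = '1.3.6.1.5.5.7.1.1'    # Authority Information Access (CA issuers / OCSP)

function Get-ExtensionUrls {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as multi-line text; each URL shows up as "URL=..."
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $urls = @(Get-ExtensionUrls -Cert $cert -Oid $cdpOid) +
            @(Get-ExtensionUrls -Cert $cert -Oid $aiaOid)
    $referencesOldCa = $urls | Where-Object { $_ -match [regex]::Escape($OldCaHost) }

    # Build the chain the way a relying party would, with online revocation checking,
    # so a CRL that can no longer be fetched shows up as a chain status error.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $builds = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        NotAfter        = $cert.NotAfter
        ChainBuilds     = $builds
        ChainStatus     = if ($status) { $status } else { 'NoError' }
        CdpAiaUrls      = ($urls -join '; ')
        ReferencesOldCa = [bool]$referencesOldCa
    }
}
```

Any row with ReferencesOldCa set to True, or a ChainStatus such as RevocationStatusUnknown or OfflineRevocation, is a certificate that should be reissued from the new CA before the old server is demoted.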

