Certificate Authority Server Gone

Guest

We have a Windows 2000 Active Directory with 3 DCs.
A while back the DCs were replaced, all of the FSMOs were moved to the new
DCs and the 2 DCs were removed.
In the event logs we get an Event ID 1010 "Automatic enrollment against the
certification authority "MY_DOMAIN_NAME" for a certificate of type
DomainController has failed."
I am assuming that the Certificate for our domain was not moved before the DCs
were taken offline. Is this something that needs to be addressed?
Can we create a new one without any impact to our Active Directory?
Thanks
 
Paul Bergson

Did you ever have a (Certificate Authority) CA in your domain? One isn't
needed but I believe (going on memory) that once a CA is introduced into your
AD, AD no longer generates them but looks to get them from the CA.

http://support.microsoft.com/default.aspx?scid=kb;en-us;231182

http://support.microsoft.com/default.aspx?scid=kb;en-us;298138#toc

If you are missing your CA and you can re-introduce it, you can manually
re-request it for your DC. Just go into the local computer certificates mmc
and re-request.
 
Guest

This was installed before I arrived; the people who did this no longer work
here. There was definitely a Certificate Server set up on the old DC but I'm
not sure what they were going to use it for. But we noticed it because of the
errors in our event log.
We would like to upgrade to Windows 2003 but am not sure we can without the
CA, or if we tried what the impact would be. The person I work with suggested
creating a new AD domain then migrating everything and everyone to that new
domain since we have "lost" the CA but I'm hoping to avoid something like
that.
Is AD dependent on the CA or is there a way to find out if it is?
Thanks for your help.
 
Paul Bergson

I ran into a similar problem but it was in a test domain and I just built
the CA from production. You are in a different boat completely.

For starters I would review this, I THINK (Read think) this will do it for
you. Also read the last line of this note "AS IS." This is a point where
you should give contacting PSS a thought if you at all are concerned on
dorking up your AD.

http://support.microsoft.com/default.aspx?scid=kb;en-us;889250

--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
