Sign in with
Sign up | Sign in
Your question

Certificate Authority Server Gone

Last response: in Windows 2000/NT
Share
February 28, 2005 8:29:02 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

We have a Windows 2000 Active Directory with 3 DCs.
A while back the DCs were replaced, all of the FSMOs were moved to the new
DCs and the 2 DCs were removed.
In the event logs we get an Event ID 1010 "Automatic enrollment against the
certification authority "MY_DOMAIN_NAME" for a certificate of type
DomainController has failed. "
I assuming that the Certificate for our domain was not moved before the DCs
were taken offline. Is this something that needs to be addressed?
Can we create a new one without any impact to our Active Directory?
Thanks
Anonymous
March 2, 2005 11:00:51 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Did you ever have a (Certificate Authority) CA in your domain? One isn't
needed but believe (Going on memory) that once a CA is introduced into your
AD, AD know longer generates them but looks to get them from the CA.

http://support.microsoft.com/default.aspx?scid=kb;en-us;231182

http://support.microsoft.com/default.aspx?scid=kb;en-us;298138#toc

If you are missing your CA and you can re-introduce it, you can manually
re-request it for your DC. Just go into the local computer certificates mmc
and re-request.

--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.



"John" <John@discussions.microsoft.com> wrote in message
news:6BCF0FEE-701B-4A49-A3D0-EFBB1290E87A@microsoft.com...
> We have a Windows 2000 Active Directory with 3 DCs.
> A while back the DCs were replaced, all of the FSMOs were moved to the new
> DCs and the 2 DCs were removed.
> In the event logs we get an Event ID 1010 "Automatic enrollment against
the
> certification authority "MY_DOMAIN_NAME" for a certificate of type
> DomainController has failed. "
> I assuming that the Certificate for our domain was not moved before the
DCs
> were taken offline. Is this something that needs to be addressed?
> Can we create a new one without any impact to our Active Directory?
> Thanks
March 2, 2005 8:01:02 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

This was installed before I arrived, the people who did this no longer work
here. There was definaltely a Certificate Server setup on the old DC but I'm
not sure what they were going to use it for. But we noticed it because of the
errors in our event log.
We would like to upgrade to Windows 2003 but am not sure we can without the
CA, or if we tried what the impact would be. The person i work with suggested
creating a new AD domain then migrating everything and everyone to that new
domain since we have "lost" the CA but I'm hoping to avoid something like
that.
Is AD dependent on the CA or is there a way to find out if it is?
Thanks for your help.

"Paul Bergson" wrote:

> Did you ever have a (Certificate Authority) CA in your domain? One isn't
> needed but believe (Going on memory) that once a CA is introduced into your
> AD, AD know longer generates them but looks to get them from the CA.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;231182
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;298138#toc
>
> If you are missing your CA and you can re-introduce it, you can manually
> re-request it for your DC. Just go into the local computer certificates mmc
> and re-request.
>
> --
>
> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>
> "John" <John@discussions.microsoft.com> wrote in message
> news:6BCF0FEE-701B-4A49-A3D0-EFBB1290E87A@microsoft.com...
> > We have a Windows 2000 Active Directory with 3 DCs.
> > A while back the DCs were replaced, all of the FSMOs were moved to the new
> > DCs and the 2 DCs were removed.
> > In the event logs we get an Event ID 1010 "Automatic enrollment against
> the
> > certification authority "MY_DOMAIN_NAME" for a certificate of type
> > DomainController has failed. "
> > I assuming that the Certificate for our domain was not moved before the
> DCs
> > were taken offline. Is this something that needs to be addressed?
> > Can we create a new one without any impact to our Active Directory?
> > Thanks
>
>
>
Anonymous
March 3, 2005 3:04:45 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I ran into a similar problem but it was in a test domain and I just built
the CA from production. You are in a different boat completely.

For starters I would review this, I THINK (Read think) this will do it for
you. Also read the last line of this note "AS IS." This is a point where
you should give contacting PSS a thought if you at all are concerned on
dorking up your AD.

http://support.microsoft.com/default.aspx?scid=kb;en-us;889250

--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.



"John" <John@discussions.microsoft.com> wrote in message
news:86B42ED8-BD6F-4428-BA90-9FD7B2350DF8@microsoft.com...
> This was installed before I arrived, the people who did this no longer
work
> here. There was definaltely a Certificate Server setup on the old DC but
I'm
> not sure what they were going to use it for. But we noticed it because of
the
> errors in our event log.
> We would like to upgrade to Windows 2003 but am not sure we can without
the
> CA, or if we tried what the impact would be. The person i work with
suggested
> creating a new AD domain then migrating everything and everyone to that
new
> domain since we have "lost" the CA but I'm hoping to avoid something like
> that.
> Is AD dependent on the CA or is there a way to find out if it is?
> Thanks for your help.
>
> "Paul Bergson" wrote:
>
> > Did you ever have a (Certificate Authority) CA in your domain? One
isn't
> > needed but believe (Going on memory) that once a CA is introduced into
your
> > AD, AD know longer generates them but looks to get them from the CA.
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;231182
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;298138#toc
> >
> > If you are missing your CA and you can re-introduce it, you can manually
> > re-request it for your DC. Just go into the local computer certificates
mmc
> > and re-request.
> >
> > --
> >
> > Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
> >
> > This posting is provided "AS IS" with no warranties, and confers no
rights.
> >
> >
> >
> > "John" <John@discussions.microsoft.com> wrote in message
> > news:6BCF0FEE-701B-4A49-A3D0-EFBB1290E87A@microsoft.com...
> > > We have a Windows 2000 Active Directory with 3 DCs.
> > > A while back the DCs were replaced, all of the FSMOs were moved to the
new
> > > DCs and the 2 DCs were removed.
> > > In the event logs we get an Event ID 1010 "Automatic enrollment
against
> > the
> > > certification authority "MY_DOMAIN_NAME" for a certificate of type
> > > DomainController has failed. "
> > > I assuming that the Certificate for our domain was not moved before
the
> > DCs
> > > were taken offline. Is this something that needs to be addressed?
> > > Can we create a new one without any impact to our Active Directory?
> > > Thanks
> >
> >
> >
!