Certificate Authority Server Gone

Archived from groups: microsoft.public.win2000.active_directory

We have a Windows 2000 Active Directory with 3 DCs.
A while back the DCs were replaced, all of the FSMOs were moved to the new
DCs and the 2 DCs were removed.
In the event logs we get an Event ID 1010 "Automatic enrollment against the
certification authority "MY_DOMAIN_NAME" for a certificate of type
DomainController has failed. "
I am assuming that the Certificate for our domain was not moved before the DCs
were taken offline. Is this something that needs to be addressed?
Can we create a new one without any impact to our Active Directory?
Thanks
  1. Archived from groups: microsoft.public.win2000.active_directory

    Did you ever have a (Certificate Authority) CA in your domain? One isn't
    needed but I believe (going on memory) that once a CA is introduced into your
    AD, AD no longer generates them but looks to get them from the CA.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;231182

    http://support.microsoft.com/default.aspx?scid=kb;en-us;298138#toc

    If you are missing your CA and you can re-introduce it, you can manually
    re-request it for your DC. Just go into the local computer certificates mmc
    and re-request.

    --

    Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

    This posting is provided "AS IS" with no warranties, and confers no rights.


  2. Archived from groups: microsoft.public.win2000.active_directory

    This was installed before I arrived, the people who did this no longer work
    here. There was definitely a Certificate Server set up on the old DC but I'm
    not sure what they were going to use it for. But we noticed it because of the
    errors in our event log.
    We would like to upgrade to Windows 2003 but I am not sure we can without the
    CA, or if we tried what the impact would be. The person I work with suggested
    creating a new AD domain then migrating everything and everyone to that new
    domain since we have "lost" the CA but I'm hoping to avoid something like
    that.
    Is AD dependent on the CA or is there a way to find out if it is?
    Thanks for your help.

  3. Archived from groups: microsoft.public.win2000.active_directory

    I ran into a similar problem but it was in a test domain and I just built
    the CA from production. You are in a different boat completely.

    For starters I would review this; I THINK (read: think) this will do it for
    you. Also read the last line of this note, "AS IS." This is a point where
    you should give contacting PSS a thought if you are at all concerned about
    dorking up your AD.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;889250

    --

    Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

    This posting is provided "AS IS" with no warranties, and confers no rights.


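
On the question raised in the thread of how to find out whether AD still references the lost CA: the following is an added example, not part of the original posts or of the linked KB articles. It is a read-only query of the forest's Enrollment Services container, and it assumes a domain-joined admin workstation with PowerShell 3.0 or later and rights to read the Configuration partition.

```powershell
# Added example (read-only): list the enterprise CAs that Active Directory
# still advertises and flag any whose host no longer resolves in DNS.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.Properties['configurationNamingContext'].Value

# Each enterprise CA publishes one pKIEnrollmentService object in this container.
$base = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]$base
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
$searcher.Filter      = '(objectClass=pKIEnrollmentService)'
foreach ($attr in 'cn', 'dNSHostName', 'certificateTemplates') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$results = $searcher.FindAll()
try {
    foreach ($entry in $results) {
        $p = $entry.Properties          # keys are lower-cased in search results

        # dNSHostName names the server the CA was installed on.
        $caHost = ''
        if ($p.Contains('dnshostname')) { $caHost = [string]$p['dnshostname'][0] }

        # A host that no longer resolves points to a CA object left behind
        # when the server was removed.
        $resolves = $false
        if ($caHost) {
            try   { [void][System.Net.Dns]::GetHostAddresses($caHost); $resolves = $true }
            catch { $resolves = $false }
        }

        # certificateTemplates lists the templates this CA is published as issuing.
        $templates = @($p['certificatetemplates'])

        [pscustomobject]@{
            CAName                  = [string]$p['cn'][0]
            Host                    = $caHost
            HostResolves            = $resolves
            OffersDomainController  = ($templates -contains 'DomainController')
        }
    }
}
finally {
    $results.Dispose()                  # release the unmanaged search handle
}
```

A row with `HostResolves` set to `False` and `OffersDomainController` set to `True` matches the symptom in the question: DCs still find the CA object in AD and attempt autoenrollment against a server that no longer exists.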