
I have inherited this system and I am looking at decommissioning this Server 2008 R2 Domain Controller/ADCS server. This role (ADCS) was never actively used by anyone. I believe, just because it was installed, that the member domain controllers have used it to create certificates. I have revoked all of the certificates that have expired under the "Issued Certificates" folder of the CA. There are 4 active certs here, one for each DC under the template "Domain Controller (DomainController)" and one for the CA under "CA Exchange (CAExchange)".

I have the private key backed up and I have the "ADCS Database" backed up to a folder. I have full image backups of this server as well. I am looking to uninstall the ADCS service and dcpromo this server, but I don't have a lot of experience and understanding on this to know if it is safe. I am using this removal guide but just want to ask the community if I have anything to worry about by revoking the DC and CA certs that are listed and following through with the removal of the ADCS role.

darraisa

1 Answer


There is nothing to add: just do it. The CA seems to be unused, so there are no implications in removing it according to the referenced guide.

Crypt32
  • So those certificates that the current DCs grabbed on to I don't really have to worry about. They'll use them until they expire and then just create new ones? – darraisa Mar 02 '21 at 02:28
  • DCs always grab their certificates, but they are actually used in two cases: smart card logon (not in use in your environment) and LDAPS (LDAP over SSL), which is unlikely to be used either. – Crypt32 Mar 02 '21 at 07:34
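
A pre-removal check for the two things this thread relies on, that nothing else enrolled against the CA and that no client is using LDAPS on the DCs. This is an added example, not part of the question, answer or the referenced guide; `<CA-COMMON-NAME>` is a placeholder for the CA's common name.

```powershell
# Added example; run in an elevated PowerShell session.
# Assumption: the placeholder below stands for the common name of the CA being removed.
$CaName = '<CA-COMMON-NAME>'

# --- On the CA itself: list every certificate still in the "issued" state ---
# Disposition 20 = issued (revoked requests are 21). Anything beyond the DC and
# CA Exchange certificates means something else enrolled against this CA.
certutil -view -restrict "Disposition=20" `
    -out "RequestID,RequesterName,CommonName,NotAfter,CertificateTemplate"

# --- On each domain controller: certificates in the machine store from this CA ---
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*CN=$CaName*" } |
    Select-Object Subject, NotAfter, Thumbprint |
    Format-List

# --- On each domain controller: is anything connected over LDAPS right now? ---
# 636 = LDAPS, 3269 = global catalog over SSL. This is a point-in-time snapshot,
# so repeat it during business hours before concluding LDAPS is unused.
$ldaps = netstat -ano |
    Select-String -Pattern ':(636|3269)\s+\S+\s+ESTABLISHED'

if ($ldaps) {
    Write-Warning 'Established LDAPS/GC-SSL sessions found; identify these clients first:'
    $ldaps | ForEach-Object { $_.Line.Trim() }
} else {
    Write-Output 'No established connections on 636/3269 at this moment.'
}
```

The netstat pattern only matches lines where 636 or 3269 is the local port, so outbound connections from the DC to other servers are not counted.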