The basic rundown is I didn't know what I was doing and I deleted a CA I stood up but couldn't get to work properly. I know, dumb. But that being said, not much I can do about it now. I went through and attempted to remove all parts of it from AD and DC, but the "DCOM was unable to communicate with the computer SUBCA.xxxxxxx.org using any of the configured protocols." error gets thrown a couple of times an hour. Some people have said to get it out of DNS, so I went in and removed it from there. They keep coming. I am fresh out of ideas. It is a 2008 R2 server virtual environment, which is why it was so easy to delete and mess it all up. It doesn't seem to be causing any issues besides cluttering up my event log. If anyone has any suggestions or ideas, let me know. Thanks!
- Which box is getting the error messages? You didn't explain that. Is it the DC, the old CA, etc.? – Brent Pabst Aug 09 '12 at 20:25
- I get the error on the event log on the DC and the old CA which was deleted is unable to be reached by the DCOM. Sorry if I didn't explain it correctly and thanks for your help. – Tim Murphy Aug 09 '12 at 21:21
1 Answer
First of all, if it's not causing issues... you might want to leave it alone, or get someone more experienced (or naive enough not to know it's a pain in the ass) to do it. It's a pain in the ass to do right, and you can do damage to AD if you mess up.
Having said that, this is the TechNet article on how to manually clean up a CA. It says 2000/2003 domain, but also works in a 2008 domain.

HopelessN00b
- Well, I have been working with my system engineer on it. He is very experienced but doesn't know what is causing the error. That is the article I used to clean up the CA. However, we are concerned about things to come. Usually Windows throws these errors for a good reason. Thanks for your help. – Tim Murphy Aug 10 '12 at 12:49
- @TimMurphy Well, it sure *can* cause issues, and I just did this less than a month ago because it was causing issues in our environment - the clients were trying to retrieve certs from a defunct CA, causing network timeouts and sporadic auth problems with our WPA2-enterprise setup. In our case, it was a heavily utilized CA for many years, hence the problems caused by its absence. In your case, it doesn't sound like the dead CA actually did anything before you put it out of its misery, so it probably won't cause you any problems to just leave it alone. – HopelessN00b Aug 10 '12 at 13:35
- Well, it may be causing issues. I am just not sure. I made the decision to move from a 2-tiered CA (the ones I deleted) to a single tier. The one I deleted did issue some certs (specifically made the DC a recovery agent and into AD). However, now with the single tier I have a bunch of issues with my EFS system on a file share. I am not totally sure they are related, but I would like to take this piece out of the equation. – Tim Murphy Aug 10 '12 at 14:44