Backstory

Long ago, an MSP:

  1. Originally set up Windows SBS 2003, which was probably the DC and root CA.
  2. Presumably much later, set up Windows Server 2008 R2 as a DC and decommissioned Windows SBS 2003, but didn't seem to do a thorough job because the computer account still existed, only the domain functional level was elevated, etc., and, apparently, the root CA wasn't migrated.

Long after, we took over the IT support and set up Windows Server 2016 as a second, additional DC.

Problem

On the Windows Server 2008 R2 DC, LDAPS fails to connect with error <0x51> and 81 seemingly because, according to MMC | Certificates (Local Computer):

  1. It doesn't have an AD CS-issued certificate installed.
  2. It doesn't have AD's root CA certificate installed (there is a root CA certificate installed but only on pre-existing servers and it's issued by and to <organisation name> CA, rather than the standard <NetBIOS domain name>-<CA hostname>-CA).

Question(s)

How can we replace the decommissioned Windows SBS 2003 root CA?

If I promote the Windows Server 2016 to an Enterprise Certificate Authority, what will happen to the current certificates? Will they continue to work because AD's old root CA certificates are still installed on each computer (in theory)?

mythofechelon
  • Don't install certificate services on a domain controller. If you only need secure LDAP for one server, acquire a certificate from a public certificate authority. – Greg Askew May 23 '17 at 12:28
  • The LDAPS error is what led me to discover that AD DS in general is broken. Also, would that work even though AD's DNS domain name doesn't use an Internet TLD? – mythofechelon May 23 '17 at 12:43
  • Some authorities have private CAs that can issue a certificate for non-public TLDs. http://www.symantec.com/private-ssl/ – Greg Askew May 23 '17 at 12:56
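The two conditions the question lists (no AD CS-issued server certificate on the DC, no trusted root for it) can be checked directly rather than read off the MMC. The script below is an added diagnostic, not from the original post or either commenter; it assumes it runs as an administrator on the DC with the ActiveDirectory module (RSAT) installed, and `$DcFqdn` is a placeholder for the DC's FQDN. It only inspects stores, AD's Enrollment Services container and the TLS handshake on 636; it changes nothing.

```powershell
# Added diagnostic (not from the original post): checks the conditions behind a
# failing LDAPS bind on a DC. Assumes: run as admin on the DC, RSAT AD module
# present, $DcFqdn is a placeholder for the DC's FQDN.
param([string]$DcFqdn = "$env:COMPUTERNAME.$env:USERDNSDOMAIN")
Import-Module ActiveDirectory

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU that LDAPS needs

# 1. Usable server-auth certificate with a private key in the Local Computer store?
$serverCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
}
if (-not $serverCerts) {
    Write-Warning 'No valid Server Authentication certificate with a private key in LocalMachine\My'
}
foreach ($c in $serverCerts) {
    "Candidate: Subject=$($c.Subject) Issuer=$($c.Issuer) Expires=$($c.NotAfter)"
    # 2. Does its chain build against the local Trusted Root store?
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust question only, not revocation
    if (-not $chain.Build($c)) {
        Write-Warning ("Chain does not build for {0}: {1}" -f $c.Thumbprint,
            (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '))
    }
}

# 3. Is any enterprise CA still published in AD's configuration partition?
$cfg = (Get-ADRootDSE).configurationNamingContext
$enrollBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg"
$cas = Get-ADObject -SearchBase $enrollBase -Filter { objectClass -eq 'pKIEnrollmentService' } -Properties dNSHostName
if (-not $cas) { Write-Warning 'No pKIEnrollmentService object: no enterprise CA is published in AD' }
else { $cas | ForEach-Object { "Published CA: $($_.Name) on $($_.dNSHostName)" } }

# 4. What does the DC actually present on TCP/636? Handshake only, no bind.
# Validation is bypassed here on purpose so the presented cert is reported even when untrusted.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($DcFqdn, 636)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
    $ssl.AuthenticateAsClient($DcFqdn)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "LDAPS presented: Subject=$($remote.Subject) Issuer=$($remote.Issuer) Expires=$($remote.NotAfter)"
} catch {
    Write-Warning "TLS handshake on ${DcFqdn}:636 failed: $($_.Exception.Message)"
} finally { $tcp.Close() }
```

A DC in the state the question describes reports warnings from steps 1 and 4 and, if the old CA was never unpublished, a stale entry from step 3 pointing at the decommissioned SBS host.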

1 Answer

I did so and there were no problems.

mythofechelon