Is it possible to cleanly decommission Windows CA?
So, I have a pain point I am currently dealing with. I joined the company I am with after the AD environment had already been established. There was a fair amount of turnover before I joined, and part of that was that the previous System Admins were not thorough with documentation and they did things on a whim. On top of that, when I joined, the PDC was also a CA that, as far as I could tell, was not actively being used by any systems other than the DCs to issue certs. The running theory is that the previous system admins were planning to use the CA to do 802.1x-type security for Wifi and VPN but never got around to completing the setup.
Obviously, it was not great that they installed the CA role onto the PDC. But I have since corrected that. I was able to extract the CA role and migrate it to a different server, and I can see that it is able to issue certs to the DCs. (Looks like it has only issued Kerberos Authentication, DC Authentication, and Directory Email Replication certs since being migrated, and only on DCs.) However, I don’t want the CA role around at all because it is one more server we have to maintain and we are not using it in any meaningful way.
I know there is documentation on how to actually decommission a CA from the network (How to decommission a Windows enterprise certification authority and remove all related objects), but my question is: should/can I decommission it? Throughout my career, every time I have talked to another System Admin or gone through any training, I have always heard that I need to be extremely careful when deciding to add a CA role to a Windows network, because once it is established and issuing certs, it becomes next to impossible to fully/safely remove. Is that the case? Has anyone successfully removed a CA from their Windows domain without breaking everything?
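The practical first step before answering "can I remove it" is a read-only inventory of what the CA has actually issued and where the domain still references it: the CA database, the PKI objects under the Configuration partition (which the linked Microsoft article has you delete), the NTAuthCertificates store, and the DCs' own machine certificate stores. The PowerShell below is an added example, not part of the original post and not Microsoft's decommissioning procedure; the CA config string "pki01.corp.example\CORP-ISSUING-CA" is a hypothetical placeholder to replace with your own "host\CA name". It needs the RSAT ActiveDirectory module, certutil, read access to the CA database, and remoting rights on the DCs. It changes nothing.

```powershell
# Added example (not from the original post): read-only inventory to run before
# deciding whether an enterprise CA can be decommissioned. Nothing here modifies
# the CA, AD or any DC; it only reads.
# Assumption (hypothetical): the CA config string below. Replace with "host\CA name".
param(
    [string]$CAConfig = "pki01.corp.example\CORP-ISSUING-CA"
)
$caName = $CAConfig.Split('\')[-1]

# 1. What has the CA issued, and to whom?
#    Disposition 20 = issued certificate. certutil prints a quoted CSV plus a trailer
#    line; keep only rows that start with a quoted numeric Request ID, then name the
#    columns positionally so certutil's display headers do not matter.
$issued = certutil -config $CAConfig -view -restrict "Disposition=20" `
              -out "RequestID,RequesterName,CertificateTemplate,NotBefore,NotAfter" csv |
          Where-Object { $_ -match '^"\d' } |
          ConvertFrom-Csv -Header RequestID, Requester, Template, NotBefore, NotAfter

"--- Issued certificates by template and requester (CA: $caName) ---"
$issued | Group-Object Template, Requester |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

"--- Issued certificates that are still within their validity period ---"
$issued | Where-Object { [datetime]$_.NotAfter -gt (Get-Date) } |
    Sort-Object { [datetime]$_.NotAfter } |
    Format-Table RequestID, Requester, Template, NotAfter -AutoSize

# 2. AD objects that reference this CA. These live under Public Key Services in the
#    Configuration partition (AIA, CDP, Enrollment Services, Certification Authorities)
#    and are the objects the decommissioning article removes.
$configNC = (Get-ADRootDSE).configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$configNC"

"--- Configuration-partition objects whose DN contains '$caName' ---"
Get-ADObject -SearchBase $pks -Filter * |
    Where-Object { $_.DistinguishedName -like "*$caName*" } |
    Select-Object ObjectClass, DistinguishedName |
    Format-Table -AutoSize

# 3. NTAuthCertificates: every CA here is trusted for smart-card / PKINIT logon
#    domain-wide, so this store matters even if no user certs were ever issued.
$ntauth = Get-ADObject "CN=NTAuthCertificates,$pks" -Properties cACertificate
"--- CA certificates in NTAuthCertificates ---"
foreach ($raw in $ntauth.cACertificate) {
    $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    "{0}  thumbprint={1}  expires={2:d}" -f $c.Subject, $c.Thumbprint, $c.NotAfter
}

# 4. What each DC is currently holding from this CA. The template is read from the
#    v1 (1.3.6.1.4.1.311.20.2) or v2 (1.3.6.1.4.1.311.21.7) template extension.
"--- Certificates in LocalMachine\My on each DC issued by $caName ---"
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ArgumentList $caName -ScriptBlock {
    param($issuerName)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*CN=$issuerName*" } |
        ForEach-Object {
            $tpl = $_.Extensions |
                   Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
                   Select-Object -First 1
            [pscustomobject]@{
                DC       = $env:COMPUTERNAME
                Subject  = $_.Subject
                NotAfter = $_.NotAfter
                Template = if ($tpl) { $tpl.Format($false) } else { '' }
                EKU      = ($_.EnhancedKeyUsageList.FriendlyName -join ', ')
            }
        }
} | Format-Table DC, Subject, NotAfter, Template, EKU -AutoSize
```

Section 1 is the part that answers the "is anyone else using it" question: if every row is a DC requesting Kerberos Authentication, Domain Controller Authentication or Directory Email Replication, the picture matches what the post describes; any other requester or template is a consumer to track down before anything is removed. Sections 2 and 3 show the AD state the linked article's cleanup steps operate on, and section 4 is the list of certificates that will simply expire unrenewed once the CA is gone.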