Windows Server 2003 – How to Remove Non-Working Enterprise CA

certificate-authority windows-server-2003 windows-server-2012-r2

Amongst a bunch of servers, I have a Windows 2003 server, domain controller, Enterprise CA installed, which cannot start the CA service because "a required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file". Backing up the CA and checking issued certificates from the console do not work.

I have a Windows 2012R2 server, domain controller, Standalone CA installed. The CA service is running, and I can see that there are no certificates under "issued certificates".

Probably (unfortunately I can't be sure) nobody has ever used those CAs. Nobody that I know of here has the skills (and needs) to use Enterprise CA, including me.

I can see in domain members that certificates from these CAs are put in "Trusted Root Certification Authorities/Certificates" but they are all expired except one: certroot.

Our targets are:

  • get rid of Windows 2003 Enterprise CA and DC
  • get rid of Windows 2012 Standalone CA (now optional, will be mandatory in the future)
  • avoid any kind of service disruption due to CA removal

Questions are:

  • Is it possible to remove Enterprise CA from this old 2003 even if the service is not starting?
  • Is it safe to remove Enterprise CA in a production environment?
  • Does the removal have any effect on client operations like logins, network resource access like network shares and so on?

Any suggestion and/or advice is very welcome.
Thanks in advance

Best Answer

Is it possible to remove Enterprise CA from this old 2003 even if the service is not starting?

Yes. Go to "Add or Remove Programs", then Add/Remove Windows Components, and uninstall the CA role from there. Follow the following guide to decommission a Microsoft CA server: https://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx

Is it safe to remove Enterprise CA in a production environment?

In your case, yes.

Does the removal have any effect on client operations like logins, network resource access like network shares and so on?

In your case, no.
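
A read-only inventory that can be run before following the decommissioning guide linked above, to check the "nobody has ever used those CAs" assumption. This is an added example, not part of the original answer or the linked guide. It assumes PowerShell 3.0 or later with the ActiveDirectory module (for example on the 2012 R2 domain controller), and `EXAMPLE-CA-NAME` is a placeholder for the CA's common name.

```powershell
# Added example: read-only inventory; it changes nothing on the machine or in AD.
# EXAMPLE-CA-NAME is a placeholder for the CA common name (the CN in the Issuer
# field of certificates issued by the CA being removed).
param(
    [string]$CaName = 'EXAMPLE-CA-NAME'
)

# --- 1. Unexpired certificates on this machine issued by that CA -------------
# The personal stores hold server and user certificates. Anything listed here
# is still valid and chains to the CA, so it needs a closer look before removal.
$issuerPattern = '(^|,\s*)CN=' + [regex]::Escape($CaName) + '(,|$)'
$now = Get-Date
$liveCerts = Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -match $issuerPattern -and $_.NotAfter -gt $now } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint, HasPrivateKey

# --- 2. Objects the CA published in Active Directory -------------------------
# An Enterprise CA registers itself under the Public Key Services container of
# the configuration partition (AIA, CDP, Certification Authorities, Enrollment
# Services, KRA). These are the "related objects" the guide removes afterwards.
# The NTAuthCertificates object is not named after the CA, so it is not matched.
Import-Module ActiveDirectory -ErrorAction Stop
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
$caObjects = Get-ADObject -SearchBase $pkiBase -SearchScope Subtree -Filter * `
        -Properties whenChanged |
    Where-Object { $_.Name.StartsWith($CaName, [StringComparison]::OrdinalIgnoreCase) } |
    Select-Object Name, ObjectClass, whenChanged, DistinguishedName

# --- 3. Report ---------------------------------------------------------------
'Unexpired certificates issued by {0}: {1}' -f $CaName, @($liveCerts).Count
$liveCerts | Format-List
'AD PKI objects named after {0}: {1}' -f $CaName, @($caObjects).Count
$caObjects | Format-Table -AutoSize -Wrap
```

Part 1 only covers the machine it runs on, so it has to be repeated on each server that could hold a certificate from the CA. Saving the part 2 listing before the uninstall gives a record to compare against once the cleanup is done.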