I am writing this blog and others to explain how things work and some ways deployment and operational tasks can be handled. In other words, these postings are for demonstration purposes only. Since I am not familiar with your organization or environment, I do not know if these steps are applicable to your environment or are even safe to perform in your environment. It is recommended that you contact Microsoft Support prior to making changes in your environment to ensure that these steps are applicable to your environment and are safe to perform in your environment. By writing this blog I am in no way recommending that you perform these steps in your own environment. If you choose to follow the steps outlined in this or other blog postings on this site, you are assuming the risk for your actions.

Sometimes, if you are new to an environment or exploring PKI for the first time, you may realize that you have Certification Authorities populated in Active Directory. Some of those CAs may no longer exist in the environment, or you may have had problems removing the CA from Active Directory. In those cases you can manually remove the PKI objects from Active Directory. This posting will cover how you can remove the CA and PKI objects from Active Directory.

It is extremely important to note that you should not do this unless you are 100% certain that you are no longer going to use the Certification Authority or any certificates that have been issued from that Certification Authority. The PKI objects exist in the Configuration partition of Active Directory. Hence, these objects are replicated to every Domain Controller in the forest. This means that the user who removes the PKI objects from Active Directory must be a member of the Enterprise Admins group. Also, keep in mind that since this is an Active Directory change, it will need to replicate to every DC in the forest, which, depending on your replication convergence time, may take a while.

Pre-requisites

- Access to a machine that has the Active Directory Certificate Services (ADCS) Remote Server Administration Tools (RSAT) installed.
- The machine must be a member of the Active Directory forest that hosts the CA.
- The user removing the PKI objects must be a member of the Enterprise Admins group.
- You have backed up Active Directory using a System State backup or other approved backup method.

Removing the Deprecated CA and related PKI objects from Active Directory
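As an added example (not part of the original post) of the point that the PKI objects live in the forest-wide Configuration partition, the following read-only PowerShell pre-flight check lists every object under Public Key Services named after a given CA, the CA's entry in NTAuthCertificates, and whether the current user holds Enterprise Admins, so you can confirm exactly what would be removed before deleting anything. It assumes the ActiveDirectory RSAT module on a forest-joined machine; the CA name is a placeholder parameter.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post: read-only inventory of the PKI
# objects a deprecated CA left in the Configuration partition.
param(
    # Placeholder: the CA's common name as shown in AD, e.g. "Contoso-Old-Issuing-CA".
    [Parameter(Mandatory)][string]$CaName
)

function Get-PkiObjectsForCa {
    param([string]$Name)

    # All PKI objects sit under Public Key Services in the Configuration NC,
    # which replicates to every domain controller in the forest.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

    # Escape the LDAP filter metacharacters that can appear in a CA name.
    $escaped = $Name -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # Certification Authorities, Enrollment Services, AIA, KRA and the CDP leaf
    # objects are all named after the CA, so one subtree search finds them.
    $objects = Get-ADObject -SearchBase $pkiBase -SearchScope Subtree `
        -LDAPFilter "(cn=$escaped)" -Properties objectClass |
        Select-Object objectClass, distinguishedName

    # NTAuthCertificates is a single object; the CA certificate is one value of
    # its multi-valued cACertificate attribute, so match on the subject instead.
    $ntAuth = Get-ADObject "CN=NTAuthCertificates,$pkiBase" -Properties cACertificate
    $ntAuthHits = foreach ($raw in $ntAuth.cACertificate) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        if ($cert.Subject -like "CN=$Name*") { $cert.Thumbprint }
    }

    [pscustomobject]@{
        Objects           = @($objects)
        NTAuthThumbprints = @($ntAuthHits)
    }
}

function Test-IsEnterpriseAdmin {
    # Enterprise Admins is the well-known RID 519 group in the forest root domain.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $rootSid  = (Get-ADDomain (Get-ADForest).RootDomain).DomainSID.Value
    $identity.Groups.Value -contains "$rootSid-519"
}

$report = Get-PkiObjectsForCa -Name $CaName
$report.Objects | Format-Table -AutoSize
"NTAuthCertificates entries for ${CaName}: $($report.NTAuthThumbprints -join ', ')"
"Current user is Enterprise Admin: $(Test-IsEnterpriseAdmin)"
```

Run it with a CA name that is still in use and the same objects appear, which is why the listing, not the script, is the authority on what is safe to remove.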