Devin,

That last KB should work just fine, but it's OVERLY uptight. Existing certs won't hurt the laptops if they remain valid, and if you don't have services that look at that CA, they aren't doing anything. With three clients, revoking them and continuing to publish a CRL is no big deal, but with many it may become a troublesome, un-needed effort.

I would create the GPO that assigns the new CA to the trusted authorities, re-create any policies and templates on the new CA (doesn't sound like you have many), and then finally alter any services that used those certs (RAS, IAS, etc). Then, as long as no enterprise services depend on certificates from the old CA, uninstall cert services and decommission the machine.

Good Luck
Troy

-----Original Message-----
From: Devin Meade [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 01, 2008 12:20 PM
To: NT System Admin Issues
Subject: Two Enterprise Root CA's

I posted this when NTSYSADMIN list was on spamcop and am reposting now...

Group,

We have two Enterprise Root CA's and need to remove one. The one I want to remove has only three computer certificates issued via an auto enrollment Group Policy, for VPN.

After some googling, I see that I might be able to start the Cert Authority MMC on the bad CA, navigate to Certification Templates, then delete all of them. This should force the machines to renew them on the other root CA server. I ran certutil per http://support.microsoft.com/kb/555529 to find that I have two of these. Per http://forums.techarena.in/microsoft-security/934673.htm and http://groups.google.com/group/microsoft.public.windows.server.security/browse_thread/thread/af6cb6614c34f88f/5414636b3d971257?hl=en&lnk=st&q=delete+%22enterprise+root+ca%22#5414636b3d971257 I can delete all templates and let them expire. This seems very heavy handed. Is this a safe way to proceed?

This is an Enterprise Root CA for a 2003 Active Directory. I only have three certs to replace. I wonder if I can just revoke them one-by-one while I have the laptops in my possession, stop the cert service on the bad CA, then let the GPO issue a new computer cert on the good CA. Then, after the three certs are reissued, uninstall Cert Services from the bad server (decommission it via http://support.microsoft.com/kb/889250).

-Devin
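An added example, not part of Troy's or Devin's messages, showing the revoke-then-reissue path Devin describes as a PowerShell run with certutil: inventory what the old CA actually issued, revoke those serials as Superseded, publish a CRL, then trigger autoenrollment on the laptops. The CA config string and serial numbers are placeholders.

```powershell
# Added example (not from the thread). Assumption: the CA being retired is
# reachable as "host\CA common name"; replace with the value certutil -dump shows.
$OldCA = "OLDCA01\Old Enterprise Root CA"   # placeholder config string

# 1. Inventory: list everything the old CA has actually issued
#    (Disposition 20 = issued). Confirms the "only three certs" premise
#    before anything is revoked and shows what else would break.
certutil -config $OldCA -view -restrict "Disposition=20" `
    -out "RequestID,SerialNumber,CommonName,NotAfter"

# 2. Revoke each listed serial number one by one.
#    Reason code 4 = Superseded: the laptops will get replacement certs from
#    the surviving CA, so this is a planned replacement, not a compromise.
$Serials = @("<serial-1>", "<serial-2>", "<serial-3>")   # placeholders from step 1
foreach ($s in $Serials) {
    certutil -config $OldCA -revoke $s 4
}

# 3. Publish a fresh CRL so anything still checking the old CA sees the
#    revocations while the old CA is still up (per Troy's point about the CRL).
certutil -config $OldCA -crl

# ---- Run the following on each laptop, not on the CA ----

# 4. Refresh Group Policy and kick autoenrollment so the computer-certificate
#    GPO issues a new cert from the remaining Enterprise Root CA.
gpupdate /force
certutil -pulse

# 5. Verify the replacement certificate chains to the surviving CA (and that
#    no cert in the machine store still names the old CA as issuer) before
#    stopping cert services on the old server.
Get-ChildItem Cert:\LocalMachine\My |
    Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize
```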
