I inherited a setup where a previous admin installed a root CA on a domain-joined member server, but from what I see, they didn't configure much beyond that. It's only auto-issuing certificates to our domain controllers, and nothing else is utilizing those certificates—no LDAPS or additional services. I'm considering whether to tear this setup down and set up a standalone root CA that I can power off, moving toward a two-tier model. Can I revoke or simply abandon the certificates issued to each domain controller and remove the Active Directory Certificate Services role? If so, can I then establish a new standalone root CA? I'd appreciate any tips or experiences people might have regarding this process.
2 Answers
I’m curious about what makes you want a standalone CA instead of keeping it domain-joined. But if you’re set on changing it up, you definitely can uninstall the current role and let go of those old certificates.
It sounds like there’s a bit of confusion. If your domain controllers have certificates, they’re actually providing LDAPS, which your clients should be using if your domain is relatively modern. Instead of scrapping the CA, you could repurpose it for internal services like 802.1X authentication or email encryption; it could be quite handy! But if you decide to go ahead with the removal, yes, you can revoke the certificates and uninstall the CA role, and your domain will revert to plain LDAP. Just a heads up: some services might rely on LDAPS for user synchronization, so keep that in mind.
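As an added worked example (not code from either answer above), the following PowerShell sequence does what the second answer describes in order: first find out who is actually connected to the DCs over LDAPS or GC-over-SSL, then inventory what the CA has issued, and only then revoke, publish a final CRL, remove the revoked certificates from the DCs and uninstall the role. The CA config string `CA01.corp.example\CORP-ROOT-CA`, the issuer name and the `DC=corp,DC=example` suffix are placeholders for this example; the destructive part is behind a `$ConfirmTearDown` switch so the inventory steps can be run on their own first.

```powershell
# Added example, not part of the original thread. Assumes an elevated prompt,
# the ActiveDirectory and ADCSDeployment modules, WinRM access to every DC, and
# that the CA is reachable as the (hypothetical) config string below.
$CaConfig       = 'CA01.corp.example\CORP-ROOT-CA'   # "host\CA common name"
$CaIssuerPrefix = 'CN=CORP-ROOT-CA'                   # hypothetical issuer DN prefix
$ConfirmTearDown = $false                              # flip to $true after reviewing output

# 1. Who still talks LDAPS (636) or GC-over-SSL (3269) to the DCs? Established
#    sessions expose sync jobs, appliances and apps that would break after teardown.
$dcs = (Get-ADDomainController -Filter *).HostName
$ldapsClients = Invoke-Command -ComputerName $dcs -ScriptBlock {
    Get-NetTCPConnection -LocalPort 636, 3269 -State Established -ErrorAction SilentlyContinue |
        Select-Object @{n = 'DC'; e = { $env:COMPUTERNAME }}, LocalPort, RemoteAddress
}
"LDAPS/GC-SSL clients seen right now (a point-in-time sample, re-run over a few days):"
$ldapsClients | Sort-Object DC, RemoteAddress -Unique | Format-Table -AutoSize

# 2. What has the CA issued? Disposition 20 = issued. The DC certificates show
#    up under the DomainController / KerberosAuthentication templates.
certutil -config $CaConfig -view -restrict 'Disposition=20' `
    -out 'RequestID,SerialNumber,CommonName,CertificateTemplate,NotAfter'

if (-not $ConfirmTearDown) { return }

# 3. Revoke every issued certificate with reason 5 (CessationOfOperation) and
#    publish a final CRL so anything that still checks revocation sees it.
$serials = certutil -config $CaConfig -view -restrict 'Disposition=20' -out 'SerialNumber' |
    Select-String 'Serial Number:\s*"?([0-9a-fA-F]+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
foreach ($serial in $serials) {
    certutil -config $CaConfig -revoke $serial 5
}
certutil -config $CaConfig -CRL

# 4. Revocation alone does not stop a DC from presenting the certificate; remove
#    it from each DC's machine store so LDAPS really is gone, not just untrusted.
Invoke-Command -ComputerName $dcs -ArgumentList $CaIssuerPrefix -ScriptBlock {
    param($issuerPrefix)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "$issuerPrefix*" } |
        Remove-Item
}

# 5. Remove the CA role from the member server.
Uninstall-AdcsCertificationAuthority -Force
Uninstall-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 6. Check the configuration partition for leftovers (CA, AIA, CDP and
#    NTAuthCertificates entries). Anything still naming the old CA keeps clients
#    trusting or looking for it; clean those up before building the new root.
$pkiBase = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -SearchBase $pkiBase -SearchScope Subtree -Filter * |
    Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
```

Run it once with `$ConfirmTearDown` left at `$false`: step 1 is a point-in-time sample, so repeat it over a few days (or pull Event ID 2889 from the DCs) before concluding nothing uses LDAPS. Only the first two steps are needed to answer the "is anything relying on this?" question the answer raises; everything after the `return` is the teardown itself.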