I've got two Active Directory Certificate Services (ADCS) servers. The newer one is now handling all the certificate issuance, and I've already revoked all the certificates from the old server. Am I clear to uninstall ADCS from the old server, or is there anything else I need to clean up before doing that?
3 Answers
You should ideally clean up the old server from your Active Directory schema using ADSI Edit. If you don't, its root certificate might still be in the certificate store of every domain-joined machine. But really, unless you want to tidy up, it probably won't affect functionality if you leave it there for a while.
If your old server was an Enterprise CA, remember that it's tied into Active Directory. You can reuse the certificate templates on your new server. I’d suggest keeping the old CA around for reference, especially since they combined a lot of services on the same server, which can get messy. Also, make sure the old CA stops issuing new certificates—it’s important to keep the Certificate Revocation List (CRL) around so that the revocations are recognized properly, especially if you have long-lived certificates.
Yeah, you definitely want to be careful. There's a detailed Microsoft guide you can find online that walks you through it. Just make sure you're thorough. But be warned about step 6; if you aren't confident, skipping it is probably best! You don't want to accidentally delete something essential that your other CA depends on!
Seriously, just skip that step unless you’re fully aware of what you’re doing. It can lead to problems with your other certification authority!
Honestly, if you uninstall it right, you don’t need to mess around with ADSI Edit at all!