11 Responses to Manually remove old CA references in Active Directory

  1. eric says:

    THANK YOU!!! Had to rebuild my PKI deployment and was beating my head against the wall trying to figure out where the old certs were coming from.

  2. dinero says:

    Hello ,
    We have only one CA ( Ent. Root CA) issuing all certs.I have setup a new Ent. subordinate CA , and when I requested computer cert from a member server , the request was going to Sub CA instead of Root CA..

    When i disable computer template on the subordinate CA , and submit new request from member server , the request is failing saying template is not published on sub CA …BUT the template is published on Root CA.

    How do we tell domain member servers to request cert from Root CA , when template is not available on Sub CA.

    I was planning to set the registry flag to enable SAN certs on subordinate CA , and disable standard templates and configure computer template to require CA approval.. but with the above behavior that may break the auto enroll process for computer and user certs , as member servers are requesting certs from Sub CA instead of Root CA

    Is the above behavior expected ? Any suggestions ?

    • Tom Aafloen says:


      It is VERY unusual to have both a Root CA and an Issuing CA online and both giving out leaf certificates. Any reason for doing it this way? The most common PKI setup is to have one offline Root CA that ONLY signs SubCA certificate requests from one or more online Issuing CAs. There are of course even more complex PKI setups as well.

      That being said, when a client wants to autoenroll it looks in AD to see which templates they have permission to autoenroll from. Then they look in the “Enrollment Services” container in AD to see which CAs actually publish those templates. If more than one CA publish the same template they chose only one of the CAs, they never enroll a certifikate from a template they already have a valid certifivate from. So the fact that the computer cert was coming from the SubCA was probably random, it could also have come from the RootCA.

      If you manually enroll a certificate via MMC you should be able to choose which of the CA-servers (that are publishing the template in question) you want to enroll from.

      Did you delete the old computer certificate, revoke it on the CA or try to re-enroll from the existing certificate?

      I would NOT recommend modifying the CA server to enable the flag EDITF_ATTRIBUTESUBJECTALTNAME2. This can be abused, see this blog post:

      The CA can still issue certificates with SAN, by using certificate extensions instead of request attributes. See more detailes here:

  3. Tom
    I have had an issue with an 2012 server that has a domain migrated from a previous sbs 2011 server. They never uninstalled the CA role before they decommissioned the sbs and drpromo’d to remove from AD. Now the 2012 server and clients are looking for a long gone DC to renew Certs and causing Errors for CertificateServiceClient-AutoEnrollment Event ID 6 and 13.

    The old DC is long gone years ago, so can these steps be used to safely remove all the references to the CERT that should have been reomoved properly? If so will it affect AD or the clients in anyway? I have a few windows 10 pcs that no say Certificate expired when they start up.


    • Tom Aafloen says:

      Yes, these steps could be used to remove any remains of a no-longer-existing CA server, regardless of if it was installed on a DC, SBS or a dedicated server. Be sure NOT to remove any object related to a any new CA servers though.
      The affect it will have on the clients/servers is that they will no longer find references to that server during auto enrollment process and will therefor no longer try (and fail).
      Expired certs is natural, since you have not renewed or issued them for a long time. But do they say it with some sort of dialog, or is it just in the event log?
      Feel free to share your results here 🙂

  4. Grae says:

    Thanks for this – I replaced an old SBS server with a plain old DC and Exchange setup – but that SBS had been an unused CA, and although I removed that before demoting and removing it, the other DCs were creating warnings constantly trying to re-register their certs.

  5. Great article. Helped me a lot in getting rid of those old certificates in the enterprise ca certificate store.

  6. David Amos says:

    We had an SBS server that was removed (and correctly according to MS intructions), and replaced with 2008 R2 DC and separate Exchange, the only certificate on the new DC is the old SBS certificate, is it ok to remove this and have no AIS PKS on the DC?

    • Tom Aafloen says:

      Hi David.
      It’s hard to be sure without more information. What type of certificate is present on the new DC?
      My advice would be to make a backup of the certificate (including the private key), just in case, and then delete it. IF issues occur, just reimport it again.
      What do you mean by AIS PKS?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s