Will removal of Enterprise CA break AD replication between sites?

Hello.
I have an AD environment that has a CA on a failing Domain Controller. This server is scheduled for decommission, and is running a CA for the Domain. This server has issued certificates to the domain controllers from the Domain Controllers template.
I have no other use for this CA other than for Domain Replication. Based on this I want to remove the CA role completely from the domain.
If I follow this procedure:
http://support.microsoft.com/kb/889250
Will the domain replication break or still be in operation?
Regards
Tommy Rasmussen

If you require certificates for AD e-mail replication I would not recommend this procedure as all certificates would be revoked following this checklist (step 1). If you decommission a PKI but want its certificates to remain valid you would not revoke the certificates but only create the long-lived CRL (steps 2 and 3). And you would need to make sure that new DCs get new certificates.
Are you really using AD *e-mail* replication? I am just asking because often DC certificates are deployed automatically but not actually really used. Certificates are not required for default AD replication.
Assuming that certificates are required now (and will be required in the future) I would recommend instead:
Option 1 - new PKI before retiring the old one.
Configure a replacement PKI, make sure that the DC replication template is published at this CA, make all DCs get renewed certificates from the new CA, then decommission the old one.
On principle, the existing CA could also be migrated to a new server with another name, but handling the CDP and AIA URLs gets a bit messy if the default names have been used when setting up this CA (as these point to the existing server or an LDAP object that has the same name as the existing server). So if the CA is only used for issuing DC certificates, I would rather create a new one.
Option 2 - new PKI after retiring the old one.
This would be an option if you don't plan to add new DCs soon:
Make sure all DCs have valid certificates issued by the existing PKI. Issue the long-lived CRL but don't revoke the certificates. Uninstall the CA service - the objects required to validate certificates will remain in AD. Details may depend on customizations of the CDP and AIA URLs. If you used the default settings you might also have an HTTP URL pointing to the CA server itself - so the DNS record would need to point to a replacement server holding the CRL and CRT files.
This would work as long as you don't need new certificates - thus as long as the existing ones are still valid and you don't join new DCs to the domain. So you should perhaps set up another CA in the next months.
Elke
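
A pre-decommission check for Option 2 in the answer above, as an added example that is not part of the original thread: it lists each DC's certificates issued by the existing CA, their remaining lifetime, the CDP and AIA locations that must stay reachable, and whether the chain still builds with online revocation checking. It assumes the ActiveDirectory RSAT module, PowerShell remoting to the DCs, and `$OldCaName`, a placeholder for the CA's common name.

```powershell
# Added example (not from the thread). Assumptions: ActiveDirectory RSAT module,
# PowerShell remoting to every DC, and $OldCaName set to the CA's common name.
Import-Module ActiveDirectory
$OldCaName = 'PLACEHOLDER-CA-NAME'   # placeholder: replace with your CA common name

# Runs on each DC: describe every machine certificate issued by the old CA.
$scan = {
    param($CaName)
    $oidCdp = '2.5.29.31'            # CRL Distribution Points extension
    $oidAia = '1.3.6.1.5.5.7.1.1'    # Authority Information Access extension
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*CN=$CaName*" } |
        ForEach-Object {
            $cert = $_
            $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oidCdp }
            $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oidAia }

            # Build the chain with online revocation checking, so an unreachable
            # CRL shows up as RevocationStatusUnknown / OfflineRevocation.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'Online'
            $chain.ChainPolicy.RevocationFlag = 'EntireChain'
            $chainOk = $chain.Build($cert)
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

            [pscustomobject]@{
                Subject     = $cert.Subject
                Thumbprint  = $cert.Thumbprint
                NotAfter    = $cert.NotAfter
                DaysLeft    = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
                ChainOk     = $chainOk
                ChainStatus = $status
                CDP         = if ($cdp) { $cdp.Format($true) } else { '(none)' }
                AIA         = if ($aia) { $aia.Format($true) } else { '(none)' }
            }
        }
}

# Query every domain controller; a failure on one DC does not stop the run.
$dcs = Get-ADDomainController -Filter *
$results = @(foreach ($dc in $dcs) {
    try {
        Invoke-Command -ComputerName $dc.HostName -ScriptBlock $scan `
            -ArgumentList $OldCaName -ErrorAction Stop
    } catch {
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
})

# DCs that returned no certificate from this CA (or could not be queried).
$covered = @($results | Select-Object -ExpandProperty PSComputerName -Unique)
$dcs | Where-Object { $covered -notcontains $_.HostName } |
    Select-Object HostName, Site

# Earliest expiry first: the first NotAfter is when Option 2 stops working.
$results | Sort-Object NotAfter |
    Format-List PSComputerName, Subject, NotAfter, DaysLeft, ChainOk, ChainStatus, CDP, AIA
```

Running it again after the CA service is uninstalled shows whether the long-lived CRL is still being found at the listed locations. Windows caches CRLs, so a clean result shortly after the change may reflect the cached copy.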

Similar Messages

  • My MacBook Air 13' (2013) will occasionally start the fan at full blast, not connect to any wifi or detect any wifi, and will remove the battery icon from my menu bar as well as tell me there is no battery connected. How do I fix this?

    My MacBook Air 13' (2013) will occasionally start the fan at full blast, not connect to any wifi or detect any wifi, and will remove the battery icon from my menu bar as well as tell me there is no battery connected. How do I fix this? I have restarted my computer multiple times, **** it down, and ran a diagnostic test to tell me nothing is wrong and my computer is not running any applications. There is no reason for the fan to be on full blast! When I try to set the option to show my battery icon in the menu bar, it will automatically uncheck. How do I fix all of this?

    Have you tried SMC and PRAM resets?
    http://support.apple.com/kb/HT3964
    http://support.apple.com/kb/ht1379
    Ciao.

  • The iCloud was never verified therefore never backing up anything on my iphone 4s because it was the wrong email and now I'm trying to make a new one but it says if I delete the account it will remove it's data from my phone. Will I lose everything?

    The iCloud was never verified therefore never backing up anything on my iphone 4s because it was the wrong email and now I'm trying to make a new one but it says if I delete the account it will remove it's data from my phone. So if I put delete account will I lose everything on my Iphone?

    This was EXACTLY what I needed about the purchases I made from my device. However, is there a way to re-download other ones you've made from a computer? Because I realized some of them were not just purchased from my device.
    This is a picture of what it looks like now:
    http://tinypic.com/r/107quxu/7
    As you can see, the stuff circled in red doesn't give me an option to download from Cloud Beta because it already says "downloaded".
    any way to get around that?

  • I'm having installing itunes on my computer. Will removing itunes remove my music files?

    I'm having installing itunes on my computer. Will removing itunes remove my music files?

    No, it won't remove your other files.
    Solving MSVCR80 issue and Windows iTunes install issues.

  • Is there a script (or plugin) that will take a photo and break it up into parts?

    Is there a script or plug-in out there that will take a picture and break it up into various parts (squares for example.)  The idea would be that you could automate and rapidly create a photo collage of a single image.  (See examples of what I mean in attached pics.)
    Thanks!
    You get the idea.

    OK, I'm going to edit this post now that I'm at a computer with an actual step by step.
    Create a new comp the size of your final delivered project.
    Add a photo to the timeline
    Note the size of the photo and the scale to position the photo at its final resting place
    Calculate twice the height and width of the photo and create a new solid that is this size
    Place the solid above the photo
    Create a mask in the solid at the exact center that is the size shape you want for your photo frame
    Either invert the mask or set the mask property to Subtract to reveal a small portion of the photo
    Set the solid as an alpha inverted track matte for the photo (you should now see only a portion of the photo)
    Add a rectangular shape layer with only a stroke to act as the photo frame over the mask. You may have to use two shapes or create a mask on a shape if you want to simulate polaroids
    Make the shape layer the parent of the solid you are using as a track matte so the matte will stay lined up with the frame
    Here comes the fun, select all layers and duplicate them using Ctrl/Cmnd + D
    Immediately hold down Shift + Ctrl/Cmnd + } to move all duplicates to the top
    Select the top shape layer and move the shape layer frame into a new position
    Pre-compose the top 3 layers
    Press the y key to select the Pan Behind or Anchor Point tool and move the pre-comp's anchor point to the center of the top frame
    Repeat step 11 through 15 until you have arranged your montage (it might be a good idea to have a template set up as a guide layer so you know where to put the frames)
    Select all pre-comps and press Alt/Option + P to set a position keyframe for each pre-comp
    With all of the keyframes selected move them down the timeline about 3 seconds
    Now, with the CTI at the first frame drag each pre-comp into a starting position for that frame
    Preview and adjust the timing, then turn on motion blur
    Your images will now assemble themselves into the final montage.
    There is no script that I know of that will do all of this automatically, but it would not be too hard to write a script that would do the pre-composing if you have a ton of these to do. I'm guessing that with a little practice you could have a new picture frame created and moved into position in less than a minute. It takes me about 30 seconds. That means a 20 frame sequence should take you about a half hour. It might not be worth writing a script unless you have a ton of these to do. Select the bottom three layers and duplicate (Ctrl/Cmnd + D), group them at the top (Shift + Ctrl/Cmnd + } ), move the top frame layer into position, then Shift + Ctrl/Cmnd + C to pre-compose, then move the anchor point of the pre-comp, then do it again.... When you're done set a few keyframes.
    As I said, you could write a script, but you'd need a different script to move each frame into position and the script would only work for one layout. If you made a template to put on the bottom so you knew where to place the frames and which order you wanted them you could do this by hand very quickly. The sample project that I'm including which was just quickly thrown together took me less than 10 minutes. Replace my photo with one of yours and you'll get the idea.
    Dropbox - photoMontage1_CS6.aep (Note: Dropbox will probably add a .txt extension to the .aep file. Just delete it and you should be able to open the project.)

  • Opening the form will remove usage rights?

    Hi everyone,
      I reader extended a form in my trial version. After that, when I try to open the form in livecycle designer, I see a message box saying that
    " Some usage rights have been applied to the form you want to open. Opening the form will remove usage rights. Do you want to continue? "
    Why is this message appearing? why is it removing the usage rights when I open the form?
    Thanks in advance,
    kc

    I think that there is some confusion on reader extensions.  A person/process applies reader extensions rights to a designed form.  If you read an existing form into designer and make a change, that constitutes a new form.  The reader extensions process had been done on the input.  You have to reader-extend the form with the changed design after you save it from designer.
    I would expect that you would NOT get a message like this if you opened the form in Reader.
    Think of reader extensions like it was a signature.  If you change the underlying document, you invalidate the signature.  The message box is alerting you to the fact that the redesign process will remove the reader extension rights and you'll have to do the reader extension process again.

  • Install CS5.5 upgrade will remove CS4?

    Hi,
    I am about to order an upgrade version of CS5.5, anyone know when i install the CS5.5 upgrade, it will remove my CS4 automatically?
    Thanks.

    What is a TLP license?
    >free upgrade to CS6 soon
    That is what the page says
    This says Creative Suite free CS6 download with CS5.5 until May 6 2012
    http://store.adobe.com/store/en_us/popup/offer/cs55_cs6.html
    http://store.adobe.com/store/en_us/popup/offer/cs55_cs6_faqchannel.html

  • Which action "Save as" will remove the keywords created in Bridge?

    Which actions will remove the keywords created in Bridge?
    I have saved it in PS for web and keywords were deleted.
    Thank you.

    Remember that if you switch to File - Save As to save your JPEGs with metadata intact, you will also be saving the file with your working color space by default (pay attention to the Color section at the bottom of the File - Save As dialog).
    If it is other than sRGB you'll have problems with some browsers displaying your images inconsistently.  In that case you may want to consider setting your default color space to sRGB.
    -Noel

  • Changing apple id will remove icloud content?

    hello , so my question is that im using an apple id currently and i want to change the apple id to another one and im worried that if i change it it will remove the stuff that i have in my device.
    simply : i want to delete the old icloud (my device) and change it to the new one

    http://support.apple.com/kb/HE40
    No, nothing will change.

  • How to Break the cluster between Two servers

    Hi Experts,
    Since I'm new to BOBJ XI R2, I would like to know how to break the cluster between two servers.
    Description :
    So far we took the copy of QAS Server1 to the new QAS server2 (Through Mirroring Tool ). Now those two servers are cluster together, I can see QAS server1 CMS Name, Cluster Name, cluster member name in QAS Server2 (CMC-> Setting -> Cluster).
    Besides in QAS Server1 CMS Name and Cluster name are pointing to the QAS Server1, except Cluster Member (This is still have two members Server1 and Server2).(CMC-> Setting -> Cluster).
    In QAS Server1 and QAS Server2 (CMS-> Servers), I am able to see both server names under Machine Name tab.
    I would like to make those two servers as independent servers. There are two different data source for those two servers. I want to remove the cluster in both servers.
    Right now QAS Server1 is running and QAS Server2 is stopped.
    If I create/modify a group under new Mapped NT Member Groups in QAS server2, it is getting reflected in QAS server 1.
    Could you please tell me the steps to resolve this problem.
    BO Version: BO XI R2
    Regards,
    Sridharan

    Hi,
    Maybe the external CMS is still 'attached' to your SIA node. Please go to the CCM (Central Configuration Manager) and stop the SIA (Server Intelligent Agent). On one of the tabs you can see if there is an external CMS part of your environment. Delete it and restart the SIA. Retry if you can delete the services now from within your CMS. It may well be that you have to stop both environments and delete each others CMS via the CCM to get it working. If you have not changed any permissions for your Administrator account the security model will not be the one causing this.
    Hope this helps...
    Martijn van Foeken
    Focuzz BI Services
    http://www.focuzz.nl
    http://nl.linkedin.com/in/martijnvanfoeken

  • Configure replication between directory server 5.1 and 5.2

    we have two directory servers running on different machine 5.1 and new 5.2. All database have been successfully backup and restore from 5.1 to new 5.2. In this scenario, we would like to setup 5.1 and new 5.2 D.S as multi-master replication.
    As described in the sun Documentation, we have copy few ldif file from new 5.2 to 5.1 so that both schema are up to date.
    The new instance of 5.2 is running fine. However, on the other hand, 5.1 has a problem to start the server as show in the following below.
    # ./start-slapd
    [31/May/2005:14:07:43 +0800] dse - The entry cn=schema in file /usr/iplanet/servers/slapd-ifpdev02/config/schema/50ns-admin.ldif is invalid, error code 21 (Invalid syntax) - object class nsAdminServer: Unknown required attribute type "nsServerID"
    [31/May/2005:14:07:43 +0800] dse - Please edit the file to correct the reported problems and then restart the server.
    Any help from you guys are greatly appreciated.

    I recommend that you read the Release Notes of DS5.2, there are some notes on Replication between 5.1 and 5.2.
    ===
    In Directory Server 5.2, the schema file 11rfc2307.ldif has been altered to conform to rfc2307. If replication is enabled between 5.2 servers and 5.1 servers, the rfc2307 schema MUST be corrected on the 5.1 servers, or replication will not work correctly.
    Workaround
    To ensure correct replication between Directory Server 5.2 and Directory Server 5.1, perform the following tasks:
    * For zip installations, remove the 10rfc2307.ldif file from the 5.1 schema directory and copy the 5.2 11rfc2307.ldif file to the 5.1 schema directory. (5.1 Directory Server Solaris packages already include this change.)
    * Copy the following files from the 5.2 schema directory into the 5.1 schema directory, overwriting the 5.1 copies of these files:
    11rfc2307.ldif, 50ns-msg.ldif, 30ns-common.ldif, 50ns-directory.ldif, 50ns-mail.ldif, 50ns-mlm.ldif, 50ns-admin.ldif, 50ns-certificate.ldif, 50ns-netshare.ldif, 50ns-legacy.ldif, and 20subscriber.ldif.
    * Restart the Directory Server 5.1 server.
    * In the Directory Server 5.2 server, set the nsslapd-schema-repl-useronly attribute under cn=config to on.
    * Configure replication on both servers.
    * Initialize the replicas.
    ===
    Also search for "migrate" or "repl" or "5.1" in Release Notes and read the relevant information.
    http://docs.sun.com/source/817-7611/index.html
    Another guide is "Installation and Migration Guide"
    http://docs.sun.com/app/docs/doc/817-7608
    HTH.
    Gary

  • Matrix exporting to excel with empty columns, with page break option of "Between each instance of a group" selected.

    I am working with Report Builder 3.0 I am using a matrix to produce grouped data on separate worksheets in excel.
    The select is:
    SELECT ID, Measurement, Value, [Date] FROM Measurements_Report. (please ignore the underscores they are just for formatting) 
    The contents of the Measurements_Report table:
    ID__Measurement__Value__[Date]
    1___Hot_________33_____10/1/2014
    2___Hot_________44_____10/2/2014
    3___Cold_________55_____10/2/2014
    The matrix contains a single row group based on the field "measurement". The Measurement group has the page break option of "Between each instance of a group" selected. 
    There is a column group based on the field "Date". 
    When this is matrix is exported to excel on the first worksheet (Hot) there are three columns as shown below:
    ID__10/1/2014____10/2/2014___10/2/1014
    1___33
    2_______________44
    Notice the last column doesn't have a value.
    On the second worksheet (Cold) there are also three columns as shown below:
    ID__10/1/2014___10/2/2014___10/2/1014
    3__________________________55
    This time notice there is only one row and only a value in the last column.
    I only want the columns with data for that worksheet to show up. How can I remove these empty/duplicate columns? Hopefully there is a simple fix. Thanks ahead of time.

    With the following contents of the Measurements_Report table:
    ID__Measurement__Value__[Date]
    1___Hot_________33______10/1/2014
    2___Hot_________43______10/1/2014
    2___Hot_________44______10/2/2014
    3___Cold________55______10/2/2014
    Returns on the first tab (Hot):
    ID__10/1/2014____10/1/2014____10/2/2014
    1___33
    2_________________43
    2______________________________44
    In the excel worksheet it contains a separate column for each date with a value. Thanks again!
    Why is the same date repeating on multiple columns? Do you've the time part also returned from database?
    Visakh

  • Data Replication Between Sqlserver and Oracle11g using materialized view.

    I have Sqlserver 2005 as my source and oracle11g as my target.I need to populate the target daily with change data from source.
    for that we have created a dblink between sqlserver and oracle and replicated that table as a Materialized view in Oracle.
    problem we are getting here is Fast refresh option is not available.each day it will pick full data from the source.
    is there any way to use Fast refresh in this scenario??
    Thanks in advance.
    Regards,
    Balaram.

    Pl do not post duplicates - Data Replication Between Sqlserver and Oracle11g using materialized view.

  • Replication between Oracle 7 and Oracle 10g. Is it possible?

    Hello,
    I have two DBs which exist on two different versions of Oracle (7.3.3 and 10g). Those DBs have different structures of tables, data from which can be casted from one structure to other. Can I organise bi-directional replication between those DBs. To make the point clear, can I replicate data from Oracle 7.3.3 to 10g and vice versa.
    Duration of synchronization should be less than 1 minute.
    I would be very pleased if somebody gives me a reference on online oracle documentation because I can't find answer in it to my questions.
    If the possibility of application of replication is questionable, can you give an advice which technology I have to apply in my situation. For instance, perhaps, it is convenient to use triggers.
    Thank you.

    Hi,
    ObjectMMRS (http://www.object.com.br/wiki) can make what you need, replicate data between different Oracle database versions and between Oracle and other database brands too.
    Documentation still in Portuguese only (Translation in progress) but I can help you install and try, maybe one or two days of work and you will be able to replicate.
    Contact me at [email protected] if you want to try the ObjectMMRS (low cost replication software suite), no technical support fees for trial, and 30 days license expiration.
    HTH,
    Wagner Ramos

  • Multi master replication between 5.2 and 6.3.1

    I have a setup in which I have a master running version 5.2 and about 15 consumers ( slaves) all of which have been upgraded to 6.3.1 . I now want to create a multi master topology by promoting one of these consumers to be a master and still keep the 5.2 in use as we have a bunch of other applications that depend on the 5.2 instance. Our master has two suffixes. The master server is also the CA cert authority for all the consumers . After reading the docs I narrowed down the procedure to be
    1. Promote one of the 6.3.1 consumers to hub and then to master using the dsconf promote-repl commands. The problem here is that I am not sure how I can create a single consumer that can slave both the suffixes. We currently have them being slaved to different consumers.
    Also do I need to stop the existing replication between the 5.2 master and the would be 6.3.1 master to promote to hub and master.
    2. Set the replication manager manually or using dsconf set-server-prop on the new 6.3.1 master .
    3. Create a new replication agreement from 5.2 to 6.3.1 master without initializing. (using java console)
    4. Create new replication agreement from 6.3.1 to 5.2 (using command line)
    5. Create new repl agreements between the new 6.3.1 master and all the other consumers. For this do I need to first disable all the agreements between 5.2 and 6.3 or can I create new agreements without disabling the old ones?
    6. Initialize 6.3.1 from the 5.2 master.
    My biggest concern at this point is surrounding the ssl certs and the existing trusts the consumers have with the 5.2 master. Currently my 5.2 server acts as the CA authority for our certificate management with the ldap slaves. How can I migrate this functionality to the new server and also will this affect how the slaves communicate to the new master server ?
    Thanks in advance.

    Thanks Marco and Chris for the replies.
    I was able to get around the message by first manually initializing the new slave using an ldif of the ou from the master, using dscc to change the default replication manager account to connect and finally editing the dse.ldif to enter the correct crypt hash for the new repl manager password. After these steps I was able to successfully set up replication to the second ou and also promote it to hub and master (I had to repeat the steps after promotion of the slave to master as somehow it reset replication manager settings when I did that).
    So right now, I have a 5.2 master with two ou's replicating to about 15 consumers.
    I promoted one of these to be a second master (from consumer to hub to master). Replication is setup from 5.2 to 6.3 master but not the other way round.
    I am a little bit nervous setting up replication the other way round as this is our production environment and do want to end up blowing up my production instance. The steps I plan on taking are , from the new master server
    1. dsconf create-repl-agmt -p 389 dc=xxxxx,dc=com <5.2-master>:389
    2. dsconf set-repl-agmt-prop -p 389 dc=xxxxx,dc=com <5.2-master>:389 auth-pwd-file:<passwd_file.txt>
    I am assuming I can do all of this while the instances are up. Also in the above, does create-repl-agmt just create the agreement or does it also initialize the consumer with the data? I want to ensure I do not initialize my 5.2 master with my 6.3 data.
    Thanks again
