= Certificate Authority Servers Cannot Be Renamed or Removed from Network =

Article ID: 231182

Article Last Modified on 2/27/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server




This article was previously published under Q231182



SYMPTOMS
A Windows 2000 server functioning as a Certificate Authority (CA) server cannot be renamed without invalidating the certificates that it has issued. This applies to both Enterprise CAs and stand-alone CAs.

Enterprise CA servers are domain controllers or member servers that use DNS and Active Directory to store their certificate information for replication to other domain controllers. The names of the Enterprise Root CA and of the Enterprise Subordinate CAs under it must not change; otherwise, certificates throughout the enterprise can no longer be validated back to the root.



CAUSE
The name of the CA server is bound to the certificates that the CA has issued. Therefore, the server name cannot be changed without revoking all certificates.
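
The article does not say where the name appears in an issued certificate. On a default Windows CA configuration, the server's host name is written into the CRL distribution point (CDP) and Authority Information Access (AIA) URLs of each certificate. The following is an added example, not part of the original article, that lists the certificates in a store whose CDP or AIA URLs reference a given CA host; the function name `Find-CertsBoundToCAHost`, the store path and the host name `ca01.corp.example` are assumptions.

```powershell
# Added example (not from the KB article). Lists certificates whose CRL
# distribution point (CDP) or Authority Information Access (AIA) extension
# contains a URL that references the given CA host name.
function Find-CertsBoundToCAHost {
    param(
        [Parameter(Mandatory)] [string] $CAHostName,    # hypothetical, e.g. 'ca01.corp.example'
        [string] $StorePath = 'Cert:\LocalMachine\My'   # assumed store to audit
    )
    $oids  = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }
    $short = ($CAHostName -split '\.')[0]
    # Match the FQDN as a URL host, or the short name as an LDAP CN component.
    $pattern = '://' + [regex]::Escape($CAHostName) + '(/|:|$)' +
               '|CN=' + [regex]::Escape($short) + ','

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        foreach ($ext in $cert.Extensions) {
            $kind = $oids[$ext.Oid.Value]
            if (-not $kind) { continue }
            # Format($true) renders the decoded extension as multi-line text
            # on Windows; each location is assumed to appear as "URL=<value>".
            $text = $ext.Format($true)
            foreach ($m in [regex]::Matches($text, 'URL=([^\r\n]+)')) {
                $url = [uri]::UnescapeDataString($m.Groups[1].Value.Trim())
                if ($url -match $pattern) {
                    [pscustomobject]@{
                        Subject    = $cert.Subject
                        Thumbprint = $cert.Thumbprint
                        NotAfter   = $cert.NotAfter
                        Extension  = $kind
                        Url        = $url
                    }
                }
            }
        }
    }
}

# Certificates that still depend on the CA host, soonest expiry first.
Find-CertsBoundToCAHost -CAHostName 'ca01.corp.example' |
    Sort-Object NotAfter |
    Format-Table -AutoSize
```

Certificates returned by this check look for revocation or issuer information at the CA's current name, so they are the ones affected if that name stops resolving.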



RESOLUTION
Before implementing a CA server, plan factors such as organization naming schemes and future requirements for subordinate CAs so the CA hierarchy can be a part of the naming scheme.

Back up the certificates by using the Certificate Services Backup feature. They can be restored at a later time.

In case of disaster recovery, restore the backup tape to a server with identical hardware. When the Certificate service starts with the proper registry entries in place from the tape backup, the certificates will still be valid on the network.



STATUS
This behavior is by design.



MORE INFORMATION
Local CA servers hold their information locally, use local policies, and store certificate information in a local database. Therefore, restoring a CA requires more than placing a server of the same name on the network. Performing regular tape backups of the server is a reliable way to be able to restore the CA without losing all certificates.

Additional query words: Digital Signatures Authority

Keywords: kbenv kbprb KB231182

© Microsoft Corporation. All rights reserved.