Microsoft PKI – Decommission CA Server

Abbreviated mostly from:

Several notes:

These instructions assume that all issued certificates are expired.

If issued certificates still exist and are either active within their validity period or revoked, you will need to go through a set of steps to revoke the remaining issued certificates and update/transfer the revocation list to the current PKI systems. Generally you can just remove the certificate templates from the old server and let the certificates expire or be re-issued by the newer issuing servers. It all depends on how quickly the old PKI server needs to be removed from inventory.

Steps are different on a single-tier PKI setup, so don't do this unless you are sure!

Get the server name and the CA name, and note which CA name belongs to which server. This will show all info about all CA servers, so choose the server name carefully. From a PowerShell or CMD terminal as admin:


Shutdown certificate services on the server being decommissioned:

certutil -shutdown

Delete the CA private key using the name gathered above (I have had issues with this step, and it is probably not important if you securely erase the drive immediately after server decommissioning):

certutil -delkey "<CA name>"

Uninstall Certificate Services:

"Server Manager", "Manage", "Remove Roles and Features"
Click through wizard and de-select "Active Directory Certificate Services"

Restart the server.

ONLY do the following if published objects like the CRL and AIA no longer matter! DO NOT remove the Certificate Templates if you are replacing this PKI server!

Remove CA Objects from AD:

"Server Manager", "Tools", "Active Directory Sites and Services"

Select the top-level node in the left window pane, then "View", "Show Services Node"

"Services", "Public Key Services"

Under the "AIA", "CDP", "Certification Authorities", and "Enrollment Services":

Delete the CA object
NOTE: it should already be missing under "Enrollment Services" because it is removed during the removal of certificate services.

There are more advanced cleanup procedures in the link at the top if you feel that these deletion steps did not work properly.
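An added check (not part of the original notes) that enumerates what is still published under Public Key Services, so you can confirm the old CA's AIA, CDP, Certification Authorities and Enrollment Services objects are really gone. It assumes the ActiveDirectory module (RSAT) and a domain account that can read the Configuration partition; $OldCaName and $OldServerName are placeholders for the pair gathered at the start.

```powershell
# Added example, not from the original notes. Placeholders: substitute the CA name
# and server short name paired earlier; they are not real values.
param(
    [string]$OldCaName     = 'OLD-CA-NAME',
    [string]$OldServerName = 'OLD-SERVER'
)
Import-Module ActiveDirectory

$cfg = (Get-ADRootDSE).configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$cfg"

# The four containers the deletion steps above cover. Certificate Templates is
# deliberately left out so nothing here tempts you to touch it.
$containers = 'AIA', 'CDP', 'Certification Authorities', 'Enrollment Services'

$found = foreach ($c in $containers) {
    $base = "CN=$c,$pks"
    # Subtree search: CDP nests a container per server with CRL objects below it,
    # so a one-level search would miss the CRL objects themselves.
    Get-ADObject -SearchBase $base -SearchScope Subtree -Filter * |
        Where-Object { $_.DistinguishedName -ne $base } |
        Select-Object @{ n = 'Container'; e = { $c } }, Name, ObjectClass, DistinguishedName
}

# Everything still published, grouped by container, for a visual sanity check.
$found | Sort-Object Container, DistinguishedName | Format-Table -AutoSize

# Leftovers that still reference the decommissioned CA or its host.
# AIA/Certification Authorities/Enrollment Services objects are named after the CA;
# the CDP container is named after the server, so match on both.
$leftover = $found | Where-Object {
    $_.DistinguishedName -like "*CN=$OldCaName,*" -or
    $_.DistinguishedName -like "*CN=$OldServerName,*"
}

if ($leftover) {
    Write-Warning "Objects referencing '$OldCaName' / '$OldServerName' still exist:"
    $leftover | Format-Table Container, DistinguishedName -AutoSize
} else {
    Write-Host "No objects for '$OldCaName' / '$OldServerName' remain under Public Key Services."
}
```

Run it before the deletion to see exactly which objects belong to the old CA, and again afterwards; an empty leftover list means the AD cleanup is complete.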

There is also a method to recover the certificate templates if they are deleted.

Enabling the AD Recycle Bin and Recovering Objects

This is an easy process. Recovering deleted AD objects using the old methods was not. By default, even in new domains, the AD Recycle Bin is not enabled.

Before doing this, the object lifecycle should be understood. Once the AD Recycle Bin is enabled, a deleted object is considered logically deleted, and its attributes are preserved. It remains in this state until the "Deleted Object Lifetime" period is met. This value is held in the msDS-deletedObjectLifetime attribute, which by default is null and is therefore controlled by the "tombstone lifetime" attribute. At the end of this period, most of the attributes are stripped away and the object enters the "Recycled Object Lifetime" period. At this point the object can no longer be recovered using the AD Recycle Bin, and it behaves like a "tombstoned" object, whose lifecycle is controlled by the tombstone lifetime attribute. The default for this period is 180 days, but older domains may be different. After this period, the object is permanently and physically deleted.

Enabling the AD Recycle Bin

PowerShell example from the MS website:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'

Or for the GUI:

Server Manager -> Tools -> Active Directory Administrative Center (ADAC) -> Manage -> Add Navigation Nodes -> <Domain Name>(local)

In the Tasks pane, click “Enable Recycle Bin”

Recovering Deleted Objects

Server Manager -> Tools -> Active Directory Administrative Center (ADAC) -> Manage -> Add Navigation Nodes -> <Domain Name>(local)-> Deleted Objects

Choose the object to restore and click "Restore" in the Tasks pane. For recovering multiple objects, such as recovering an OU, a search of the web might be necessary to script the recovery.

Note about msDS-deletedObjectLifetime and tombstone lifetime attributes

These can be found and changed using ADSI Edit and PowerShell.

It is worth taking a look at these, especially if the existing domain was created prior to Server 2003, since the default tombstone lifetime was typically only 60 days.

Disable Screen Auto Lock GPO

I do this in my home test networks. It should NOT be done in a production system, or even in test systems where access to the server may be easy for many people.

Create a new GPO and link it where appropriate. Then edit the following:

Computer Configuration -> Policies -> Administrative Templates -> System -> Power Management -> Video and Display Settings -> Turn Off the Display (Plugged In)

Enable it and set “Seconds” to 0.