certificate authority required on a windows domain?

[Soldier101]

is a certificate authority required for a windows domain? I have a domain that spans three locations but all servers are located at a central spot. I have an old exchange box that does nothing but store public folders and it is also a certificate authority. I want to demote that box to a regular box that way I can move the directory to a 2008 level (trying to remove all functions from the old boxes to the new boxes so that I can find what the slow down on my network is)

 

[Wrench00]

Depends on what your doing. On the most part No.

 

[timberdoodle]

You should make sure it is not giving out certificates. If you remove a CA while certificates are still out there you could run into issues where people loose access to resources. I'm not positive what would happen, just be cautious.

 

[nessus]

As long as its not the root enterprise CA, and IPSec isn't confiured to only allow traffic secured with certificates, the problems should be relatively minor.

If it is being used for to secure all network traffic via IPSec and only IPSec secured traffic is allowed; the whole network will lock down. (It should be obvious if this is configured by looking at AD group policies)

If certificates are being used by internal apps/web sites for https, ldaps, or you are using IKEv2 VPN using interally generated certificates, those will break.

 

[Jay_2]

also if you are using self signed apps and using your domain to hand this out and trust them then things may also go a bit wrong.