Hi Everyone,

Please let me know how to delete the CRL from LDAP and HTTP location

Just to clarify, I am not looking to delete the CDP and AIA configured links.

I want to know how to delte the CRL from LDAP and HTTP location.

Regards

Afsar

Hello,

I inherited a domain with a Server 2008 DC hosting an Enterprise PKI.

The CA was used to issue certificates for Exchange (OWA etc.).

I added 2 Server 2016 DC to that domain, so we have 3 DC now.

Next I'm going to replace our Exchange certificate by a public certificate and, in a second step I want to demote the old DC and remove it.

In the CA, aside from the webserver certificate for Exchange, there are certificates for each DC based on the DomainController template and one certificate for the CA based on the CAExchange template.

Just blocking the DC and CAExchange certificates may cause problems, I guess.

How can I get rid of the CA?

Regards

gemini

Hi there,

I have created a CSR using the IIS request process.  Then I submit my request to the RootCA (Domain RootCA Windows Server 2016). Once this is done I download the cert, import it to a personal certificate store and then export it in .pfx format with the key. Then I import the cert to Servnamename/Certificates in IIS.  Add the the cert in the binding details window under 443 and then amend the http forwarding in IIS under the default website to https://myrdweb.net/rdweb.

Certificate is not activate or something because the website still shows as inactive.  Does this happen to have something to do with the fact I have two remoteapp servers and I am using Host A DNS entries in my Active Directory to load balance for example:

remoteappserver1.contoso.com  10.10.1.1

remoteappserver2.contoso.com  10.10.1.2

Host A =  remoteappserver.contoso.com = 10.10.1.1

Host A =  remoteappserver.contoso.com = 10.10.1.2

Any help would be awesome!

Chris

i'm currently struggling to connect to the CA server from my workstation using MMC. My workstation is on a different network with firewall inbetween.

Looking a the logs on my workstations. Port 135 to the CA server was successful but that is it. No other information.

I have checked online but cant find any information regarding firewall access from workstation to CA servers using MMC.

I was wondering if anyone can help.

Hi,

this is in continuance of Enterprise PKI and Domain Controller Certificate

Meanwhile I've replaced the Exchange certificate by a public one and revoked all issued certificates.

Follwing the instructions in How to Decommission a Windows Enterprise Certification Authority and How to Remove All Related Objects and Remove CA from Active Directory I found that the output of certutil -key is different and it returns an error at the end stating "LoadKeys returned The key is not present".

In my opinion there shoud be only one key store for our CA, but it seems there are 5 key stores le-DomainController-.

The "ESTOS SelfCert Container" comes from an Estos ProCall Server which is running on the same Server.

Can anyone explain what this means?

Can I run certutil -delkey against all 5 key stores?

C:\Users\Administrator>certutil -keyMicrosoftStrongCryptographicProvider:7efa5cc9-27b4-48ff-8429-cd805405d09e118a899484943e1c80aee351dca96131_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGEle-DomainController-b0e71049-2c9b-4dc8-901e-1e9954750a823d303ae165fbee46aabb659c0d5729bc_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE

  iisConfigurationKey
  6de9cb26d2b98c01ec4e9e8b34824aa2_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE

  iisWasKey
  76944fb33636aeddb9590521c2e8815a_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE

  MS IIS DCOM Server7a436fe806e483969f48a894af2fe9a1_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE, AT_SIGNATUREle-DomainController-4f2bc3ac-0bfb-4ad4-99ec-e3611a68357982c1c86b4659f92765bfb9b2be512286_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGEle-DomainController-6bc7d558-e348-4808-b04f-a1225ca78270
  a5b5a783601591c4e4182fed4150a68c_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGEle-DomainController-38e1e108-8a73-4949-8bf9-2ee9e014e0e3
  b0ba5295f49ac80dabc71a5b90a60ea5_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGEWMSvcCertificateKeyContainer
  bedbf0b4da5f8061b6444baedf4c00b1_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGEMicrosoftInternetInformationServer
  c2319c42033a5ca7f44e731bfd3fa2b5_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE, AT_SIGNATURE8b87de2b-2318-46f5-b002-e444b2b05c20
  c3cdcb0214c50773c4f7ace229b31f74_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGEle-DomainController-555efd50-6a87-4346-b215-ace84be1d9b2
  cf074b11b2e7e2b417e83bba9b9f0448_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGENetFrameworkConfigurationKey
  d6d986f09a1ee04e24c949879fdb506c_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE

  ESTOS SelfCertContainer
  e1318c97b8e71174961bfb5d6be7df0f_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGETSSecKeySet1
  f686aace6942fb7f7ceb231212eef4a4_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGELoadKeys hat DerSchlüssel ist nicht vorhanden.0x8009000d(-2146893811) zurückgegeben.CertUtil:-key-Befehl wurde erfolgreich ausgeführt.

C:\Users\Administrator>

Hello!

My goal: block ALL network communications between the domain controller and a client computer (Client43).

My actions: On DC I create the two blocking rules (inbound - on the picture - and outbound) that blocks any protocol between DC and Client43.

The result: No packets can travel between DC and Client43 except DHCP packets - Client43 still receives IP address from DC.

Q: Why does the option "Any protocol" not apply to dhcp packets?

Thank you in advance,
Michael

I have created an Enterprise RootCA on Windows server 2016.  For all domain devices it works as intended.  We have an intranet website with an SSL cert issued from the Local RootCA.  For all domain joined systems this is fine, but how can I get the certificate to work for clients on the LAN but not in the domain?

We have a PKI-environment consisting of an (offline) Root CA and two Issuing CA's running Windows Server 2008 R2. I want to migrate the PKI-environment to Windows Servers 2016. I backed up the Root CA and restored it without problems on the Windows Server 2016 OS. I also backed up the first issuing CA and restored it without problems on the Windows Server 2016 OS.

I backed up the second issuing CA and when I want to configure the AD CS and try to restore the backup, I get the error:The imported certificate does not match the chosen CA type and will not be used. However, the imported key can still be used.

I chose the Enterprice CA as setup type of CA. I chose a Subordinate CA as type of CA. Exactly as I did on the first issuing CA.

I tried it via the MMC CA console. I tried it via command prompt using certutil  (certutil.exe -f -resoredb <path>) but than I see CertUtil: No local Certification Authority; use -config option and CertUtil: No more data is available.

I  already made a fresh new backup but that doesn't fix it. I also tried selecting Standalone CA and Subordinate CA (which is wrong but looking at the error I tried) but this does not work either. In need for some despirate help.

Actually the question consists of two parts:

1. It is recommended on multiple source to change the krbtgt account password twice as it has a password history of 2. MS itself provides a script for this purpose, but in the script documentation there is nothing mentioned regarding the double execution of the script. I am interested in the impact of changing the krbtgt password twice. I assume that quickly change the password twice would break replication between DCs? The MS script seem to ensure and check for successful replication of the password, so running it twice consecutively would be ok? Are there other impacts?
2. RODCs have a krbtgt of their own. Following this recommendation https://adsecurity.org/?p=3592 if one wants to cache passwords on RODCs, it is advisable to also change passwords of these accounts regularly. Yet, I found no MS documentation or comment on this and the offered script only targets the standard account (could be for sure easily adapted). Does anyone have experience with this and knows of any drawbacks? 

Environment

1 2003 DC (DC1), 1 2012 R2 DC (DC5) - 2003 Functional Level (I know, upgrading soon), 1 2003 DC that is OFFLINE (DC2)

1 2008 R2 Certificate Authority with SafeNet Authentication Manager that is used for deploying smart cards for 2 factor network login, it's running 2008 R2 Sub Ca - We'll call OldSub.   Server 2003 R2 Offline RootCA - we'll call OldRoot,

1 2012 R2 Cert authority that DOES NOT issue any smart card certs, strictly used right now for SHA256 internal Website Certificates, running 2012 R2 Sub CA - we'll call IssuingCA-NewSub-Sub.  Server 2012 R2 Offline Root CA, we'll call NewRoot.

BOTH Root CA's are pushed out via AD GPO at Domain Level

ALL Windows 7, 8.1 workstations work perfectly with Smart Cards.
All Windows 10 workstations work (so far, just a handful).  Problem exists with Win10 laptops and tablets (this is my issue)  Win10 laptops/tablets are a mixture of 1703, 1709, 1803 (problems exist on all versions).  All workstations/laptops regardless of OS have Safenet Authentication Client 10-10.4 installed (ruled this out as an possibly culprit with vendor).

The main error seen at login screen is
System, Source - Security-Kerberos, Event ID 9

The client has failed to validate the domain controller certificate for dc*.domainname.com. The following error was returned from the certificate validation process: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

(This can be either of the DC's, as both hostnames have appeared.  It looks like it's just whatever DC responds).

I'm not a CA expert, but both Old and New CA's show NO ISSUES when looking at them in Enterprise PKI.

Here is a certutil -tcainfo from dc*.domain.com

C:\Windows\system32>CERTUTIL -tcainfo
================================================================
CA Name: OldSub

Machine Name: OldSub.domain.com

DS Location: CN=OldSub,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuratio
n,DC=domain,DC=com

Cert DN: CN=OldSub, DC=domain, DC=com

CA Registry Validity Period: 2 Years -- 7/18/2020 12:32 PM
 NotAfter: 7/30/2029 2:31 PM

Connecting to OldSub.domain.com\OldSub ...
Server "OldSub" ICertRequest2 interface is alive (16ms)

  Enterprise Subordinate CA

dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 1448 Days, 22 Hours, 24 Minutes, 21 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 1448 Days, 22 Hours, 24 Minutes, 21 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=OldRoot
  NotBefore: 7/30/2014 2:21 PM
  NotAfter: 7/30/2029 2:31 PM
  Subject: CN=OldSub, DC=domain, DC=com
  Serial: 611cb00e00020000000a
  Template: SubCA
  ce123b2f6476786e7460890bbcd984c616e821d7
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 07:
    Issuer: CN=OldRoot
    ThisUpdate: 7/30/2014 2:08 PM
    NextUpdate: 7/31/2044 2:28 AM
    21d1ce4fb72cca8d5a73b268b2b25eeba1368afd

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=OldRoot
  NotBefore: 7/30/2014 2:08 PM
  NotAfter: 7/30/2054 2:18 PM
  Subject: CN=OldRoot
  Serial: 3e9b88d7e6c95b954adf71f6d8fea024
  a7a6969e77707e8ab14013b614fa6b910d5862f9
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  34d51245d2b14f8386427743d97bcda142c05386
Full chain:
  12426490d0245f759ed78da5c06582ec675c0c19
------------------------------------
Verified Issuance Policies: None
Verified Application Policies: All

Supported Certificate Templates:
Cert Type[0]: CAExchange (CA Exchange)
Cert Type[1]: EnrollmentAgent (Enrollment Agent)
Cert Type[2]: MachineEnrollmentAgent (Enrollment Agent (Computer))
Cert Type[3]: AdminSmartcardUser (Admin Smartcard User)
Cert Type[4]: SelfSmartcardUser (Self Smartcard User)
Cert Type[5]: DirectoryEmailReplication (Directory Email Replication)
Cert Type[6]: DomainControllerAuthentication (Domain Controller Authentication)
Cert Type[7]: EFSRecovery (EFS Recovery Agent)
Cert Type[8]: EFS (Basic EFS)
Cert Type[9]: DomainController (Domain Controller)
Cert Type[10]: WebServer (Web Server)
Cert Type[11]: Machine (Computer)
Cert Type[12]: User (User)
Cert Type[13]: SubCA (Subordinate Certification Authority)
Cert Type[14]: Administrator (Administrator)
Validated Cert Types: 15

================================================================
CA Name: IssuingCA-NewSub-Sub

Machine Name: NewSub-Sub.domain.com

DS Location: CN=IssuingCA-NewSub-Sub,CN=Enrollment Services,CN=Public Key Services,CN=Services,
CN=Configuration,DC=domain,DC=com

Cert DN: CN=IssuingCA-NewSub-Sub, DC=domain, DC=com

CA Registry Validity Period: 5 Years -- 7/18/2023 12:32 PM
 NotAfter: 6/7/2022 2:49 PM
WARNING: CA certificate expires before registry validity period.

Connecting to NewSub-Sub.domain.com\IssuingCA-NewSub-Sub ...
Server "IssuingCA-NewSub-Sub" ICertRequest2 interface is alive (0ms)

  Enterprise Subordinate CA

dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 1 Days, 21 Hours, 45 Minutes, 30 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 1 Days, 21 Hours, 45 Minutes, 30 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=NewRoot
  NotBefore: 6/8/2017 11:12 AM
  NotAfter: 6/7/2022 2:49 PM
  Subject: CN=IssuingCA-NewSub-Sub, DC=domain, DC=com
  Serial: 1700000002dba4062a6608fcfd000000000002
  Template: SubCA
  72d18432f662f59129d9388083b4c61a01d92a82
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 06:
    Issuer: CN=NewRoot
    ThisUpdate: 7/16/2018 2:47 PM
    NextUpdate: 7/2/2019 3:07 AM
    1b43a605c055424e90ec80c85140335b311dee60
  Issuance[0] = 1.2.3.4.1455.67.89.5

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=NewRoot
  NotBefore: 6/7/2017 2:39 PM
  NotAfter: 6/7/2022 2:49 PM
  Subject: CN=NewRoot
  Serial: 6f20ddd1ddfddb9d4592a7519c5fd5d8
  79fb8ec0add6ffd6c24323c3bc801ea8d28c1c47
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Issuance[0] = 1.2.3.4.1455.67.89.5

Exclude leaf cert:
  9d28c02ea704acc3a9df9a701f9564610595c5d5
Full chain:
  dcd34c8fa07159a77d0be7e00d1b139bfbecd61c
  Issuer: CN=NewRoot
  NotBefore: 6/8/2017 11:12 AM
  NotAfter: 6/7/2022 2:49 PM
  Subject: CN=IssuingCA-NewSub-Sub, DC=domain, DC=com
  Serial: 1700000002dba4062a6608fcfd000000000002
  Template: SubCA
  72d18432f662f59129d9388083b4c61a01d92a82
A certification chain processed correctly, but one of the CA certificates is not trusted by the poli
cy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
------------------------------------

Supported Certificate Templates:
Cert Type[0]: CAExchange (CA Exchange)
Cert Type[1]: ADFSSSLCertificate (ADFS SSL Certificate)
Cert Type[2]: CorpNameCiscoWeb (CorpName CiscoWeb)
Cert Type[3]: WebServer (Web Server)
Cert Type[4]: CorpNameWeb (CorpNameWeb)
Cert Type[5]: CorpNameWebServerTemplate (CorpName Web Server Template)
Cert Type[6]: TrainingTemplate (Training Template)
Cert Type[7]: Client-ServerAuthentication (Client-Server Authentication)
Validated Cert Types: 8

================================================================
OldSub.domain.com\OldSub:
  Enterprise Subordinate CA
  Online

NewSub-Sub.domain.com\IssuingCA-NewSub-Sub:
  Enterprise Subordinate CA
  A certification chain processed correctly, but one of the CA certificates is not trusted by the po
licy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
  Online

CertUtil: -TCAInfo command completed successfully.

Here's certutil - dcinfo

C:\Windows\system32>certutil -dcinfo
0: DC1
1: DC2
2: DC5

*** Testing DC[0]: DC1
** Enterprise Root Certificates for DC DC1
Certificate 0:
Serial Number: 3e9b88d7e6c95b954adf71f6d8fea024
Issuer: CN=OldRoot
 NotBefore: 7/30/2014 2:08 PM
 NotAfter: 7/30/2054 2:18 PM
Subject: CN=OldRoot
CA Version: V2.2
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): f9 62 58 0d 91 6b fa 14 b6 13 40 b1 8a 7e 70 77 9e 96 a6 a7

** KDC Certificates for DC DC1
Certificate 0:
Serial Number: 1646659600020000071d
Issuer: CN=OldSub, DC=domain, DC=com
 NotBefore: 7/16/2018 9:34 PM
 NotAfter: 7/16/2019 9:34 PM
Subject: CN=DC1.domain.com
Certificate Template Name (Certificate Type): DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Cert Hash(sha1): 21 07 5e 16 ff ca cb fc e5 6f 7f ae 14 2f ac a1 14 89 1e d0

1 KDC certificates for DC1

*** Testing DC[1]: DC2
DC UNAVAILABLE: The network path was not found. 0x80070035 (WIN32: 53 ERROR_BAD_NETPATH)

*** Testing DC[2]: DC5
** Enterprise Root Certificates for DC DC5
Certificate 0:
Serial Number: 3e9b88d7e6c95b954adf71f6d8fea024
Issuer: CN=OldRoot
 NotBefore: 7/30/2014 2:08 PM
 NotAfter: 7/30/2054 2:18 PM
Subject: CN=OldRoot
CA Version: V2.2
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): f9 62 58 0d 91 6b fa 14 b6 13 40 b1 8a 7e 70 77 9e 96 a6 a7

** KDC Certificates for DC DC5
Certificate 0:
Serial Number: 1649b72e00020000071e
Issuer: CN=OldSub, DC=domain, DC=com
 NotBefore: 7/16/2018 9:37 PM
 NotAfter: 7/16/2019 9:37 PM
Subject: CN=DC5.domain.com
Certificate Template Name (Certificate Type): DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Cert Hash(sha1): 32 f6 9f ec 15 ba 6c 3c b8 79 36 7f 99 26 7c 80 75 ff 1d a5

1 KDC certificates for DC5

CertUtil: -DCInfo command FAILED: 0x80070035 (WIN32: 53 ERROR_BAD_NETPATH)
CertUtil: The network path was not found.

Hello Team,

Can you please suggest me that if it is possible to convert RSA private Key to SSH2 Private key. If so, please suggest how to do it.

Thanks in Advance

Sreeram.R

Shriram

Hi Team,

We have CA which is running on Windows 2012 R2 which is issuing the certificate for DCs through auto enrollment mechanism. Now we got a new DC which is running on Windows 2016 and the certificate is not getting enrolled for the new DC. We are getting the below errors.

Automatic certificate enrollment for local system failed (0x80094004) The requested property value is empty.

Certificate enrollment for Local system failed to enroll for a **** certificate with request ID **** from CA Server\CA (The requested property value is empty. 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)).

The new DC is in the same OU and group where all other DCs are placed. Not sure why this single DC is failing to get enrolled for a certificate. Please advise on this.

Hi Support,

Will below mentioned MS Patch applicable for the windows server 2012 R2 standard edition,

Apply Security Only update KB4022718 or Cumulative update KB4022724.
Apply Security Only update KB4022718 or Cumulative update KB4022724.
Apply Security Only update KB4022718 or Cumulative update KB4022724.

Regards

Suresh

Hi,

Recently got a SSL certificate from a Windows 2012 R2 Enterprise CA. I don't see the Private key in the certificate. I generated the CSR on the same server where I am importing the certificate. 

So to bring back the Private key, I tried running certutil -repairstore my 'serial number' in a elevated command prompt and it prompts me to insert a smart card. There is no smart card as such. 

If I cancel that, the command fails with Access denied error. 

did a lot of online search but I don't see a valid solution. 

Please help!

I have a client who is running two separate and isolated Active Directory forests:

• Company 1 (single ad domain in single forest)
  
• Win2012 AD (company1.private)
• Exchange 2013 server
• subnet: 192.168.x.x/16 (vlan1)

• Company 2 (single ad domain in single forest)
• Win2008 AD (company2.local)
• Win2012 RDS server
• subnet: 10.0.0.x/24 (vlan2)

Admin, marketing, sales, management, etc staff user and devices are located in Company1. Company2 is used by trainers and students. Historically, the two companies were setup so that there was complete isolation between the two. However, over time, the two have begun sharing resources. For example, both have moved away from physical servers and now operate on virtual servers running from the same hosts/sans. Likewise, both companies share the same physical switches and router/firewall. 

Management have now asked if we should migrate company2.local servers/workstations over to company1.private domain. The reason for this is so company2 users can have Exchange mailboxes, easier access to company1 file data and sharing data in general. For IT management reasons this sounds great, however, from a security point of view, surely if better to keep the two isolated. There have been several occasions, over the years, where pupils have caused problems, such as connecting an infected memory stick.

What would the best practices be in this situation? Anyone been in a similar situation or have any advise? 

Is there a way you can update your CRL distribuion points for you RootCA?  

When I go the properties of my 2012R2 CA I can see where I add/change fields to what I want, but after I make the change the CA certificate will not have the updated CRL locations.  Is it possible to update the certificate?

I'm looking to import my RootCA into Exchange for S/MIME certificate verification but the RootCA cert doesn't have the updated CRL locations.

----E----