Hi,
As part of my AD 2003 to 2008R2 upgrade, I am poking about in the domain to see if there are any certificate authorities configured, etc.
I have found that there appears to have been a Windows 2000 domain controller in the 2002-2005 timeframe that was configured as an enterprise root certificate authority. As far as I can tell, there are no applications or services that depend on that (the DC in question was removed around 2005, many years before my time at this employer!); subsequently several 2003 DCs were created.
I have, however, discovered that each and every domain-joined computer seems to have a certificate listed under Intermediate Certification Authorities (valid 10/29/2003 to 10/29/2005) that lists the DNS domain name in the Issued To and Issued By fields. The CRL distribution point lists the old domain controller name. I am trying to find out WHERE this certificate is coming from and not having much success so far. The last computer added to the domain (a new 2008R2 domain controller) also gets this certificate added under Intermediate Certification Authorities, so whatever mechanism is used to deploy this certificate throughout the domain is still active.
My best guess was maybe a manual deployment via a GPO, and the Default Domain Policy would make the most sense, but I have checked there under Computer Configuration | Policies | Security Settings | Public Key Policies (checked all nodes here, but especially the Intermediate Certification Authorities node).
I will manually look through each policy I guess (there are several dozen), but does anyone have any insight? Maybe I am approaching this wrongly?
I tried Group Policy Modeling for a particular server object; only a couple of policies are applied as far as I can tell, but I haven't found any certs being deployed by those policies. Is it possible this is a User Configuration policy somewhere, I wonder? I thought you couldn't deploy to the Intermediate Certification Authorities node with a user policy?
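The following is an added example, not code from the original post or from anyone replying to it, for tracing where a certificate in the computer's Intermediate Certification Authorities store comes from. The logical "CA" store shown in the MMC is the union of three physical stores, each backed by its own registry hive: the machine's local store under HKLM\SOFTWARE\Microsoft\SystemCertificates, certificates delivered by Group Policy Public Key Policies under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates, and the Enterprise store under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates, which autoenrollment fills from the CN=Public Key Services containers in the Configuration naming context with no GPO certificate setting involved (objects in the AIA container land in Intermediate Certification Authorities; objects in Certification Authorities land in Trusted Root). The script finds the certificate by subject, prints its CRL distribution point, reports which physical store holds it, and checks whether the same thumbprint is published in AD. The subject fragment is an assumed placeholder; run it from an elevated PowerShell prompt on a domain-joined machine.

```powershell
# Added example (not from the original post). Locates a certificate in
# Cert:\LocalMachine\CA, shows which physical store delivered it, and checks
# whether AD still publishes it. Run elevated on a domain member.

# ASSUMPTION: placeholder; replace with the name shown in the "Issued to" field.
$SubjectPattern = 'CN=corp.example.com'

function Get-CertPhysicalStore {
    # Each physical store keeps one registry key per certificate, named by thumbprint.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $stores = @{
        'Local registry'  = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\$($Cert.Thumbprint)"
        'Group Policy'    = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\$($Cert.Thumbprint)"
        'Enterprise (AD)' = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\$($Cert.Thumbprint)"
    }
    foreach ($entry in $stores.GetEnumerator()) {
        if (Test-Path $entry.Value) { "  physical store : $($entry.Key)  [$($entry.Value)]" }
    }
}

function Find-CertInAD {
    # Compare the thumbprint against every cACertificate value published under
    # CN=Public Key Services in the Configuration naming context.
    param([string]$Thumbprint)

    $rootDse = [ADSI]'LDAP://RootDSE'
    $pkiBase = "CN=Public Key Services,CN=Services,$([string]$rootDse.configurationNamingContext)"

    $objects = @()
    foreach ($cn in 'CN=AIA', 'CN=Certification Authorities', 'CN=Enrollment Services') {
        $objects += @(([ADSI]"LDAP://$cn,$pkiBase").Children)
    }
    $objects += [ADSI]"LDAP://CN=NTAuthCertificates,$pkiBase"

    foreach ($obj in $objects) {
        # cACertificate is multi-valued; each value is a DER-encoded certificate.
        foreach ($raw in $obj.Properties['cACertificate']) {
            $adCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,[byte[]]$raw)
            if ($adCert.Thumbprint -eq $Thumbprint) {
                "  published in AD: $($obj.distinguishedName)"
            }
        }
    }
}

$hits = Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Subject -like "*$SubjectPattern*" }
if (-not $hits) { "No certificate matching '$SubjectPattern' in Cert:\LocalMachine\CA" }

foreach ($cert in $hits) {
    $selfSigned = if ($cert.Subject -eq $cert.Issuer) { ' (self-signed)' } else { '' }
    "Subject    : $($cert.Subject)"
    "Issuer     : $($cert.Issuer)$selfSigned"
    "Valid      : $($cert.NotBefore.ToShortDateString()) to $($cert.NotAfter.ToShortDateString())"
    "Thumbprint : $($cert.Thumbprint)"
    # OID 2.5.29.31 is the CRL Distribution Points extension, which names the issuing host.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) { "CDP        : $($cdp.Format($false))" }
    Get-CertPhysicalStore -Cert $cert
    Find-CertInAD -Thumbprint $cert.Thumbprint
}
```

If the thumbprint shows up only in the Enterprise physical store and in one of the AD containers, no GPO is deploying it; every domain member refreshes that store from AD on its own (the same view is available with `certutil -store -enterprise CA`). Stale entries in those containers can be reviewed from the Enterprise PKI snap-in (pkiview.msc, Manage AD Containers); export any certificate before removing it.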