July 20, 2008 02:12am pdt

1. tigermatt 179,394
2. KCTS 164,415
3. MrHusy 101,075
4. LeeTutor 89,457
5. and235100 81,005
6. arnold 74,076
7. martin_b... 65,753
8. oBdA 59,700
9. leew 52,549
10. nobus 49,806
11. slam69 49,804
12. briancassin 49,687
13. JSoup 46,882
14. rindi 44,689
15. johnb6767 42,006

1. MrHusy 631,878
2. KCTS 552,228
3. farhankazi 473,187
4. tigermatt 254,596
5. johnb6767 225,863
6. LeeTutor 184,731
7. sirbounty 174,632
8. oBdA 154,674
9. and235100 151,762
10. RobSampson 146,432
11. leew 135,124
12. rindi 129,663
13. Sheharya... 109,361
14. TechSoEasy 107,175
15. nobus 96,378

01.09.2008 at 08:34AM PST, ID: 23069908

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

7.4

Howto renew an expired domain controller certificate?

Zones: Microsoft Operating Systems, Windows 2003 Server, Microsoft Server

Tags: Microsoft, Windows 2003 Server, 2003

How to renew an expired cert on a windows 2003 Domain controller. Howto check for autoenrollment and force autoenrollment.

Start your free trial to view this solution

Question Stats

Zone: OS

Question Asked By: ebetancourth

Solution Provided By: Pber

Participating Experts: 2

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
Automotive
New Net Users
New Users

Software
Digital Music
Gaming World
Home Security

Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Displays / Monitors
Handhelds / PDAs
Components
Peripherals
Laptops/Notebooks

Servers
Misc
Apple
Embedded Hardware
Networking Hardware

Storage
Desktops
New Users

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMware
Misc
Web Development

OS
CYGWIN
Voice Recognition
Virtualization
Message Queue
Quality Assurance
Security
Firewalls

MultiMedia Applications
Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals
Devices

Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
Web Computing
WebApplications
IDS
Vulnerabilities
Email Clients
File Sharing

Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Consulting
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMware

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel
Automation

Algorithms
Game
Signal Processing
Project Management
Open Source
Database

Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Web Services

Images
Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration

WebApplications
Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Web Computing

Broadband
Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Lounge
Business Travel
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles
Automotive

Community Support

Suggestions
New to EE
New Topics
CleanUp

Announcements
General
Feedback

Input
EE Bugs

01.09.2008 at 08:38AM PST, ID: 20619622

Rank: Master

Firebar:

Hi,

The only way I know to do this would be to remove the specific machine as a domain controller from Active Directory

01.09.2008 at 08:51AM PST, ID: 20619770

ebetancourth:

Let me clarify one important point. AD / Domain Controller same server

01.09.2008 at 08:53AM PST, ID: 20619801

Rank: Master

Firebar:

Alright, you have only one domain controller? Is tha domain controller the same machine that runs certificate services?

If so, then you need to remove certificate services. Once the root certificate expires for the DC on the CA, it's over...

01.09.2008 at 08:53AM PST, ID: 20619803

Rank: Sage

Pber:

The best way would be to delete the old certificate and then ensure autoenrollment of the DC certificate template is enabled and then reboot the DC.

First on the CA:
Load the certificate template MMC
(Start run, MMC, File Add/Remove Snap-in, Add, Certificates Templates, Add, Close, OK)
Find the Domain Controller Authentication template and double click
Select the Security TAB
find the domain Controllers entry and make sure Enroll and Autoenroll is checked in the permissions
Click OK.

Next on the DC:
Load the Certificates MMC and then target it at the computer account.
(Start run, MMC, File Add/Remove Snap-in, Add, Certificates, Add, Computer Account, Next, Finish, Close, OK)
Expand the Certificates (Local Computer) and then the Personal subfolder, then the certificate folder.
Ensure that the certificate is expired and is using the Domain Controller template.
If so, delete it.

Reboot. The DC should request a new certificate.

Assisted Solution

01.09.2008 at 08:59AM PST, ID: 20619881

Rank: Sage

Pber:

Firebar makes a good point, Is this your Client/Server Authentication certificate (i.e. Domain Controller Template) or is this your CA's certificate? If it's the CA's certificate and it's the root, as Firebar mentioned, you are done. You need to re-install.

01.09.2008 at 10:25AM PST, ID: 20620714

ebetancourth:

Hello Pber,
I follow your steps with no sucess. I resolved the problem by creating the cert manually thru Local Computer. (Right Click Certificates > All Tasks > Create New Request.

01.09.2008 at 11:36AM PST, ID: 20621439

Rank: Sage

Pber:

That would work to.

Does the CA have the Domain Controller template defined in its Certificate Template folder?

Also check the properties of the Policy Module TAB of the CA. The Request Handling needs to be set to "Follow the settings in the certificate template"

Both items above are in the CA MMC

Assisted Solution

01.09.2008 at 11:41AM PST, ID: 20621513

Rank: Sage

Pber:

See these as well:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
http://technet2.microsoft.com/windowsserver/en/library/d08181ca-4fac-4ca7-8171-b66e9e65606e1033.mspx?mfr=true

Assisted Solution

01.09.2008 at 11:48AM PST, ID: 20621595

Rank: Sage

Pber:

Actually I think I missed one thing, you need to turn on autoenrollment in GPO.

Load the GPO for your DC's. By default "Default Domain Controller Policy"

go here:

Computer Configuration, Windows Settings, Security Settings, Public Key Policies

Select the Autoenrollment Settings and Select the "Enroll certificates automatically"
Wait for replication, do a gpupdate /force on the computer.

Reboot the DC and now it should have the new Certificate.

Accepted Solution

20080236-EE-VQP-29 / EE_QW_2_20070628