Edwin Betancourth

How to renew an expired domain controller certificate?

How to renew an expired cert on a Windows 2003 domain controller.  How to check for autoenrollment and force autoenrollment.
Jason Watkins

Hi,

The only way I know to do this would be to remove the specific machine as a domain controller from Active Directory.
Edwin Betancourth

ASKER

Let me clarify one important point.  AD / Domain Controller same server
Alright, you have only one domain controller?  Is that domain controller the same machine that runs certificate services?

If so, then you need to remove certificate services.  Once the root certificate expires for the DC on the CA, it's over...
SOLUTION
Pber
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Firebar makes a good point, Is this your Client/Server Authentication certificate (i.e. Domain Controller Template) or is this your CA's certificate?  If it's the CA's certificate and it's the root, as Firebar mentioned, you are done.  You need to re-install.
Hello Pber,
I followed your steps with no success.  I resolved the problem by creating the cert manually thru Local Computer (right-click Certificates > All Tasks > Create New Request).
Pber, thanks for your solution.

Additionally, if you need to renew a certificate before its expiration date, then (according to Pber's solution above):
1. Load the Certificates MMC and then target it at the computer account:
'Start' -> 'Run' -> 'MMC' -> 'File' -> 'Add/Remove Snap-in' -> 'Add' -> 'Certificates' -> 'Add' -> 'Computer Account' -> 'Next' -> 'Finish' -> 'Close' -> 'OK'
2. Expand: 'Certificates (Local Computer)' -> 'Personal' -> 'Certificates'.
3. Right click on the 'Domain Controller certificate' -> 'All tasks' -> 'Renew/Request Certificate with New/Same Key' -> 'Next' -> 'Yes' (to keep default key settings) or 'No' (to enter new values) -> 'Next' -> choose Key Length (recommended at least 2048) -> 'Next' -> 'Next' -> 'Finish'.
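
A scripted counterpart to the check-and-renew question in this thread, as an added example that is not from any of the posters: it lists the certificates in the computer's Personal store, flags those close to expiry or below the 2048-bit key length recommended above, and then triggers autoenrollment. It assumes PowerShell is installed on the domain controller and that an autoenrollment policy and template permission are already configured; the 30-day threshold is an assumed value.

```powershell
# Added example. Assumptions: run as an administrator on the DC, PowerShell
# installed, autoenrollment already enabled through Group Policy.
$warnDays    = 30                        # assumed warning window, adjust as needed
$minKeyBits  = 2048                      # key length recommended in the thread
$templateOid = '1.3.6.1.4.1.311.20.2'    # "Certificate Template Name" extension (v1 templates)
$deadline    = (Get-Date).AddDays($warnDays)

# Same store the MMC steps open: Certificates (Local Computer) > Personal.
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, NotAfter, Thumbprint,
        @{ Name = 'Template'; Expression = {
            $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
            if ($ext) { $ext.Format($false) } else { '' }
        } },
        @{ Name = 'KeyBits'; Expression = { $_.PublicKey.Key.KeySize } }

$certs | Format-Table Template, NotAfter, KeyBits, Subject -AutoSize

# Certificates that are expired or will expire inside the warning window.
$expiring = @($certs | Where-Object { $_.NotAfter -lt $deadline })
# Certificates whose key is shorter than the recommended minimum.
$weak     = @($certs | Where-Object { $_.KeyBits -and $_.KeyBits -lt $minKeyBits })

foreach ($c in $weak) {
    Write-Host "Key shorter than $minKeyBits bits: $($c.Subject) [$($c.Thumbprint)]"
}

if ($expiring.Count -gt 0) {
    foreach ($c in $expiring) {
        Write-Host "Expired or expiring: $($c.Subject) (NotAfter $($c.NotAfter))"
    }
    # Refresh computer policy so the autoenrollment setting is current,
    # then ask the autoenrollment engine to run immediately.
    gpupdate /target:computer /force
    certutil -pulse
} else {
    Write-Host "No certificate expires within $warnDays days."
}
```

If the listing still shows the old expiry date after the pulse, autoenrollment did not issue a replacement, and the manual request through the Certificates snap-in described in this thread remains the fallback.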