CA expiring on Server 2008 R2

I have a Server 2008 R2 server with ADCS. Last April, I replaced the Server 2003 CA (and DC) server and migrated the CA to the 2008 R2 server (also DC). It has the same machine name and I did not create a new CA when I migrated. The following errors recently appeared in the application log:

Source: CertificationAuthority
Event ID: 77
The "Windows default" Policy Module logged the following warning: The Active Directory connection to COMPUTER.DOMAIN.Local has been reestablished to COMPUTER.DOMAIN.Local.

Source: CertificationAuthority
Event ID: 53
Active Directory Certificate Services denied request 11 because The certificate template renewal period is longer than the certificate validity period. The template should be reconfigured or the CA certificate renewed. 0x80094814 (-2146875372).  The request was for CN=COMPUTER.DOMAIN.Local.  Additional information: Denied by Policy Module  Renewing a certificate with the DomainController Certificate Template failed because the renewal overlap period is longer than the certificate validity period.

Looking in the MMC, the CA Certificate expires 1/28/2012. There are also 2 Basic EFS Certificates.

Should I renew the current certificate or create a new one? Can you direct me to step-by-step instructions for the preferred solution?

Thanks.
fisher_kingAsked:

ghodderCommented:
You should renew the existing CA certificate. Any newly granted certificates will be based off it, and the CA will automatically begin validating against the new CA certificate once the old one expires.
0
fisher_kingAuthor Commented:
Thanks for the reply.

From within the ADCS MMC, do I just right-click on the server, select All Tasks, then Renew CA Certificate?
0
ghodderCommented:
The steps would be:

1. Log in to the CA server
2. Open the Certification Authority MMC
3. Right-click your CA server name in the left tree
4. Open "All Tasks"
5. Select "Renew CA certificate"
6. You will be prompted that Certificate Services needs to stop; click OK
7. Follow the wizard, which will restart Certificate Services at the end

0

ghodderCommented:
Once that process is complete, if you right-click the server and go to Properties, you will see that you now have 2 CA certificates. If you look at the Details tab of the new certificate, you should see that "Previous CA Certificate Hash" matches the "Thumbprint" value in the details of the older certificate, meaning the newer certificate can validate certificates generated by the older CA certificate.
0
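The hash comparison described in the comment above can also be scripted. This is an added example, not part of the original thread: it assumes both CA certificates were exported to .cer files (the paths are placeholders) and that the extension value is a DER OCTET STRING holding the 20-byte SHA-1 hash.

```powershell
# Added example: check that a renewed CA certificate links back to the one it replaced.
param(
    [string]$OldCertPath = 'C:\Temp\ca-old.cer',   # placeholder: export of the older CA certificate
    [string]$NewCertPath = 'C:\Temp\ca-new.cer'    # placeholder: export of the renewed CA certificate
)

# OID of the "Previous CA Certificate Hash" extension shown on the Details tab
$PrevHashOid = '1.3.6.1.4.1.311.21.2'

function Get-PreviousCaCertHash {
    param($Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $PrevHashOid }
    if (-not $ext) { return $null }   # a CA certificate that was never renewed has no such extension
    $raw = $ext.RawData
    # Assumed encoding: tag 0x04 (OCTET STRING), length 20, then the SHA-1 hash
    if ($raw.Length -ne 22 -or $raw[0] -ne 0x04 -or $raw[1] -ne 20) {
        throw "Unexpected encoding for extension $PrevHashOid"
    }
    return [BitConverter]::ToString($raw, 2, 20).Replace('-', '')
}

$certType = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$old = New-Object $certType ((Resolve-Path $OldCertPath).Path)
$new = New-Object $certType ((Resolve-Path $NewCertPath).Path)
$prevHash = Get-PreviousCaCertHash $new

$result = New-Object PSObject -Property @{
    OldThumbprint  = $old.Thumbprint
    PreviousCaHash = $prevHash
    HashMatches    = ($prevHash -ne $null) -and ($prevHash -eq $old.Thumbprint)
    SameSubject    = $new.Subject -eq $old.Subject
    OldNotAfter    = $old.NotAfter
    NewNotAfter    = $new.NotAfter
    ExpiryExtended = $new.NotAfter -gt $old.NotAfter
}
$result | Format-List

if (-not ($result.HashMatches -and $result.SameSubject -and $result.ExpiryExtended)) {
    Write-Warning 'The renewed CA certificate does not link back to the older one as expected.'
}
```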
fisher_kingAuthor Commented:
Thank you very much for the prompt replies and the clear instructions.
0