
Certificate for local system expired - Event ID 64

Posted on 2012-08-29
Last Modified: 2014-02-24
I am getting an error on one of my domain controllers. It is a Windows 2008 server.

Event ID 64

CertificateServicesClient-AutoEnrollment

Certificate for local system with Thumbprint f1 fd c8 e3 af ef 2f 2a c1 ea f0 d5 1c 70 04 e7 31 55 e8 32 is about to expire or already expired.

Basically I have tried to renew the certificate but the server it was issued by does not exist anymore.

How do I go about issuing a new / replacement certificate?

Thanks for your help
0
Question by:mmcodefive
9 Comments
 
LVL 17

Expert Comment

by:James Haywood
ID: 38349100
If the CA that originally issued the cert is no longer available then you will need to build a new CA.

Do you actually need a certificate for this server? If there are no services requiring certs then building a complete new CA is not necessary (unless you want to?).
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38349552
Build and Deploy the Root Certificate Authority
http://technet.microsoft.com/en-us/library/cc501466.aspx

Install Certificate Services on Windows Server 2008 R2
http://d3planet.com/rtfb/2009/11/10/install-certificate-services-on-windows-server-2008-r2/

Installing And Configuring Certificate Services On Windows Server 2008 Part II
http://www.lockergnome.com/uncategorized/2008/03/17/installing-and-configuring-certificate-services-on-windows-server-2008-part-ii-2/

Install a Root Certification Authority
http://technet.microsoft.com/en-us/library/cc731183.aspx

- Rancy
0
 
LVL 6

Author Comment

by:mmcodefive
ID: 38350589
hhaywood / Rancy - I don't think I need SSL services but all my domain controllers have SSL certs installed on them that point to my dead server. Can I delete the certs or am I safer creating an authority and then pointing my domain controllers over to it?

Thanks
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38350773
I safer creating an authority and then pointing my domain controllers over to it? -- I would like to create a New CA and point to it before doing anything as it should break the functionality.

- Rancy
0
 
LVL 6

Author Comment

by:mmcodefive
ID: 38363536
I installed my new certificate authority. How do I point my DCs over to use it? Also, do I just delete the expired certificate that is pointed to the old nonexistent DC?

Thanks for your help
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 39840616
Delete the older certs, create new requests, and install the new certs.
0
 
LVL 84

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 1000 total points
ID: 39840773
http://vimeo.com/35053082 Watch the video to make sure you have it set up correctly.
0
 
LVL 38

Accepted Solution

by:Mahesh
Mahesh earned 1000 total points
ID: 39841611
Just asking you a simple question.
Have you configured any application that sets up an SSL LDAP connection (TCP 636) to your DC?
I guess not.
In that case you can simply delete all old expired certificates pointing to the old CA server from all domain controllers.

Ensure that you have installed a new AD-integrated enterprise root CA so that it can take care of all domain controllers and will automatically enrol the domain controller certificate.
If your AD replication is running properly, then the CA configuration will be replicated to all DCs without any issue. Then just reboot all domain controllers one by one so that they will install the DC certificate automatically after reboot.
Even if it's not installed automatically, you can request one if required.

If you have any application that is using SSL LDAP, then you need to open up the MMC console on the domain controller, add the Certificates snap-in for the local service, select Active Directory as the service there, and add the new certificate there.
http://support.microsoft.com/kb/321051

Then you can simply delete all old expired certificates pointing to the old CA server from all domain controllers.

Mahesh
0
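
The checks in the accepted answer, as an added PowerShell example that is not part of the original thread: it inventories the DC's computer certificate store, flags expired certificates and the one named in the Event ID 64 message, saves a copy of each public certificate, and looks for live LDAPS sessions before anything is deleted. The backup folder `C:\CertBackup` is an assumption; the thumbprint is the one quoted in the question.

```powershell
# Added example (not from the thread). Read-only apart from writing .cer backups.
# Thumbprint as reported in the Event ID 64 message on this page, spaces removed.
$eventThumbprint = ('f1 fd c8 e3 af ef 2f 2a c1 ea f0 d5 1c 70 04 e7 31 55 e8 32' -replace '\s', '').ToUpper()
$backupDir = 'C:\CertBackup'    # assumed path for this example
$now       = Get-Date
$ekuType   = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$cerFormat = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert

if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }

# 1. Inventory the computer's personal store: who issued each certificate,
#    whether it has expired, and whether it is the one named in the event.
$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Enhanced key usages show whether the certificate could be serving LDAPS
    # (Server Authentication) or is used for something else.
    $eku = @($cert.Extensions | Where-Object { $_ -is $ekuType } |
             ForEach-Object { $_.EnhancedKeyUsages } |
             ForEach-Object { $_.FriendlyName }) -join ', '
    # Keep a copy of the public certificate before anything is removed.
    $file = Join-Path $backupDir ($cert.Thumbprint + '.cer')
    [System.IO.File]::WriteAllBytes($file, $cert.Export($cerFormat))
    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt $now)
        InEvent64  = ($cert.Thumbprint -eq $eventThumbprint)
        Usages     = $eku
    }
}
$report | Sort-Object NotAfter |
    Format-Table InEvent64, Expired, NotAfter, Issuer, Usages, Thumbprint -AutoSize

# 2. Is anything talking LDAPS to this DC right now? (local port 636)
$ldaps = @(netstat -an | Select-String '^\s*TCP\s+\S+:636\s+\S+\s+ESTABLISHED')
"Established LDAPS (TCP 636) connections: $($ldaps.Count)"
$ldaps | ForEach-Object { $_.Line.Trim() }

# 3. After review, removal and re-enrolment are done per certificate with certutil:
#      certutil -delstore My <thumbprint>
#      certutil -pulse      # trigger autoenrollment against the new enterprise CA
```

The `netstat` check is a point-in-time snapshot, so an application that binds over LDAPS only occasionally will not show up unless the check is repeated over a representative period.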
 
LVL 6

Author Comment

by:mmcodefive
ID: 39883344
I needed CA services before and now I don't. I did some review and I don't even have the role installed. I am going to award points for your help.
0

Question has a verified solution.