Certificate for local system expired - Event ID 64

I am getting an error on one of my domain controllers. It is a Windows 2008 server.

Event ID 64

CertificateServicesClient-AutoEnrollment

Certificate for local system with Thumbprint f1 fd c8 e3 af ef 2f 2a c1 ea f0 d5 1c 70 04 e7 31 55 e8 32 is about to expire or already expired.

Basically I have tried to renew the certificate but the server it was issued by does not exist anymore.

How do I go about issuing a new / replacement certificate?

Thanks for your help
Asked by: mmcodefive

Mahesh (Architect) commented:
Just asking you a simple question.
Have you configured any application that is setting up an SSL LDAP connection (TCP 636) to your DC?
I guess not.
In that case you can simply delete all old expired certificates from all domain controllers pointing to the old CA server.

Ensure that you have installed a new AD-integrated enterprise root CA so that it can take care of all domain controllers and will automatically enrol the domain controller certificate.
If your AD replication is running properly, then the CA configuration will be replicated to all DCs without any issue. Then just reboot all domain controllers one by one so that they install the DC certificate automatically after reboot.
Even if it's not installed automatically, you can request one if required.

If you have any application that is using SSL LDAP, then you need to open up the MMC console on the domain controller and add the certificate snap-in for local service, and there you need to select Active Directory as a service and add the new certificate there:
http://support.microsoft.com/kb/321051

Then you can simply delete all old expired certificates from all domain controllers pointing to the old CA server.

Mahesh
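
The check the answer above starts from (is anything on this DC still relying on a certificate from the old CA, and could LDAPS be using it?) can be made from the certificate store itself. This is an added example, not part of any post in the thread; it assumes PowerShell 2.0 or later run as administrator on the domain controller, and the function and variable names are made up for illustration.

```powershell
# Added example. Read-only: it lists certificates and deletes nothing.
# Thumbprint exactly as Event ID 64 printed it in the question above.
$eventThumbprint = 'f1 fd c8 e3 af ef 2f 2a c1 ea f0 d5 1c 70 04 e7 31 55 e8 32'
# The Cert: drive shows thumbprints as upper-case hex with no spaces.
$wanted = ($eventThumbprint -replace '[^0-9a-fA-F]', '').ToUpper()
# Server Authentication EKU: the usage an LDAPS (TCP 636) certificate must carry.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'

function Get-DcCertReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    $now = Get-Date
    foreach ($cert in (Get-ChildItem -Path $StorePath)) {
        # Collect EKU OIDs from the typed extension. A certificate with no
        # EKU extension at all reports ServerAuth = False in this report.
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
            }
        }
        New-Object PSObject -Property @{
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer            # shows which CA issued it
            NotAfter    = $cert.NotAfter
            Expired     = ($cert.NotAfter -lt $now)
            HasKey      = $cert.HasPrivateKey
            ServerAuth  = ($ekuOids -contains $serverAuthOid)
            FromEvent64 = ($cert.Thumbprint -eq $wanted)
        }
    }
}

$report  = @(Get-DcCertReport)
$columns = 'FromEvent64','Expired','ServerAuth','HasKey','NotAfter','Issuer','Subject','Thumbprint'
$report | Sort-Object NotAfter | Select-Object $columns | Format-List

# A certificate that is still valid, has a private key and allows Server
# Authentication is a candidate for LDAPS; zero candidates means LDAPS has
# nothing valid to present on this DC.
$usable = @($report | Where-Object { -not $_.Expired -and $_.HasKey -and $_.ServerAuth })
"Valid Server Authentication certificates with a private key: $($usable.Count)"
```

The row with FromEvent64 = True is the certificate the event is complaining about; its Issuer field confirms whether it came from the retired CA before it is removed.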

James Haywood commented:
If the CA that originally issued the cert is no longer available then you will need to build a new CA.

Do you actually need a certificate for this server? If there are no services requiring certs then building a complete new CA is not necessary (unless you want to?).

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
Build and Deploy the Root Certificate Authority
http://technet.microsoft.com/en-us/library/cc501466.aspx

Install Certificate Services on Windows Server 2008 R2
http://d3planet.com/rtfb/2009/11/10/install-certificate-services-on-windows-server-2008-r2/

Installing And Configuring Certificate Services On Windows Server 2008 Part II
http://www.lockergnome.com/uncategorized/2008/03/17/installing-and-configuring-certificate-services-on-windows-server-2008-part-ii-2/

Install a Root Certification Authority
http://technet.microsoft.com/en-us/library/cc731183.aspx

- Rancy

mmcodefive (author) commented:
hhaywood / Rancy - I don't think I need SSL services, but all my domain controllers have SSL certs installed on them that point to my dead server. Can I delete the certs, or am I safer creating an authority and then pointing my domain controllers over to it?

Thanks

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
I safer creating an authority and then pointing my domain controllers over to it? -- I would like to create a New CA and point to it before doing anything as it should break the functionality.

- Rancy

mmcodefive (author) commented:
I installed my new certificate authority. How do I point my DCs over to use it? Also, do I just delete the expired certificate that is pointed to the old nonexistent DC?

Thanks for your help

David Johnson, CD, MVP (Owner) commented:
Delete the older certs and create new requests and install the new certs.

David Johnson, CD, MVP (Owner) commented:
http://vimeo.com/35053082 - watch the video to make sure you have it set up correctly.

mmcodefive (author) commented:
I needed CA services before and now I don't. I did some review and I don't even have the role installed. I am going to award points for your help.

Question has a verified solution.