joey5630 asked:
Domain Controller Certification authority problem
We recently upgraded our 3 old Windows 2008 domain controllers to Windows 2012. The old main domain controller was called Sale-fs2. After the upgrade we are receiving errors on some of our servers, Schannel Event ID 36881, which states that the certificate received from the remote server has expired. When I go on to the new Windows 2012 domain controller, which is called Sale-DC1, and go to the 'Trusted Root Certification Authorities' and click on certificates, there is a certificate called 'Sale-fs2' which has expired. Now my question is, is it OK to delete this certificate, or should there be one in here for the new primary domain controller called Sale-DC1? If I need one for Sale-DC1, how do I create it?
Many thanks
ASKER
Not getting event id 13 errors. Where do I check for the Certsvc_dcom_access group?
It is in ADUC under Users; it might be in Builtin.
When you try to enroll the DC for the certificate does it get issued?
If you upgraded, how or when did you change the name?
When you see the certificate, did you try to renew it in the interface? Certificate system/service?
ASKER
OK, the new SALE-DC1 is in the Certsvc_dcom_access group. Bit confused about enrolling the DC for the certificate; where do I do that?
When we upgraded we built 3 new 2012 DCs and had them running alongside the 3 old Windows 2008 DCs. Once we were happy and had transferred all the roles over, we DCPromo'd the old Windows 2008 DCs. We cannot renew the certificate because it belongs to the old Windows 2008 DC called SALE-FS2, which does not exist anymore.
Do I need to create a new certificate for the new DC1, and how do I do that?
ASKER CERTIFIED SOLUTION
The DC should have obtained a new certificate, unless the CA is no longer available or, when you created the DC, you did not place it into the CERTSVC_DCOM_ACCESS group.
Look through the event log: do you have an Event ID 13 for a certificate auto-enrollment error?
https://www.experts-exchange.com/questions/22127688/Where-is-CERTSVC-DCOM-ACCESS-group.html
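The checks the accepted answer asks for (auto-enrollment Event ID 13, CERTSVC_DCOM_ACCESS membership, whether the DC actually holds a current certificate) can be run in one pass on the new DC before anything is deleted. The script below is an added example, not code from the thread or from any of its participants. It assumes it runs elevated on the DC with the ActiveDirectory RSAT module installed; the only names taken from the thread are Sale-fs2 and CERTSVC_DCOM_ACCESS, everything else is illustrative.

```powershell
# Added example (not from the thread): post-migration certificate checks on a DC.
# Assumes: run as administrator on the DC, ActiveDirectory module available.

$OldCaName = 'Sale-fs2'      # decommissioned CA / old DC name from the thread
$Now       = Get-Date

# 1. Expired certificates in the machine Trusted Root store (the 'Sale-fs2' entry
#    the asker found). Listing only; nothing is removed here.
Write-Host "== Expired Trusted Root certificates =="
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.NotAfter -lt $Now } |
    Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize

# 2. Certificates in the machine Personal store still issued by the old CA.
#    Anything listed here would stop validating once the old root is gone,
#    so it needs replacing before the root is touched.
Write-Host "== Personal-store certificates issued by $OldCaName =="
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$OldCaName*" } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize

# 3. Does this DC hold an unexpired Server Authentication certificate?
#    That is what Schannel presents; without one, clients keep logging 36881
#    (or use whatever stale certificate is left in the store).
$dcCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.NotAfter -gt $Now -and
        $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication'
    }
if ($dcCert) {
    Write-Host "== Valid Server Authentication certificate(s) present =="
    $dcCert | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
} else {
    Write-Warning "No unexpired Server Authentication certificate in LocalMachine\My; auto-enrollment has not delivered one."
}

# 4. The Event ID 13 auto-enrollment failures the answer refers to (Application log),
#    plus the Schannel 36881 errors from the question (System log).
Write-Host "== Recent auto-enrollment errors (Event ID 13) =="
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        Id           = 13
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

Write-Host "== Recent Schannel 36881 errors =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36881 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 5. Is this DC's computer account in CERTSVC_DCOM_ACCESS? Computer accounts
#    appear as SamAccountName 'HOSTNAME$'.
Import-Module ActiveDirectory
$members = Get-ADGroupMember -Identity 'CERTSVC_DCOM_ACCESS' -Recursive -ErrorAction SilentlyContinue
$me = "$env:COMPUTERNAME`$"
if ($members -and ($members.SamAccountName -contains $me)) {
    Write-Host "$me is a member of CERTSVC_DCOM_ACCESS."
} elseif (-not $members) {
    Write-Warning "CERTSVC_DCOM_ACCESS not found or empty; is an enterprise CA still installed in this domain?"
} else {
    Write-Warning "$me is NOT in CERTSVC_DCOM_ACCESS; add it and re-run."
}

# 6. Ask the auto-enrollment client to retry now rather than waiting for the
#    next scheduled pass, then re-check step 3 and the Event ID 13 output.
certutil -pulse
```

Two caveats worth knowing before acting on the output. If the old root in step 1 was an enterprise CA, its certificate is also published in the forest's Configuration partition and is re-pushed to domain members' Trusted Root stores by policy, so deleting it only in the local MMC does not make it stay gone; it has to be removed from AD as well, and only after step 2 shows nothing still depends on it. And if step 5 reports that CERTSVC_DCOM_ACCESS does not exist, the likely reason is that the CA role left with the demoted server, in which case there is nothing for the DC to enroll against until a new enterprise CA is stood up.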