Domain Controller Certification authority problem

We recently upgraded our 3 old Windows 2008 domain controllers to Windows 2012. The old main domain controller was called Sale-fs2. After the upgrade we are receiving errors on some of our servers: Schannel Event ID 36881, which states that the certificate received from the remote server has expired. When I go on to the new Windows 2012 domain controller, which is called Sale-DC1, and go to the 'Trusted Root Certification Authorities' and click on certificates, there is a certificate called 'Sale-fs2' which has expired. Now my question is, is it OK to delete this certificate or should there be one in here for the new primary domain controller called Sale-DC1? If I need one for Sale-DC1, how do I create it?

Many thanks

Is your CA still functional following the updates?
The DC should have obtained a new certificate unless the CA is no longer available or when you created the DC you did not place it into the CERTSVC_DCOM_ACCESS group.

Look through the event log, do you have an event ID:13 for certificate autoenroll error?
joey5630 (Author) commented:
Not getting event id 13 errors. Where do I check for the Certsvc_dcom_access group?
It is in ADUC under Users; it might be in Builtin.
When you try to enroll the DC for the certificate does it get issued?
If you upgraded, how or when did you change the name?

When you see the certificate, did you try to renew it in the interface? Certificate system/service?
joey5630 (Author) commented:
OK, the new SALE-DC1 is in the Certsvc_dcom_access group. Bit confused about enrolling the DC for the certificate, where do I do that?
When we upgraded we built 3 new 2012 DC's and had them running alongside the 3 old Windows 2008 DC's. Once we were happy and transferred all the roles over we DCPromo'd the old Windows 2008 DC's. We cannot renew the certificate because it belongs to the old Windows 2008 DC called SALE-FS2 which does not exist anymore.

Do I need to create a new certificate for the new DC1 and how do I do that?
Do you still have a functional CA? You need to update your GPO to point to the new CA for enrollment.
Look at the old Certificate, what is the path? The top reference is the CA while anything between the top and the bottom are the intermediate/subordinate CAs if any.
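
The check suggested in the reply above (look at the old certificate's path), as an added PowerShell example that is not part of the original thread: it lists expired certificates in the Trusted Root store and prints the chain path, CA at the top, for each certificate in the computer's Personal store. `Get-CertPath` is a hypothetical helper name, and the script only reads the stores; it deletes and renews nothing.

```powershell
# Added example (not from the thread). Run in an elevated session on the DC.
function Get-CertPath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation lookups so the path still builds if the old CA's CRL is unreachable
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $valid = $chain.Build($Cert)

    # ChainElements run leaf -> root; reverse so the issuing CA is listed first, as in the GUI
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    [array]::Reverse($elements)

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Expired    = $Cert.NotAfter -lt (Get-Date)
        ChainValid = $valid
        Path       = ($elements | ForEach-Object { $_.GetNameInfo('SimpleName', $false) }) -join ' > '
        Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
    $chain.Reset()
}

# Expired entries in Trusted Root Certification Authorities (where 'Sale-fs2' was seen)
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.NotAfter -lt (Get-Date) } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint

# The DC's own certificates in the computer's Personal store, with their path
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-CertPath $_ } |
    Format-List
```

A Personal-store certificate whose `Path` starts at the expired root, or whose `Status` includes `NotTimeValid`, is one that was issued under the old CA.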
