Domain Controller Certification authority problem

We recently upgraded our 3 old Windows 2008 domain controllers to Windows 2012. The old main domain controller was called Sale-fs2. After the upgrade we are receiving errors on some of our servers, Schannel Event ID 36881 which states that the certificate received from the remote server has expired. When I go on to the new Windows 2012 domain controller which is called Sale-DC1 and go to the 'Trusted Root Certification Authorities' and click on certificates there is a certificate called 'Sale-fs2' which has expired. Now my question is, is it OK to delete this certificate or should there be one in here for the new primary domain controller called Sale-DC1. If I need one for Sale-DC1 how do I create it?

Many thanks
arnold Commented:
Do you still have a functional CA? You need to update your GPO to point to the new CA for enrollment.
Look at the old Certificate, what is the path? The top reference is the CA while anything between the top and the bottom are the intermediate/subordinate CAs if any.
Is your CA still functional following the updates?
The DC should have obtained a new certificate unless the CA is no longer available or when you created the DC you did not place it into the CERTSVC_DCOM_ACCESS group.

Look through the event log, do you have an event ID:13 for certificate autoenroll error?
joey5630 (Author) Commented:
Not getting event id 13 errors. Where do I check for the Certsvc_dcom_access group?
arnold Commented:
It is in the ADUC users; it might be in the builtin.
When you try to enroll the DC for the certificate does it get issued?
If you upgraded, how or when did you change the name?

When you see the certificate, did you try to renew it in the interface? Certificate system/service?
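The checks arnold lists above (expired certificate in the stores, Schannel 36881 and autoenrollment event 13 entries, CERTSVC_DCOM_ACCESS membership, whether a CA is still published) can be run in one pass on the new DC. This is an added diagnostic script, not code from the thread; it assumes the ActiveDirectory module is installed and uses the host and group names from the question.

```powershell
# Added diagnostic script (not from the thread). Run in an elevated PowerShell on the new DC.
# Assumes the ActiveDirectory module is present; names below are taken from the question.

$dcName  = 'SALE-DC1'            # new domain controller
$dcomGrp = 'CERTSVC_DCOM_ACCESS' # a DC must be in this group to reach the CA over DCOM

# 1. Expired certificates in the machine's Trusted Root and Personal stores.
#    A hit in 'Root' is the stale CA certificate; 'My' shows whether this DC ever
#    received its own Domain Controller / Kerberos Authentication certificate.
foreach ($store in 'Root', 'My') {
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.NotAfter -lt (Get-Date) } |
        Select-Object @{n='Store';e={$store}}, Subject, Issuer, NotAfter, Thumbprint |
        Format-Table -AutoSize
}

# 2. Does the DC hold a currently valid certificate usable for server authentication?
$valid = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.NotAfter -gt (Get-Date) -and
    $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication'
}
if (-not $valid) { Write-Warning "$dcName has no valid server-authentication certificate" }

# 3. Recent Schannel 36881 (expired remote certificate) and autoenrollment event 13 entries.
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Schannel'; Id=36881} `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
Get-WinEvent -FilterHashtable @{LogName='Application'; Id=13} `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*AutoEnrollment*' } |
    Select-Object TimeCreated, Message | Format-List

# 4. Is the new DC's computer account a member of CERTSVC_DCOM_ACCESS?
Import-Module ActiveDirectory
$members = Get-ADGroupMember $dcomGrp -Recursive | Select-Object -ExpandProperty SamAccountName
if ($members -notcontains "$dcName`$") { Write-Warning "$dcName`$ is not in $dcomGrp" }

# 5. Which enterprise CAs does Active Directory still publish? If the only entry is the
#    retired DC, there is no CA left to issue a replacement and deleting the expired
#    certificate alone will not clear the 36881 errors.
certutil -ADCA

# 6. Optionally trigger autoenrollment now and then re-check the Application log for event 13.
# certutil -pulse
```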
joey5630 (Author) Commented:
OK, the new SALE-DC1 is in the Certsvc_dcom_access group. Bit confused about enrolling the DC for the certificate; where do I do that?
When we upgraded we built 3 new 2012 DCs and had them running alongside the 3 old Windows 2008 DCs. Once we were happy and had transferred all the roles over we DCPromo'd the old Windows 2008 DCs. We cannot renew the certificate because it belongs to the old Windows 2008 DC called SALE-FS2, which does not exist anymore.

Do I need to create a new certificate for the new DC1, and how do I do that?