
Apply New Domain Controller Certificates

Status
Not open for further replies.

CircleTilde

IS-IT--Management
Aug 10, 2010
4
US
Hi,

We recently came across a problem a couple of days ago when we noticed that upon terminal serving into any of our domain controllers (we have 7 - one at each site), we get an error stating the certificate has expired. Nearly all of our servers are 2003 R2. We just put in two new servers with 2008 R2. The two new servers will be replacing our domain controller here in our building, as well as another server which runs the Certificate Authority.

I had already started rolling over software and services onto the new servers, one of them being the CA role. But this was a few months ago that I did that. I did not shut down the CA role on the other 2003 R2 server, so we technically have two CAs running at the moment.

Anyways, the domain controller certificates for all of our domain controllers (except the new 2008 server) have expired, and did not auto-renew. I checked in GPO that they were supposed to auto-renew, but they didn't. They all do, however, have the certificate "Domain Controller Authentication", which was passed on to them from the new 2008 CA server.

Strangely, I installed a new "Domain Controller" certificate on ALL of the domain controllers from the 2008 CA server, thinking that would fix the problem, but for whatever reason, they continually disappear from the Personal certificates folder of the DCs. They do, however, still show up as having been issued within the 2008 CA server.

I've read a couple of possible fixes here and there, but so far nothing has worked. One method I tried was to delete all of the DC certs from the server and restart it. But even though it picked up the new certificates upon reboot, it still seems to be holding the expired certificate in memory somewhere.

I also read something about downgrading the servers from DC status, restarting, and then re-adding them as a DC. To be honest, that's a little scary to me, considering these are production servers.

Any thoughts on how I can get this issue fixed?
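The thread carries no reply on this page. As an added diagnostic (not part of the original post or from the poster), the PowerShell below, run locally on a DC, lists every certificate in the computer's Personal store with its template and expiry, then reads the thumbprint the RDP listener is bound to, so an expired certificate that the listener still references can be spotted rather than guessed at. Assumed: PowerShell 2.0 or later on the host, the listener name RDP-Tcp, and the SSLCertificateSHA1Hash registry value (present on 2008 R2; older hosts may not have it).

```powershell
# Added diagnostic for the expired-DC-certificate problem described above; not from the original post.
# Assumes PowerShell 2.0+, listener name 'RDP-Tcp', and the SSLCertificateSHA1Hash value (may be absent on 2003).
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'   # v1 template name / v2 template information

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($templateOids -contains $ext.Oid.Value) {
            # Format() yields "DomainController" (v1) or "Template=Domain Controller Authentication(oid), ..." (v2);
            # strip the prefix and the trailing OID/version text to keep only the template name.
            return (($ext.Format($false) -replace '^Template=', '') -replace '\(.*$', '')
        }
    }
    return '(no template extension)'
}

$now = Get-Date
Write-Host "Certificates in Cert:\LocalMachine\My on $env:COMPUTERNAME"
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    New-Object PSObject -Property @{
        Thumbprint = $_.Thumbprint
        Template   = Get-TemplateName $_
        Issuer     = $_.Issuer
        NotAfter   = $_.NotAfter
        Expired    = ($_.NotAfter -lt $now)     # expired certificates are the ones to look at first
    }
} | Sort-Object NotAfter | Format-Table Template, Expired, NotAfter, Thumbprint, Issuer -AutoSize

# Which certificate is the RDP listener actually bound to? The value is a REG_BINARY SHA-1 hash.
$rdpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$hashBytes = (Get-ItemProperty -Path $rdpKey -ErrorAction SilentlyContinue).SSLCertificateSHA1Hash
if ($hashBytes) {
    $rdpThumb = ($hashBytes | ForEach-Object { $_.ToString('X2') }) -join ''
    $bound = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $rdpThumb }
    if ($bound) {
        Write-Host ("RDP listener bound to {0} (expires {1}; expired: {2})" -f $rdpThumb, $bound.NotAfter, ($bound.NotAfter -lt $now))
    } else {
        # A thumbprint with no matching store entry explains a 'certificate expired' error that survives a reboot.
        Write-Host "RDP listener references thumbprint $rdpThumb, which is not in the Personal store"
    }
} else {
    Write-Host 'No explicit RDP listener certificate thumbprint recorded in the registry'
}
```

Compare the listener's thumbprint with the Expired column: a listener still pointing at an old thumbprint is the condition to look for before considering anything as drastic as demoting a DC.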
 