Need to rename certificate server w2k3

Status
Not open for further replies.

zmag2linux

IS-IT--Management
Jul 16, 2007
7
US
I have a W2k3 member server running certificate services. The computer account got deleted from A.D but we were able to do an authoritative restore and get the account back. I can log on to the domain now but I'm getting lots of errors that the computer account can not be authenticated. The simple fix would be to remove and re-add to the domain, but since this is a certificate server I must uninstall cert services first. Looking at the published certs I see only certs leased to the other A.D servers in my domain. I realize that if/when I remove and re-add this computer all the certs will be useless; I would like to know if all the servers that have certs will just pull new ones. Perhaps I should install cert services on another server (one of my A.D servers). I have read up what I can find on certs but I can find nothing about a cert server crash. Any help or even pointers to white papers would be great.
 
netdom can reset the machine and the ad computer password which should fix your issue.

Basically the password the computer has is different to the account password which would be computername$ (off memory).

Once they are set to the same it should all be good.
 
Thanks, but no luck.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

H:\>netdom resetpwd /server:server01 /userd:mydomain.com\user /passwordd:*
Type the password associated with the domain user:

The machine account password for the local machine could not be reset.

The specified domain either does not exist or could not be contacted.

The command failed to complete successfully.
 
Are you running it on the machine with the issue?

The server is a domain controller and the user/pass is a domain admin account.

If it's not working I suspect you have a network issue, or you are not a local admin on the machine you are running it on.

 
I am running it on a domain controller, not the machine with the issue. That one is a member server. I have no network issues and I am an admin; the issue is machine name Kerberos authentication. According to Windows help guides, I should remove and rejoin the domain, which brings me back to my original problem of this machine being a certificate server.
 
It has to be done on the local machine with the issue. The server referenced in the command is a Domain Controller.

What it does is :-

1. Reset local machines password to the default
2. Connect to a Domain Controller in AD and reset the Computer account that has the same name as the local hostname. The domain controller contacted is the one specified in the command and the account used is the one referenced.

3. When you reboot the accounts are synced and the secure channel is established.


So for 2, the account used must have the AD rights, i.e. domain admin.

And for 1, the account used must have local admin rights to be able to edit the local machine. If you are logged on as a cached domain account it probably won't work, as the secure channel to authenticate is broken.

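A worked version of the three steps above, added here as an example for this thread rather than code from any poster. It assumes it is run in an elevated console on the member server whose secure channel is broken, logged on with a local administrator account; the domain and DC names are placeholders. nltest and netdom are the Support Tools commands that apply to a W2k3 box; Test-ComputerSecureChannel is only used if a later PowerShell is present.

```powershell
# Added example, not code from any poster in this thread. Run on the member
# server itself (the machine with the issue), in an elevated console, logged on
# with a LOCAL administrator account: a cached domain logon cannot authenticate
# while the channel is down. Both names below are placeholders.
param(
    [string]$Domain           = 'mydomain.com',   # placeholder domain
    [string]$DomainController = 'server01'        # placeholder: a reachable DC
)

# Check first: is the secure channel really broken? nltest ships with the
# W2k3 Support Tools; Test-ComputerSecureChannel needs PowerShell 2.0 or later.
nltest /sc_query:$Domain
if (Get-Command Test-ComputerSecureChannel -ErrorAction SilentlyContinue) {
    if (Test-ComputerSecureChannel) {
        Write-Host "Secure channel to $Domain is healthy; nothing to reset."
        return
    }
}

# Steps 1 and 2: reset the local machine password and the AD computer account
# ($env:COMPUTERNAME$) in one operation against the named DC, using a domain
# account with rights on that computer object. /passwordd:* makes netdom prompt
# for the password so it never appears on the command line or in history.
$user = Read-Host "Domain account allowed to reset the computer object (DOMAIN\user)"
netdom resetpwd /server:$DomainController /userd:$user /passwordd:*
if ($LASTEXITCODE -ne 0) {
    Write-Warning "netdom failed (exit $LASTEXITCODE): check name resolution to $DomainController and that this logon is a local admin."
    return
}

# Step 3: the new password is used when NETLOGON next builds the channel, so
# reboot. After the reboot, 'nltest /sc_verify:<domain>' forces a reconnect
# and reports whether the channel is now established.
Write-Host "Password reset on both sides; reboot now, then run: nltest /sc_verify:$Domain"
Restart-Computer -Confirm
```

The "Access is denied" in the NETLOGON 5805 event quoted later in the thread is what the DC logs while the two passwords disagree, so the /sc_verify result after the reboot is the quickest confirmation that the reset actually took.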
 
Thanks for the info, but I ran this locally and from a domain controller, my account is domain admin, and I have run this for other servers with success. The event log shows:
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5805
Date: 4/23/2008
Time: 3:52:57 AM
User: N/A
Computer: CHIADS01
Description:
The session setup from the computer CHIMGT01 failed to authenticate. The following error occurred:
Access is denied.

CHIMGT01 is the server with issues. CHIADS01 is one of my AD servers.
 
I could still use some help. I did uninstall the certificate service. The only certs that were valid were all from my other A.D servers in my domain. I followed the steps to revoke these certs and cleanly uninstall the service.
I was able to rejoin the domain as needed, but I am looking for information about the cert service, specifically: does Active Directory need to have a local cert server in the domain?
Basically, the cert server computer account was invalid for 5 days before I disjoined it, and it has been running for another 4 days since without any problems that I can see.
Is there some way I can check if the other AD servers that pulled certs might be using them for something? Any help appreciated.
 
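As an added check for the last question (example code for this thread, not from any poster): run on each of the AD servers that enrolled from the removed CA, this lists every certificate that CA issued, which store it sits in, whether the box holds the private key, and what the certificate is good for. The CA name is a placeholder for the uninstalled CA's subject. A certificate in the Personal (My) store with a private key and a Server Authentication or Smart Card Logon usage is one a service on that box can present, so those are the ones worth tracing before they expire or fail revocation checks.

```powershell
# Added example, not code from any poster in this thread. Run on each server
# that enrolled from the CA that was uninstalled. The issuer name is a
# placeholder; put the old CA's subject name (as shown in the old certs) here.
param(
    [string]$OldCaName = 'CN=mydomain-CHIMGT01-CA'    # placeholder CA subject
)

# Personal (My) holds certs this machine presents; CA and Root hold chain
# material that other certs depend on.
$report = foreach ($store in 'My', 'CA', 'Root') {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.Issuer -like "*$OldCaName*" } |
        ForEach-Object {
            # New-Object rather than [pscustomobject] keeps this PowerShell 2.0 compatible
            New-Object PSObject -Property @{
                Store      = $store
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
                HasKey     = $_.HasPrivateKey
                Thumbprint = $_.Thumbprint
                # Enhanced key usage names, e.g. "Server Authentication"
                Usage      = ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
            }
        }
}

if (-not $report) {
    Write-Host "No certificates issued by $OldCaName found on $env:COMPUTERNAME."
} else {
    $report |
        Sort-Object NotAfter |
        Format-Table Store, Subject, NotAfter, HasKey, Usage, Thumbprint -AutoSize
}

# W2k3-era equivalent without PowerShell: 'certutil -store My' dumps the same
# Personal store, and 'certutil -verify <file.cer>' shows whether a given cert
# still chains and passes revocation checking now that the CA is gone.
```

With the CA gone there is no CRL distribution point to refresh, so anything on this list that a service actually presents will start failing revocation checks at the CRL's next expiry even before the certificate itself expires; that, rather than the account problem, is the window to plan around.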