Server 2008 R2 DC Cert expired

I have a Server 2003 CA and 2 Server 2008 R2 Domain Controllers. I am getting the warning on the DCs (Event ID 64) that the certificate is expired. I try to renew the certificate and I get an error (Event ID 16) saying "The signature of the certificate cannot be verified". My AD is working fine but I would like to clean this up and renew the cert. I also have Auto-Enroll and Renew enabled, so I am not sure why it didn't renew. Any help would be greatly appreciated.

  • #2
    Re: Server 2008 R2 DC Cert expired

    You may have to do a little fudging with time to solve this one. You're trying to renew the root domain certificate, but you have to have a valid root domain cert to do it. Can't remember how we found it, but we had the same problem recently. The trick was to set the clock back on the CA server and the requesting client to a date/time BEFORE the certificate expired, then request/issue a renewal. Do it for at least a few years. Once approved, reset the clocks back to the current time.

    Once the new cert is in place, you'll probably have to restart your DCs as a minimum. The KDC gets its cert from the domain, but at startup. So to refresh the KDC domain cert, you'll have to at least restart that service. Better to just restart the server, just in case.
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **
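Added by the editor, not part of either post above: a PowerShell script that does the checks this thread implies before and after the renewal. It lists every certificate in the DC's machine Personal store with its expiry date and whether it still chains to a trusted root (a certificate whose signature cannot be verified shows up in the chain status as NotSignatureValid or UntrustedRoot rather than OK), pulls the Event ID 64 and 16 entries from the Application log, and, only when asked, kicks off an autoenrollment pass and restarts the KDC as the reply recommends. It assumes an elevated session and PowerShell 2.0 as shipped with Server 2008 R2; the event IDs are taken from the first post and are matched by number only, the provider name is not asserted. One caveat on the clock trick: Kerberos rejects tickets when clocks differ by more than the default 5-minute tolerance, so while the CA's clock is set back years, domain authentication to and from that machine will fail until the clock is restored; plan for that outage and use a local logon on the CA if needed.

```powershell
# Added example (not from the thread): inventory the DC's machine certificate store,
# flag expired certificates, show chain/signature status, and list the autoenrollment
# events from the last week. Written for PowerShell 2.0 (Server 2008 R2), so no
# [pscustomobject] or -in operator. Run elevated on the domain controller.
param(
    # Assumption: pass -Pulse after the CA is fixed to trigger an autoenrollment pass now.
    [switch]$Pulse,
    # Assumption: pass -RestartKdc only after the renewed certificate shows up below;
    # the KDC reads its certificate at service start, as the reply explains.
    [switch]$RestartKdc
)

$now = Get-Date
$templateOids = @('1.3.6.1.4.1.311.20.2',   # Certificate Template Name (v1 templates, e.g. DomainController)
                  '1.3.6.1.4.1.311.21.7')   # Certificate Template Information (v2 and later templates)

Write-Host "== Certificates in Cert:\LocalMachine\My =="
foreach ($cert in (Get-ChildItem -Path Cert:\LocalMachine\My)) {
    # Build the chain without revocation checking so an unreachable CRL does not
    # mask the real question: does the signature verify up to a trusted root?
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if ($chain.Build($cert)) {
        $chainStatus = 'OK'
    } else {
        # e.g. NotTimeValid, NotSignatureValid, UntrustedRoot, PartialChain
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }

    $template = $cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
    if ($template) { $templateText = $template.Format($false) } else { $templateText = '(none)' }

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Template   = $templateText
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt $now)
        Chain      = $chainStatus
    } | Format-List
}

Write-Host "== Application log events with ID 64 (cert expired/expiring) or 16 (enrollment failed), last 7 days =="
# IDs as reported in the first post; filtered by number only. Get-WinEvent raises a
# non-terminating error when nothing matches, hence SilentlyContinue.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = @(64, 16); StartTime = $now.AddDays(-7) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message | Format-List

if ($Pulse) {
    # certutil -pulse triggers the autoenrollment task immediately instead of waiting
    # for the next Group Policy refresh. Re-run the inventory above afterwards.
    certutil -pulse | Out-Null
    Write-Host "Autoenrollment pulsed; re-run this script and look for a new DC certificate with Expired=False, Chain=OK."
}

if ($RestartKdc) {
    # Restarting the KDC makes it re-read its certificate; a full reboot is the safer option.
    Restart-Service -Name kdc -Force
    Write-Host "KDC restarted."
}
```

Save it under a name of your choosing (`Check-DcCert.ps1` is used here as an assumed name) and run it three times: plain, to see which certificate is expired and why its chain fails; with `-Pulse` once the CA can issue again, to force the renewal request; and with `-RestartKdc` only after the inventory shows the new certificate with `Expired : False` and `Chain : OK`.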