0

I bluntly created a PKI Server (AD CS) that sits inside the Domain.

My Domain Controllers got a DomainController Certificate from it.

After that I thought that it would be better, to create a Root CA that isn't in the domain, and a subordinate CA that sits inside the domain.

So I needed to uninstall my first PKI Server, I followed the following guide from Microsoft. (Basically removing PKI Server and all AD Objects that belong to PKI)

After doing that, I followed this video to create a multi-tier PKI structure. This worked well, I got it up and running, and it creates certificates for my computers and my users. It also correctly sits in my Active Directory Public Key Services, AIA, CDP etc.

The problem now is: My Domain Controllers do not request a certificate from my new PKI Server. If I go to their Cert:\LocalMachine\My They still have a DomainController Cert from my old PKI Server.

My questions are:

  • Why don't they automatically get a certificate from my new PKI Server?
  • How do I force them to get a certificate from new PKI Server?
  • Can I delete the old certificate in their Cert store?

DCs are Server Core 2019, PKI is Server 2022

SimonS
  • 785
  • 4
  • 14
  • 29
  • Is there some service which relies on these DC certs? If not, simply delete it in `Cert:\LocalMachine\My` and as long as autoenrollment is correctly set up, it will enrol for a new certificate at some point later. – garethTheRed Sep 01 '23 at 17:58
  • @garethTheRed Jup, as easy as it gets. Thank you :)! – SimonS Sep 01 '23 at 18:40

0 Answers0