I'm getting the auto-enrollment error above not because of a configuration error but because the Root CA machine was taken out of service and disposed of! So the "unable to contact" is a true error. The machine no longer exists!
I have checked the expiration date of the certificate using certmgr on the AD servers (a cluster of three Windows 2008 servers) and I have found different expiration dates for the same certificate, as described below.
Trusted Root Certification Authorities > CONTOSO-CA (exp 17/05/2018)
Intermediate Certification Authorities > CONTOSO-CA (exp 17/05/2018)
Active directory User Object > CONTOSO-CA (exp 17/05/2014)
We currently have an AD cluster made up of three Windows Server 2008 machines, and no Certificate Authority role is currently installed on any of them.
I have also seen, using certmgr, that all machines in the company have the CONTOSO-CA certificate as follows:
Trusted Root Certification Authorities > CONTOSO-CA (exp 17/05/2018)
Intermediate Certification Authorities > CONTOSO-CA (exp 17/05/2018)
Active directory User Object > Not present
My question is, can I safely decommission the certificate? What will be the impact of this certificate (Active directory user object) expiring?
Thanks in advance