Hello,
I'm currently dealing with the following scenario:
1. I've inherited the current infrastructure setup, and the plan is to clean things up and set up a new certificate infrastructure using Windows 2012 R2.
2. The current setup:
a. Domain Controller, Windows 2008 R2, is/was a Certificate Authority. It hasn't issued any new certificates (based on the information in Certificate Effective Date) for quite some time. It also has an expired certificate for itself - issued by the domain's issuing CA - and attempts to renew it via MMC give a "Server execution failed" and STATUS: Failed when looking in Certificate Enrollment for Domain Controller. We'll call the server DC1.
b. Certificate Authority server; we'll call it CERT1. When booting up the machine and/or attempting to restart Certificate Services on the server, the following errors are in the event log:
EVENT 7024: Description: The Active Directory Certificate Services service terminated with service-specific error %%-2146885613.
EVENT 100: Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. Domain.local Issuing CA The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).
EVENT 48: Description: Revocation status for a certificate in the chain for CA certificate 0 for Domain.local Issuing CA could not be verified because a server is currently unavailable. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).
Note: The server's computer certificate has expired, and it was issued by the Domain Controller mentioned in point a. Attempts to renew it fail.
(The issue on CERT1 is like the one mentioned in this article: https://support.microsoft.com/kb/825061?wa=wsignin1.0 however an upgrade wasn't done and it's not old versions of Windows.)
c. There is a certificate authority machine - part of what was created for a PKI infrastructure - that was kept shut down. I've powered it up, and the machine is not part of the domain.
Any thoughts or feedback on easily repairing the current situation so that I can upgrade everything to a new Windows 2012 R2 Certificate infrastructure would be appreciated.
Thanks!
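The following is an added worked example, not part of the original post or any reply to it. It shows how a practitioner would confirm the 0x80092013 (CRYPT_E_REVOCATION_OFFLINE) startup failure on CERT1 and apply the same bridge that the linked KB article describes: the CRLF_REVCHECK_IGNORE_OFFLINE flag in the CA's CRLFlags registry value, which lets Certificate Services start even though the CRL for its own certificate chain cannot be retrieved. It assumes an elevated PowerShell prompt on CERT1, that the CA's common name is the one shown in the event text ("Domain.local Issuing CA"), and that the CA certificate is present in the local machine's Personal store (all assumptions; adjust `$caName` for the real environment).

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session on CERT1 and that $caName matches the CA's common name (assumption
# taken from the Event 48/100 text).
$caName = 'Domain.local Issuing CA'

# 1. Show the AD CS startup failures the post quotes (Events 48 and 100).
#    The provider name is the one AD CS uses for its Application-log events.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Id           = 48, 100
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 2. Export the CA's own certificate (the "CA certificate 0" in Event 48)
#    from the machine store and let CryptoAPI fetch every AIA/CDP URL in the
#    chain. -urlfetch prints one line per URL; a CDP that is unreachable, or
#    whose CRL is past NextUpdate, is the 0x80092013 condition being reported.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $caCert) { throw "No certificate for '$caName' found in LocalMachine\My" }

$caCertFile = Join-Path $env:TEMP 'ca0.cer'
[System.IO.File]::WriteAllBytes($caCertFile, $caCert.RawData)
certutil -verify -urlfetch $caCertFile

# 3. Inspect the flags that govern the startup chain check. This reads the
#    registry directly, so it works while CertSvc is stopped.
certutil -getreg ca\CRLFlags

# 4. Tell the CA to ignore an offline revocation server when validating its own
#    chain at startup. This is the KB 825061 remedy: it gets the service running
#    again but does NOT repair the missing CRL. The parent CA (DC1 in the post's
#    description) still has to publish a reachable, unexpired CRL, or the chain
#    has to be re-issued as part of the 2012 R2 migration.
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

Stop-Service  CertSvc -ErrorAction SilentlyContinue
Start-Service CertSvc
Get-Service   CertSvc | Select-Object Name, Status

# 5. Once the chain validates cleanly again, remove the bridge so the CA
#    resumes enforcing revocation on its own chain:
#    certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE
```

Two caveats a practitioner would keep in mind here: the flag only suppresses the offline-revocation failure for the CA's own certificate chain at service start, it changes nothing about revocation checking for certificates the CA has issued; and it is worth running `certutil -verify -urlfetch` before and after so the actual unreachable CDP URL is recorded, since that URL (and whether the CRL there is merely stale or the host is gone) determines whether the old CA can be revived long enough to migrate or has to be replaced outright.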