My environment originally:
- Single Forest/Domain at 2003 functional level running on Windows 2008 x64 SP DCs
- Offline standalone root CA on Windows 2003
- Single subordinate Enterprise issuing CA using SHA1 hashing on Windows 2003 Enterprise Edition
- All DCs auto-enrolled for a DomainController template and were issued it
Due to SHA2 migration requirements the following was introduced:
- Offline standalone root CA on Windows 2012 R2
- Single subordinate Enterprise issuing CA using SHA2 hashing on Windows 2012 R2
Now, when all our DCs got to 6 weeks before their DomainController cert expiration date, they all naturally tried to renew. What happened was that half renewed against the original issuing CA with SHA1 (all kept the same thumbprint/serial etc.) but the other half got a new DomainController cert from the new issuing CA with SHA2, i.e. they enrolled with the new issuing CA. This broke some legacy client application communication.
Since both issuing CAs have published their info into the configuration container, is this expected? I read in the PKI guide that if the client finds multiple CAs registered it will use a random one. Is this what might have happened, i.e. the DC looked up the config container, saw 2 CAs registered there and chose to use the new one? It couldn't renew against the new one, so it re-enrolled and got a new DomainController cert?
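To see which CAs a DC can pick from and which one actually issued its current certificate, here is an added PowerShell script (not from the original post) that lists the pKIEnrollmentService objects in the configuration container with the templates each CA offers, then reports issuer and signature algorithm for every DomainController certificate in the machine store. It assumes it is run on each DC with read access to the configuration partition; the template extension OID is the standard Microsoft one.

```powershell
# Added example, not from the original post. Run on each DC.
# Part 1: which enterprise issuing CAs are published, and which templates they offer.
$rootDse   = [ADSI]"LDAP://RootDSE"
$configNc  = $rootDse.configurationNamingContext
$enrollSvc = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

Write-Host "Enrollment Services published in the configuration container:"
foreach ($ca in $enrollSvc.Children) {
    # One pKIEnrollmentService object per enterprise issuing CA
    $caName    = $ca.Properties['cn'].Value
    $caHost    = $ca.Properties['dNSHostName'].Value
    $templates = @($ca.Properties['certificateTemplates']) -join ', '
    Write-Host ("  {0} on {1}" -f $caName, $caHost)
    Write-Host ("    offers templates: {0}" -f $templates)
}

# Part 2: which CA and hash algorithm issued this machine's DomainController cert(s).
# 1.3.6.1.4.1.311.20.2 is the v1 "Certificate Template Name" extension used by
# the built-in DomainController template.
$templateNameOid = '1.3.6.1.4.1.311.20.2'

Write-Host "`nDomainController certificates in LocalMachine\My:"
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateNameOid }
    if ($ext -and ($ext.Format($false) -match 'DomainController')) {
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Issuer     = $cert.Issuer
            HashAlg    = $cert.SignatureAlgorithm.FriendlyName   # sha1RSA vs sha256RSA
            NotAfter   = $cert.NotAfter
            Serial     = $cert.SerialNumber
        }
    }
} | Format-Table -AutoSize
```

If a DC shows a certificate whose Issuer is the new CA and whose HashAlg is sha256RSA, that DC re-enrolled rather than renewed; the first section shows whether both CAs advertise the DomainController template, which is what makes either CA a valid enrollment target.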