Help! My SSL Cert Renewal Messed Up ADFS and LDAP – What Do I Do?

Asked By TechieTommy42 On

I've been the system admin for two years at my company, following my predecessor who didn't leave me much documentation before he retired. We're using two domain controllers, DC A and DC B, where DC A has all the important services, including the SSL cert that just expired. I renewed it through Digicert and created a new CSR, but I messed up during the process and deleted the old certs way too soon. Now, ADFS is throwing error 1064 and won't start because it seems to be searching for the old cert. I've tried reinstalling the old cert (but lacked its private key), and the event viewer is giving me a bunch of error codes. I'm in a bit of a bind here. Is there a way to update the cert without ADFS running, or should I be restoring from a backup? Also, we're using LDAP only for a single instance of KnowBe4 that I'll be deprecating soon. Should I just leave things as they are while I transition?
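
An added diagnostic and rebinding script for the situation described in the question (not code from the thread or from DigiCert or Microsoft). It assumes an elevated PowerShell session on the AD FS server, that the renewed certificate has already been imported into `LocalMachine\My` together with its private key, that the AD FS service is named `adfssrv`, and it uses a placeholder federation service name in `$FsName`. It inventories the candidate certificates (checking for the missing private key the question mentions), lists the HTTP.sys bindings that still point at a deleted certificate, and, only when a thumbprint is supplied, rebinds them with `netsh`, which does not need the AD FS service running. The `netsh` rebinding is a fallback for exactly that case; the supported path once the service is up is `Set-AdfsSslCertificate` and `Set-AdfsCertificate`.

```powershell
# Added example, not from the original thread. Assumptions: run elevated on the AD FS
# server; the renewed certificate is already in LocalMachine\My with its private key;
# 'adfssrv' is the AD FS service name; $FsName is a placeholder federation service FQDN.
param(
    [string]$FsName = 'sts.example.com',   # placeholder, replace with your FS name
    [string]$NewThumbprint = ''            # thumbprint of the renewed certificate
)

function Get-CandidateCerts {
    # Certificates in the machine store that could serve $FsName, with the two facts
    # that matter here: is it still valid, and does it have a private key?
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Subject -like "*$FsName*" -or ($_.DnsNameList.Unicode -contains $FsName)
    } | Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey
}

function Get-HttpSysBindings {
    # Parse 'netsh http show sslcert' into objects. HTTP.sys bindings are what AD FS
    # listens on, and they keep their old hash after the cert is deleted from the store.
    $bindings = @()
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = [pscustomobject]@{
                Endpoint = $Matches[2]
                IsIpPort = ($Matches[1] -eq 'IP:port')
                Hash     = $null
                AppId    = $null
            }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.Hash = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.AppId = $Matches[1]
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

$certs = Get-CandidateCerts
"Certificates for $FsName in LocalMachine\My:"
$certs | Format-Table -AutoSize

# A binding whose hash no longer exists in the store is the "searching for the old
# cert" symptom from the question.
$bindings = Get-HttpSysBindings
$orphaned = $bindings | Where-Object { $_.Hash -and ($certs.Thumbprint -notcontains $_.Hash) }
"HTTP.sys bindings that point at a certificate no longer in the store:"
$orphaned | Format-Table -AutoSize

if ($NewThumbprint) {
    $new = $certs | Where-Object Thumbprint -eq $NewThumbprint
    if (-not $new)               { throw "Thumbprint $NewThumbprint not found in LocalMachine\My" }
    if (-not $new.HasPrivateKey) { throw "Certificate $NewThumbprint has no private key; re-import the PFX" }

    # Rebind each orphaned endpoint, reusing the appid HTTP.sys already recorded for it
    # instead of hard-coding one. This step does not need the AD FS service running.
    foreach ($b in $orphaned) {
        $ep = if ($b.IsIpPort) { "ipport=$($b.Endpoint)" } else { "hostnameport=$($b.Endpoint)" }
        netsh http update sslcert $ep certhash=$NewThumbprint appid=$($b.AppId)
    }

    Restart-Service adfssrv -ErrorAction Continue
}

# Either way, show the newest AD FS admin-log errors (event 1064 is logged here).
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Level = 2 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Run it first without `-NewThumbprint` and confirm the renewed certificate shows `HasPrivateKey` as `True`; if it shows `False`, the problem is the import, not AD FS, and rebinding will not help. Once the service starts, run `Set-AdfsSslCertificate -Thumbprint <new>` and `Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint <new>` so the AD FS configuration matches the HTTP.sys binding, and verify that the AD FS service account (the gMSA mentioned in the first answer) has read access to the new private key.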

5 Answers

Answered By SysAdminSage On

It sounds like you're dealing with a gMSA issue related to that error 1064. I’d double-check if there were any permission changes along the way. As for services on your DC, it might be a good idea to consider splitting those off to reduce risk.

TroubleshooterTina -

No permissions changed, I just got a bit ahead of myself deleting the old cert. ADFS is still showing that error with the 249, 102, and 381 events in the viewer.

Answered By CertMasterDave On

Just a heads-up: you probably shouldn't be generating a new CSR for a simple renewal. Always keep the old certs around during troubleshooting; it gives you a safety net to retrace your steps if needed.

TechieTommy42 -

It's my first time dealing with AD certs. I followed Digicert's docs, which said to generate a CSR and then reissue with it. Guess I'll be a bit more cautious next time!

Answered By BackupBuddy On

Your major issue is trying to run all these services on a domain controller. I can't provide much help beyond that, but ideally, you'll want those services on separate servers for better stability.

Answered By ConcernedAdmin On

Honestly, the lack of documentation left behind is concerning and could be seen as sabotage. Running Active Directory Certificate Services on a DC isn’t advised. Given the situation, I think it's best to bring in an expert because your AD setup seems pretty precarious right now.

Answered By RiskyRaven On

Domain controllers should primarily handle AD and DNS—everything else should be on dedicated servers. I suggest shutting down DC B, restoring DC A, cleaning up AD metadata, and then setting up DC B cleanly. Look into moving extra services off the DC to maintain proper function and security.
