Why did our domain trust break after decommissioning an old Certificate Authority server?

Asked By TechieTurtle42 On

We had an old Active Directory Certificate Authority server that we planned to retire. A year ago, we set up a new CA server and confirmed it was handling all new certificate requests successfully. After ensuring everything was working fine for some time, we followed the Microsoft guidelines to properly decommission the old CA server. However, shortly after this, several computers began reporting issues with mapped drives and lost their domain trust—making it impossible to ping the domain or any Domain Controllers. The event logs showed errors related to not being connected to the domain, although deleting the affected computer objects and re-joining them resolved the issues. I'm trying to figure out what went wrong during this process, especially since we felt confident in following the correct procedures. Any insights would be appreciated!

3 Answers

Answered By CloudyMindset88 On

It sounds like the issue might be related to the machine certificates that were issued by the old CA. If those weren't replaced with new ones from the new CA, it could definitely break the AD trust connections. Just something to consider! You could handle this pretty easily with Group Policy on a larger scale, but switching CA servers is tricky business that often needs double-checking all the details.
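To make that suggestion checkable, here is an added PowerShell example (not code from the original thread). Run it elevated on an affected client: it inventories the LocalMachine\My store, flags certificates still issued by the retired CA or no longer building a valid chain, and warns if no valid client-authentication certificate from the new CA is present. The CA names 'Contoso-OLD-CA' and 'Contoso-CA-02' are placeholders; take the real subject names from `certutil -dump` on each CA. One caveat a practitioner would add: a stale machine certificate only breaks logon where something consumes it (802.1X/NPS, IPsec, LDAPS, PKINIT/smart-card logon); a plain password-based machine account does not need one, so check what actually depends on the cert.

```powershell
# Added example (not from the original thread): inventory the LocalMachine\My store
# on a client and flag certificates that still chain to the retired CA, so they can
# be re-enrolled before that CA disappears.
# Assumptions (not in the thread): the retired CA's subject contains 'Contoso-OLD-CA'
# and the replacement's contains 'Contoso-CA-02'; take the real names from
# 'certutil -dump' on each CA.

param(
    [string]$OldCaName = 'Contoso-OLD-CA',
    [string]$NewCaName = 'Contoso-CA-02'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Build the chain the way Windows does, including online revocation checking.
    # Once a CA is gone its CRL distribution point stops answering, so the chain
    # reports RevocationStatusUnknown / OfflineRevocation before the cert expires.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk    = $chain.Build($cert)
    $statusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $statusText) { $statusText = 'NoError' }
    $chain.Reset()

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        ClientAuth  = [bool]($cert.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
        FromOldCa   = $cert.Issuer -like "*$OldCaName*"
        ChainBuilds = $chainOk
        ChainStatus = $statusText
    }
}

$report | Sort-Object FromOldCa -Descending | Format-Table -AutoSize

# Anything still issued by the old CA, or no longer chaining, needs re-enrollment.
$stale = @($report | Where-Object { $_.FromOldCa -or -not $_.ChainBuilds })
if ($stale.Count -gt 0) {
    Write-Warning "$($stale.Count) certificate(s) still depend on the retired CA or fail chain validation."
}

# A healthy client should already hold a valid client-authentication certificate
# from the new CA; if it does not, autoenrollment has not run against it yet.
$fromNew = @($report | Where-Object {
    $_.Issuer -like "*$NewCaName*" -and $_.ClientAuth -and $_.NotAfter -gt (Get-Date)
})
if ($fromNew.Count -eq 0) {
    Write-Warning "No valid client-auth certificate from $NewCaName; run 'certutil -pulse' to trigger autoenrollment and re-check."
}
```

Run it across a sample of clients (for example via `Invoke-Command`) before the old CA is shut down, not after; the useful signal is the gap between "still has only old-CA certificates" and "already has a new-CA certificate". Where the store is stale, `certutil -pulse` (or `gpupdate /force`) triggers autoenrollment without touching the computer account.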

Answered By NetGuru81 On

Have you checked for any specific errors on both the client devices and Active Directory? Look for anything related to Kerberos, especially Ticket Granting Ticket (TGT) issues. They can be tricky and sometimes lead to these kinds of authentication errors. You might find helpful guidance in Microsoft's troubleshooting documentation on Kerberos.
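For the Kerberos and secure-channel side, here is an added PowerShell triage script (not from the original thread) to run elevated on a client that has "lost trust", before deleting the computer object and re-joining. It checks the Netlogon secure channel, looks at the machine's own TGT, pulls the last day of Kerberos and Netlogon errors from the System log, and, if the channel is broken, repairs it in place. The domain name corp.example.com is a placeholder.

```powershell
# Added example (not from the original thread): triage a client that has lost its
# domain trust before resorting to delete-and-rejoin. Run in an elevated PowerShell
# on the affected machine. Assumption: the domain is 'corp.example.com' (not in the thread).

param([string]$Domain = 'corp.example.com')

# 1. Is the Netlogon secure channel to a DC intact? A machine-account password that
#    no longer matches AD (e.g. after restoring an old image) shows up here and has
#    nothing to do with PKI.
$secureChannel = Test-ComputerSecureChannel -Verbose
"Secure channel to $Domain OK: $secureChannel"
nltest /sc_query:$Domain

# 2. Does the *machine* hold a Kerberos TGT, and can it get a ticket for the KDC?
#    Logon session 0x3e7 is SYSTEM, i.e. the computer identity that mapped drives
#    via GPO and computer startup scripts run under; plain 'klist' shows your user.
klist -li 0x3e7 tgt
klist -li 0x3e7 get krbtgt/$Domain

# 3. Last 24 hours of Kerberos and Netlogon errors/warnings from the System log.
#    Read first: NETLOGON 5719 (no DC reachable / no secure session), NETLOGON 3210
#    (this computer failed to authenticate with a DC), Security-Kerberos 4
#    (KRB_AP_ERR_MODIFIED: stale machine password or duplicate SPN).
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos', 'NETLOGON'
    Level        = 2, 3                  # 2 = Error, 3 = Warning
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$events | Select-Object TimeCreated, ProviderName, Id,
    @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 4. If the secure channel is broken, reset the machine-account password in place.
#    This keeps the computer's SID, group memberships and any certificates bound to
#    the account, which deleting the object and re-joining throws away.
if (-not $secureChannel) {
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential "$Domain\Administrator")
}
```

If step 1 already fails while DNS and `ping` to a DC work, the problem is the machine account, not certificates. If step 1 passes but step 2 cannot obtain a ticket, check time skew (`w32tm /query /status`) and the events from step 3. For the replication angle, `repadmin /replsummary` and `dcdiag /test:replications` on a DC tell you whether different DCs are handing out different answers.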

Answered By CuriousAdmin07 On

I think it might be just coincidence. Certificates aren't typically involved in AD authentication directly. If you verified that all certificate migrations were successful, the decommission of a CA shouldn't have caused a domain trust issue. It might be worth looking into whether your Domain Controllers are properly replicating, as sometimes authentication failures happen when they can't recognize the correct credentials due to replication problems.
