I used this process to go from 2003 to 2016, and the main issue I'm having right now is that my domain controllers are saying:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
We're only really generating machine certificates for IAS authentication, and from a member server I was able to request a new cert.
But my domain controllers all have the error, and on certutil -verify I get:
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
Any help is appreciated!