ADCS Question After Server Migration


Hopefully someone can help me with this ADCS question.

Some years ago we needed a certificate server to implement a Wireless Network using WPA2 Enterprise Security.

This was implemented with an Enterprise Root CA on a DC and a subordinate CA on another DC.

We have 11 DCs across 4 states in 3 domains: 2 in the root domain and 1 in each state in each child domain.

Recently I migrated our Enterprise Root CA to Server 2016 from 2008 R2.

The only use being made of the CA's is for Wireless Security.

Following the migration procedure the old CA service was removed from the old DC before the new CA service was installed on the New DC. The new DC name changed but the Root CA name has not.

The Certificate database was exported and imported and certificates appear to be being issued.

What I don't understand is, firstly:

Why do all the domain controllers get a new certificate every day for Email Replication, Authentication, Kerberos and others?

Secondly, I am getting errors in the event logs of the servers saying that the revocation function was unable to check revocation because the revocation server was offline, and that's true: the old Root CA is removed from the domain and off.

When looking at the certificate information I can see the CRL distribution point is the old CA.

Any certificate with an expiration date after a certain date has the new CA as the CRL distribution point.

Currently each DC has around 1400 certificates in the personal certificate store; as I said, they just keep getting new certificates every day with expiration dates 1 day further into the future.

The old certificates will eventually expire, so can I just delete them so they don't attempt to renew and give the CRL error in the event logs?

Nothing seems to be non-functioning at the moment, but I just don't know what effect it will have.

I have seen in TechNet how to disable revocation checks but is that the best idea?

Any help appreciated, I have been on this for days.

Needless to say I do very little work with PKI.
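An added example, not code from the post or from Microsoft, of how to survey which CRL Distribution Points the certificates in a DC's machine store still reference before deciding what to delete. It assumes an elevated PowerShell session on the DC; the CDP extension OID (2.5.29.31) and the v1/v2 certificate template extension OIDs are the standard ones.

```powershell
# Inventory the DC's machine store and group certificates by the CRL Distribution
# Point URLs in their CDP extension (OID 2.5.29.31), so certificates that still
# reference the decommissioned CA can be counted and their last expiry found.
# Assumes an elevated session on a domain controller (example, not production code).
$cdpOid       = '2.5.29.31'
$templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')  # v1 / v2 template extensions

$inventory = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $cdpExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }
    $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -in $templateOids } | Select-Object -First 1
    $template = if ($tmplExt) { $tmplExt.Format($false) } else { '' }
    # Format($true) renders the extension as text; pull every URL= entry out of it.
    $urls = if ($cdpExt) {
        [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    } else { @('<no CDP extension>') }
    foreach ($url in $urls) {
        [pscustomobject]@{
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            Template = $template
            CdpUrl   = $url
        }
    }
}

# One row per distinct CDP URL: how many certificates still point at it and when
# the last of them expires (after that date nothing will try that CRL any more).
$inventory | Group-Object CdpUrl | ForEach-Object {
    [pscustomobject]@{
        CdpUrl      = $_.Name
        CertCount   = $_.Count
        LastExpires = ($_.Group | Sort-Object NotAfter -Descending | Select-Object -First 1).NotAfter
    }
} | Sort-Object CertCount -Descending | Format-Table -AutoSize

# Probe each distinct HTTP CDP once; an unreachable URL is what produces the
# "revocation server was offline" events. LDAP CDPs are not probed here.
$inventory.CdpUrl | Sort-Object -Unique | Where-Object { $_ -like 'http*' } | ForEach-Object {
    $probe = $_
    try {
        $resp = Invoke-WebRequest -Uri $probe -Method Head -UseBasicParsing -TimeoutSec 10
        '{0} -> HTTP {1}' -f $probe, $resp.StatusCode
    } catch {
        '{0} -> UNREACHABLE ({1})' -f $probe, $_.Exception.Message
    }
}
```

The first table shows which issuer/CDP combination the daily renewals are coming from and how long the old-CA references will linger; the probe confirms whether the new CA's CDP is reachable from the DC, which is the condition the revocation check actually needs.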
