Old certificates keep coming back

  • Question

  • Just successfully migrated to new hardware (CB on both) and removed the old server from DNS and system management. The old server certificates keep coming back to the SMS node under certificates and are causing issues accessing the new DP. Those are not custom certs, just the defaults that came when installing the previous server.

    How do we prevent them from coming back?

    Wednesday, July 29, 2020 5:24 PM

All replies

  • The certs under the SMS store for the local system are required for the client agent as they are part of the client's identity and provide it the ability to communicate securely for the site. They have nothing to do with the site server or any site roles.

    Why are you trying to delete them?

    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, July 29, 2020 7:12 PM
  • Once deleted and ccmexec restarted, the old certs no longer appear in the store, only the new ones. All USMT restore errors are now gone and we can restore user profiles. For some reason, the new PC tried to use the old decommissioned DP certs to access the new DP.
    Wednesday, July 29, 2020 8:19 PM
  • Right. As noted the certs are required. When you delete them, you delete the device's identity and it must recreate new ones to establish a new identity for the client. These are unrelated to DP certs or the DP in any way.

    It sounds like you are experiencing some other issue here.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, July 29, 2020 8:52 PM
  • When we migrated user profiles, capture went fine; however, we could not restore and got an access denied to the SMP. Once I ran the process above, everything started working as usual.
    Wednesday, July 29, 2020 10:27 PM
  • Were the profiles captured before or after the site migration?

    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, July 29, 2020 11:00 PM
  • After. It was the first time we did a profile migration post site migration. I am actually running some restores right now; I added a line to delete the SMS folder from the certificate store and restart the service, and everything works without an issue. This was the only way I could solve the issue.

    Thursday, July 30, 2020 12:24 AM
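The reset the poster describes (clear the SMS certificate store, restart the client service), as an added PowerShell example that is not from the thread or from Microsoft: it reports what is in the store first, and only removes anything when `-Reset` is given, since, as the replies note, those certificates are the client's own identity and will be regenerated. It assumes the standard store path `Cert:\LocalMachine\SMS` and the service name `CcmExec`.

```powershell
# Added example (not from the thread). Inspect the ConfigMgr client's SMS certificate
# store and, only when -Reset is given, remove the certificates and restart CcmExec so
# the client regenerates its identity and re-registers with the site.
# Assumptions: store path Cert:\LocalMachine\SMS, service name CcmExec.
function Reset-CcmClientIdentity {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [switch]$Reset   # without this switch the function only reports the store contents
    )

    $store = 'Cert:\LocalMachine\SMS'
    $certs = @(Get-ChildItem -Path $store -ErrorAction Stop)

    # Report first: these are the client's signing/encryption certs, so record what is
    # there (subject, thumbprint, validity) before touching anything.
    $certs |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter,
            @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } } |
        Format-Table -AutoSize | Out-String | Write-Host

    if (-not $Reset) { return }

    foreach ($cert in $certs) {
        # ShouldProcess honours -WhatIf / -Confirm, so the removal can be previewed.
        if ($PSCmdlet.ShouldProcess("$($cert.Subject) [$($cert.Thumbprint)]", 'Remove certificate')) {
            Remove-Item -Path $cert.PSPath
        }
    }

    # Restarting the client service makes it create a fresh identity and re-register.
    if ($PSCmdlet.ShouldProcess('CcmExec', 'Restart service')) {
        Restart-Service -Name CcmExec -Force
    }
}

# Report only:       Reset-CcmClientIdentity
# Preview removal:   Reset-CcmClientIdentity -Reset -WhatIf
# Perform the reset: Reset-CcmClientIdentity -Reset
```

Run it from an elevated PowerShell session on the client; the report-only form is safe to run at any time and is what to check when old certificates appear to "come back".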
  • Site migration is almost certainly the root culprit here -- something necessary for the computer associations is not being migrated, which is not surprising since the clients themselves get a new resource ID among other things and aren't truly migrated themselves.

    Just another reason not to use a migration unless you absolutely must; e.g., the AD domain is completely changing. New hardware is *not* a good reason to perform a migration.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Sunday, August 2, 2020 6:39 PM