IanPerry-2934 asked

Is it normal that Azure AD Connect Sync doesn't delete expired certificates?

We've been getting event 64 on multiple domain controllers looking like this:

 May 26 04:00:44 <DC NAME> MSWinEventLog 2 Application 50 Tue [user.emerg] May 26 04:00:30 2020 64 Microsoft-Windows-CertificateServicesClient-AutoEnrollment N/A N/A Warning <DC NAME>.internal.<DOMAIN>.com None Certificate for local system with Thumbprint d1 1b 68 2b 53 75 21 46 44 da f9 dc b2 25 22 48 ab 42 86 61 is about to expire or already expired. 40

After using:

 Get-ChildItem Cert:\ -Recurse | Where-Object {($_.Thumbprint -match "D11B68") -and ($_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2])} | Select-Object FriendlyName, NotAfter, Issuer, Thumbprint

to locate the certificate, I get the following:

 FriendlyName NotAfter             Issuer                                              Thumbprint
 ------------ --------             ------                                              ----------
              3/7/2019 10:37:45 PM CN=Microsoft PolicyKeyService Certificate Authority D11B682B5375214644DAF9DCB2252248AB428661

Is it normal for these certificates to not be removed after expiration? If so, would it be safe to remove it or automate removal of these expired certs? Help is appreciated.

azure-ad-connect

1 Answer

MarileeTurscak-MSFT answered

Yes, once they expire they can sit there. You may need to remove them using a PowerShell script like this one to clear them out. If they have similar names to existing ones then you

From the troubleshooting guide:

Reduce the number of certificate values on the on-premises AD object (15 or less) by removing values that are no longer in use by your organization. This is suitable if the attribute bloat is caused by expired or unused certificates. You can use the PowerShell script available here to help find, backup, and delete expired certificates in your on-premises AD. Before deleting the certificates, it is recommended that you verify with the Public-Key-Infrastructure administrators in your organization.

See also: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-adsynctools

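The find, back up, then delete workflow the answer describes, as an added example written for this page (it is not the script from the linked troubleshooting guide or any Microsoft tool); the object DN, the backup folder and the -Commit switch are assumptions:

```powershell
# Added example for this page; not the script from the linked guide or any Microsoft tool.
# Finds expired values in an AD object's userCertificate attribute, backs each one up
# as a .cer file, and removes it only when -Commit is given. Assumes the ActiveDirectory
# module (RSAT), write rights on the object, and an assumed backup folder.
function Remove-ExpiredUserCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [string] $BackupDir = 'C:\CertBackup',   # assumed location
        [switch] $Commit                         # without it the function only reports
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $obj = Get-ADObject -Identity $DistinguishedName -Properties userCertificate
    $now = Get-Date
    $expired = [System.Collections.Generic.List[byte[]]]::new()

    foreach ($raw in $obj.userCertificate) {
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        } catch {
            Write-Warning 'Skipping a userCertificate value that does not parse as X.509'
            continue
        }
        if ($cert.NotAfter -ge $now) { continue }   # still valid: never touched
        # Back up before any change so the value can be re-added if a PKI admin objects.
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $file = Join-Path $BackupDir ('{0}_{1}.cer' -f $obj.Name, $cert.Thumbprint)
        [System.IO.File]::WriteAllBytes($file, $raw)
        $line = 'expired {0} (NotAfter {1}, issuer {2}) backed up to {3}'
        Write-Host ($line -f $cert.Thumbprint, $cert.NotAfter, $cert.Issuer, $file)
        $expired.Add($raw)
    }

    $total = @($obj.userCertificate).Count
    Write-Host ('{0} of {1} certificate values on {2} are expired' -f $expired.Count, $total, $obj.Name)
    if (-not $Commit) { Write-Host 'Report only; rerun with -Commit to remove them.'; return }

    # Remove one value at a time so a failure on one cert does not abort the rest.
    foreach ($raw in $expired) {
        Set-ADObject -Identity $obj -Remove @{ userCertificate = $raw }
    }
    $left = $total - $expired.Count
    Write-Host ('Removed {0} value(s); {1} remain (guide target: 15 or fewer)' -f $expired.Count, $left)
}

# Usage (the DN is an assumed placeholder). The same NotAfter check is what separates the
# expired local-store items returned by Get-ChildItem Cert:\ in the question from live ones.
Remove-ExpiredUserCertificate -DistinguishedName 'CN=DC01,OU=Domain Controllers,DC=example,DC=com'
```

Run it without -Commit first and share the backup folder with the PKI administrators, as the quoted guide advises, before the removal pass.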