Domain controllers are part of the chain of trust for PKI authentications. Without the appropriate certificate, the authenticity of the domain controller cannot be verified. Domain controllers must have a server certificate to establish authenticity as part of PKI authentications in the domain.
Check
This applies to domain controllers. It is not applicable for other systems.
Run "MMC".
Select "Add/Remove Snap-in" from the "File" menu.
Select "Certificates" in the left pane, and then click "Add >".
Select "Computer Account", and then click "Next".
Select the appropriate option for "Select the computer you want this snap-in to manage", and then click "Finish".
Click "OK".
Select and expand the "Certificates (Local Computer)" entry in the left pane.
Select and expand the "Personal" entry in the left pane.
Select the "Certificates" entry in the left pane.
If no certificate for the domain controller exists in the right pane, this is a finding.
Fix
Obtain a server certificate for the domain controller.