Domain Controller Certificate Problem

MOITExperts asked:

We are running a Windows 2000 domain with several domain controllers.  We have an Enterprise CA (also Windows 2000, Standard Edition).  Our root CA certificate expired Friday, 5/28.  We renewed the root CA certificate about an hour ago, and all of our DC's except for one renewed their certs with no issues.  The one DC that is being problematic doesn't appear to have attempted to renew, and has an event from 5/28, shortly before the old certificate expired, that says:

Winlogon, Event ID 1011

The certificate returned from an auto-enrollment is incorrect.  Subsequent auto-enrollment cycles will ignore reasons for failure.  Please contact your system administrator.  The reasons for failure are listed below:

The certificate is no longer trusted for the following reason (0x800b0101) A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

----

We have tried rebooting, and forcing a group policy refresh, but neither seems to have any effect.  Any suggestions?
Sailboat38:

Just out of curiosity, is the date/time correct on the problematic DC?
MOITExperts (asker):

Yes, date/time is the exact same on all DC's.
I should add 2 more things:

First, the second part of the message "The certificate is no longer trusted for the following reason (0x800b0101) A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file." appeared on all the DC's, before re-enrollment.  Makes sense, the cert is about to expire.  The first part, referencing "The certificate returned from an auto-enrollment is incorrect." only appeared on this one.

Second, we've verified on the CA, and in the computer certificate store local to the DC, that no certificate has been issued.
Is the domain controller's computer object in the correct OU?

Any Group Policy processing errors in the log?
Yes, OU is good.  Last event on GP from an hour ago: Security policy in the Group policy objects has been applied successfully.
I would try requesting the certificate for a domain controller manually from MMC and then reboot the server.
We tried "renew the certificate" from the Personal Store in the certificates MMC, but got an error with the same text about date/time.
Can you verify that the root CA certificate on the domain controller in question is also the renewed one? Is it possible that the client does not have the latest root certificate of the CA?

MMC, Snapin certificates, My Computer, "root certification authority" tab, check if you have the latest Root cert certificate.
Yes, we checked and it does in fact have the new certificate.
How about just requesting a new domain controller certificate through MMC instead of renewing the certificate in question?

Just one more thought, can you try running netdiag on the domain controller, is it okay?

When you say requesting a new domain controller certificate, what steps do you suggest?  We tried computer certificates > personal > renew, but got the error mentioned above.  Is there somewhere else?

As for netdiag, all tests passed.
Try MMC computer certificates > Personal, right-click on Personal, select All Tasks -> Request New Certificate.

Yup, that's what we did.  No go - got the error referencing invalid time/date listed above.
ASKER CERTIFIED SOLUTION
simonlimon (Slovenia):

This solution is only available to members.
Interesting find!  This is exactly what's happening - although it's odd that all the other DC's renewed without a problem, but I'm not complaining!

I don't see any automatic attempts for renewal on the CA that failed, but I do see my manual attempt in failed requests.

Now - the big question - if we request a new cert, instead of renewing, what impact will that have?  And no, no smart cards
Sorry, hit submit too fast - sorry, no smart cards or LDAPS.
We went through the "request new certificate with same key" this morning, and it seemed to work perfectly.

Thanks!
Great, I'm glad I could help :)

Now - the big question - if we request a new cert, instead of renewing, what impact will that have?

If you had some information encrypted with that certificate or for that certificate you couldn't decrypt it, that would be the main impact.
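The checks the thread walks through by hand (is the clock right, does the DC still trust the renewed root, is the DC's own certificate past its validity period, did autoenrollment log an error) can be scripted. The following is an added example, not code from the thread or from any of its participants, and it assumes a modern Windows domain controller with PowerShell 3 or later, which the Windows 2000 hosts in the thread did not have. The peer name 'DC01', the CertificateServicesClient-AutoEnrollment provider name used for the event query, and the 'DomainController' template name in the certreq comment are assumptions about the environment, not facts from the page.

```powershell
# Added example, not part of the thread above: automate the checks the
# posters did by hand (clock skew, DC certificate validity, trusted root
# present, autoenrollment errors in the event log). Assumes a modern
# Windows DC with PowerShell 3+; 'DC01' is a hypothetical peer DC used
# only as a clock reference.
param([string]$PeerDc = 'DC01')

$CERT_E_EXPIRED = 0x800B0101   # the HRESULT quoted in the Winlogon 1011 event

function Get-ClockSkewSeconds {
    param([string]$Peer)
    # Win32_OperatingSystem.LocalDateTime is returned as [datetime] under CIM.
    try {
        $remote = (Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $Peer).LocalDateTime
        return [math]::Abs(((Get-Date) - $remote).TotalSeconds)
    } catch {
        Write-Warning "Could not read the clock on $Peer : $($_.Exception.Message)"
        return $null
    }
}

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # V1 templates carry the name in 1.3.6.1.4.1.311.20.2 (e.g. 'DomainController');
    # V2 templates use 1.3.6.1.4.1.311.21.7 and carry the template OID instead.
    $ext = $Cert.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
        Select-Object -First 1
    if ($ext) { return ($ext.Format($false)).Trim() }
    return '(no template extension)'
}

function Test-MachineCertificates {
    # One row per certificate in the machine's Personal store, with chain status.
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline triage; check revocation separately
        $null = $chain.Build($cert)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Subject     = $cert.Subject
            Template    = Get-TemplateName $cert
            NotBefore   = $cert.NotBefore
            NotAfter    = $cert.NotAfter
            DaysLeft    = [int]($cert.NotAfter - (Get-Date)).TotalDays
            ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            ChainRoot   = $root.Subject
            # The thread's question "does this DC have the renewed root?", answered
            # by looking the chain's top certificate up in the machine Root store.
            RootTrusted = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
        }
    }
}

function Get-AutoEnrollmentErrors {
    # The 0x800B0101 text in the thread came from Winlogon 1011 on Windows 2000;
    # newer systems log machine autoenrollment under this provider (assumed name).
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
        Select-Object TimeCreated, Id, Message
}

# --- run the triage ---
$skew = Get-ClockSkewSeconds -Peer $PeerDc
if ($null -ne $skew) { 'Clock skew vs {0}: {1:N1} s' -f $PeerDc, $skew }

$rows = Test-MachineCertificates
$rows | Format-Table Subject, Template, NotAfter, DaysLeft, ChainStatus, RootTrusted -AutoSize

$expired = $rows | Where-Object { $_.ChainStatus -match 'NotTimeValid' }
if ($expired) {
    'CERT_E_EXPIRED (0x{0:X8}) would be reported for:' -f $CERT_E_EXPIRED
    $expired | ForEach-Object { "  $($_.Subject)  [$($_.Template)]  expired $($_.NotAfter)" }
    # Renewing an already-expired certificate fails with the same error the thread
    # saw; request a fresh one instead (template name assumed):
    #   certutil -pulse                                (trigger machine autoenrollment now)
    #   certreq -enroll -machine -q DomainController   (or the template your CA publishes)
}

Get-AutoEnrollmentErrors
```

Run it elevated on the affected DC. A NotTimeValid entry with RootTrusted still true reproduces the thread's situation: the renewed root is present, but the DC's own certificate is past its validity period, so a renewal request that chains through the expired certificate is rejected while a new request succeeds.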