Solved

Certificate error - Exchange server removes

Posted on 2012-04-03
Last Modified: 2012-06-22
I began to see recurring App log and Sys log error entries over the weekend on Server4 and Server5, both DCs.

The App log entries are:

6 CertificateServicesClient-AutoEnrollment, Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

13 CertificateServicesClient-CertEnroll, Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from mailsvr.mydomain.com\CA Server (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

The Sys log entries are:

10009 DistributedCOM, DCOM was unable to communicate with the computer mailsvr.mydomain.com using any of the configured protocols.

The server mailsvr.mydomain.com was decommissioned when Exchange was updated. I suspect there is an old cert referencing mailsvr, but I don't know enough about certs to locate and remove it, and don't want to screw up Exchange.

Just need to know where to look and find the old cert. Then I just delete it?

Thanks.
Question by:abpExpert
5 Comments
 
LVL 17

Expert Comment

by:Tony Massa
ID: 37801911
Look in one of your group policies; you probably want to disable automatic enrollment. See if automatic enrollment is enabled via GPO.
http://technet.microsoft.com/en-us/library/dd851772.aspx

The old CA object is probably still in AD within AD Sites and Services:  http://www.agileconcepts.com/Blogs/AQ/Lists/Posts/Post.aspx?ID=22
 

Author Comment

by:abpExpert
ID: 37803131
Thanks.

How do I find the object/reference/certificate and remove it to get rid of the errors? ADSIEDIT?
 

Author Comment

by:abpExpert
ID: 37811930
Follow up to question:
In doing research, the server was removed from the environment and carved out. It was an Exchange server and issued a still valid certificate. I see the certificate's reference in Sites and Services in the Public Key folder.

Question is how to remove the references in Active Directory without impacting the environment negatively. The other 2003 Server in the environment is unable to load Certificate Services, and the Certificate Authority console cannot load and cannot be retargeted to the non-existent mailsvr.mydomain.com.
 

Accepted Solution

by:
abpExpert earned 0 total points
ID: 37844550
In Active Directory Sites and Services, switched the view to Services Mode, and navigated to Services -> Public Key Services -> AIA.
As you can see, the CA in question (CA Server) was still listed. This was an old CA on the svr.mydomain.COM server that has since been removed. Removed this instance as well as the other listings that were in the CDP, Certificate Authorities, and KRA.


Then ran the following commands in an elevated Command Prompt:
"certutil -dcinfo deleteBad"
"gpupdate /force"


Domain Controller servers will need a reboot (as discussed).

Certificate errors are no longer being produced.
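The accepted solution above removes stale CA objects by hand in AD Sites and Services and then clears the cached DC certificates. The following PowerShell is an added example, not code from the original thread or from anyone in it: it enumerates the same containers under Services -> Public Key Services, flags entries whose host name no longer resolves (as the decommissioned mailsvr.mydomain.com would), keeps the actual removal behind -WhatIf so nothing is deleted before the list is reviewed, and finally checks whether the Event IDs from the question (6, 13 and 10009) are still being logged. It assumes the ActiveDirectory and DnsClient modules are available, that the account has read (and, for removal, write) rights on the Configuration partition, and the function names Get-PkiServiceEntries and Get-PkiEnrollmentErrors are this example's own.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory and
# DnsClient modules and rights on the Configuration naming context.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$pkiBase    = "CN=Public Key Services,CN=Services,$configNC"
# The containers the accepted solution cleaned out, plus Enrollment Services,
# which is what autoenrollment reads to find a CA to talk to.
$containers = 'AIA', 'CDP', 'Certification Authorities', 'KRA', 'Enrollment Services'

function Get-PkiServiceEntries {
    foreach ($c in $containers) {
        $base = "CN=$c,$pkiBase"
        try {
            $objs = Get-ADObject -Filter * -SearchBase $base -SearchScope Subtree `
                -Properties dNSHostName, whenChanged -ErrorAction Stop
        } catch { continue }   # container not present in this forest

        foreach ($e in ($objs | Where-Object { $_.DistinguishedName -ne $base })) {
            # Enrollment Services objects carry dNSHostName; CDP child containers are
            # named after the issuing server, so fall back to the object name there.
            $hostName = if ($e.dNSHostName) { $e.dNSHostName }
                        elseif ($c -eq 'CDP' -and $e.ObjectClass -eq 'container') { $e.Name }
                        else { $null }
            $resolves = $null
            if ($hostName) {
                $resolves = [bool](Resolve-DnsName -Name $hostName -ErrorAction SilentlyContinue)
            }
            [pscustomobject]@{
                Container    = $c
                Name         = $e.Name
                ObjectClass  = $e.ObjectClass
                HostName     = $hostName
                HostResolves = $resolves
                LastChanged  = $e.whenChanged
                DN           = $e.DistinguishedName
            }
        }
    }
}

$entries = Get-PkiServiceEntries
$entries | Format-Table Container, Name, ObjectClass, HostName, HostResolves, LastChanged -AutoSize

# Removal candidates: entries whose host no longer resolves. Review the list first;
# the thread's own next steps were "certutil -dcinfo deleteBad", "gpupdate /force"
# and a reboot of the DCs. Drop -WhatIf only once the list is confirmed.
$stale = $entries | Where-Object { $_.HostResolves -eq $false }
# $stale | ForEach-Object { Remove-ADObject -Identity $_.DN -Recursive -Confirm:$false -WhatIf }

# Verification: are the events from the question still appearing on this DC?
function Get-PkiEnrollmentErrors {
    param([int]$Hours = 24)
    $since   = (Get-Date).AddHours(-$Hours)
    $filters = @(
        @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'; Id = 6;     StartTime = $since }
        @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll';     Id = 13;    StartTime = $since }
        @{ LogName = 'System';      ProviderName = 'Microsoft-Windows-DistributedCOM';                          Id = 10009; StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, ProviderName,
                @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
    }
}
Get-PkiEnrollmentErrors -Hours 24
```

Run it once before touching anything to get a record of what was in the containers, and again after the reboot: an empty result from Get-PkiEnrollmentErrors over a full day is the same confirmation the author reports in the closing comment.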
 

Author Closing Comment

by:abpExpert
ID: 37859741
The solution provided resolved the situation. Specifically, there was not a CA available to use to revoke the certificates. Carving the instances out of AD worked. Event ID 6/13 are no longer showing up.
