
Certificate error - Exchange server removes

I began to see recurring App log and Sys log error entries over the weekend on Server4 and Server5, both DCs.

The App log entries are:

6 CertificateServicesClient-AutoEnrollment, Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

13 CertificateServicesClient-CertEnroll, Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from mailsvr.mydomain.com\CA Server (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).  

The Sys log entries are:

10009 DistributedCOM, DCOM was unable to communicate with the computer mailsvr.mydomain.com using any of the configured protocols.

The server mailsvr.mydomain.com was decommissioned when Exchange was updated. I suspect there is an old cert referencing mailsvr, but I don't know enough about certs to locate and remove it, and I don't want to screw up Exchange.

Just need to know where to look and find the old cert. Then I just delete it?

Thanks.
Asked by abpExpert

1 Solution
 
Tony Massa Commented:
Look in one of your group policies; you probably want to disable automatic enrollment. See if automatic enrollment is enabled via GPO.
http://technet.microsoft.com/en-us/library/dd851772.aspx

The old CA object is probably still in AD within AD Sites and Services:  http://www.agileconcepts.com/Blogs/AQ/Lists/Posts/Post.aspx?ID=22
 
abpExpert (Author) Commented:
Thanks.

How do I find the object/reference/certificate and remove it to get rid of the errors?  ADSIEDIT?
 
abpExpert (Author) Commented:
Follow up to question:
In doing research, the server was removed from the environment and carved out. It was an Exchange server and issued a still valid certificate. I see the certificate's reference in Sites and Services in the Public Key folder.

Question is how to remove the references in Active Directory without impacting the environment negatively. The other 2003 Server in the environment is unable to load Certificate Services, and the Certificate Authority console cannot load and cannot be retargeted to the non-existent mailsvr.mydomain.com.
 
abpExpert (Author) Commented:
In Active Directory Sites and Services, switched the view to Services mode and navigated to Services -> Public Key Services -> AIA.
As you can see, the CA in question (CA Server) was still listed. This was an old CA on the svr.mydomain.COM server that has since been removed. Removed this instance as well as the other listings that were in the CDP, Certificate Authorities, and KRA.


Then ran the following commands in an elevated Command Prompt:
"certutil -dcinfo deleteBad"
"gpupdate /force"


Domain Controller servers will need a reboot (as discussed)

Certificate errors are no longer being produced
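An added example, not from the thread or its participants: a read-only PowerShell inventory of the same Public Key Services containers the asker cleaned by hand (AIA, CDP, Certification Authorities, Enrollment Services, KRA), so stale CA references can be reviewed before anything is removed. It assumes the RSAT ActiveDirectory module on a domain-joined host; the decommissioned host name is a placeholder taken from the thread.

```powershell
# Added example (not from the original thread): read-only inventory of the
# CA references published under CN=Public Key Services in the AD
# configuration partition. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Host name of the decommissioned CA. Placeholder from the thread; replace it.
$DecommissionedHost = 'mailsvr.mydomain.com'
$shortHost = $DecommissionedHost.Split('.')[0]

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Every object below Public Key Services, with the attributes that carry a
# CA host name or a DER-encoded certificate.
$objects = Get-ADObject -SearchBase $pkiBase -SearchScope Subtree -Filter * `
    -Properties objectClass, dNSHostName, cACertificate, userCertificate

$report = foreach ($obj in $objects) {
    # Decode published certificates so subject and expiry are reviewable.
    $blobs = @($obj.cACertificate) + @($obj.userCertificate) | Where-Object { $_ }
    $certs = foreach ($raw in $blobs) {
        try   { New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,[byte[]]$raw) }
        catch { Write-Warning "Undecodable certificate blob on $($obj.DistinguishedName)" }
    }

    # A reference is suspect when it names the removed host: the Enrollment
    # Services dNSHostName, or a CDP/AIA object named after the server.
    $stale = ($obj.dNSHostName -and $obj.dNSHostName -ieq $DecommissionedHost) -or
             ($obj.DistinguishedName -match "^CN=$([regex]::Escape($shortHost)),")

    [pscustomobject]@{
        # Parent container (AIA, CDP, ...); assumes no escaped commas in the CN.
        Container    = (($obj.DistinguishedName -split ',')[1]) -replace '^CN=', ''
        Name         = $obj.Name
        Class        = $obj.objectClass
        Host         = $obj.dNSHostName
        Certificates = ($certs | ForEach-Object { "$($_.Subject) (expires $($_.NotAfter.ToShortDateString()))" }) -join '; '
        Stale        = $stale
    }
}

# Nothing is deleted here: review the flagged rows, then remove them in
# AD Sites and Services (or with Remove-ADObject) as the asker did, and
# follow with certutil -dcinfo deleteBad and gpupdate /force on the DCs.
$report | Sort-Object Stale -Descending | Format-Table -AutoSize
```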
 
abpExpert (Author) Commented:
The solution provided resolved the situation. Specifically, there was not a CA available to use to revoke the certificates. Carving the instances out of AD worked. Event ID 6/13 are no longer showing up.