Solved

Certificate error - Exchange server removed

Posted on 2012-04-03
885 Views
Last Modified: 2012-06-22
I began to see recurring App log and Sys log error entries over the weekend on Server4 and Server5, both DCs.

The App log entries are:

6 CertificateServicesClient-AutoEnrollment, Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

13 CertificateServicesClient-CertEnroll, Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from mailsvr.mydomain.com\CA Server (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).  

The Sys log entries are:

10009 DistributedCOM, DCOM was unable to communicate with the computer mailsvr.mydomain.com using any of the configured protocols.

The server mailsvr.mydomain.com was decommissioned when Exchange was updated. I suspect there is a old cert referencing mailsvr but I don't know enough about certs to locate and remove it, don't want to screw up Exchange.

Just need to know where to look and find the old cert.  then I just delete it?

Thanks.
Question by:abpExpert
5 Comments
 
LVL 17

Expert Comment

by:Tony Massa
ID: 37801911
Look in one of your group policies; you probably want to disable automatic enrollment. See if automatic enrollment is enabled via GPO.
http://technet.microsoft.com/en-us/library/dd851772.aspx

The old CA object is probably still in AD within AD Sites and Services:  http://www.agileconcepts.com/Blogs/AQ/Lists/Posts/Post.aspx?ID=22

Author Comment

by:abpExpert
ID: 37803131
Thanks.

How do I find the object/reference/certificate and remove it to get rid of the errors?  ADSIEDIT?

Author Comment

by:abpExpert
ID: 37811930
Follow up to question:
In doing research, the server was removed from the environment and carved out. It was an Exchange server and issued a still valid certificate. I see the certificate's reference in Sites and Services in the Public Key folder.

Question is how to remove the references in Active Directory without impacting the environment negatively. The other 2003 server in the environment is unable to load Certificate Services, and the Certificate Authority console cannot load and cannot be retargeted to the non-existent mailsvr.mydomain.com.

Accepted Solution

by:
abpExpert earned 0 total points
ID: 37844550
In Active Directory Sites and Services, Switched the view to Services Mode, and navigated to the Services->Public Key Services->AIA.
As you can see, the CA in question (CA Server) was still listed. This was an old CA on the svr.mydomain.COM server that has since been removed. Removed this instance as well as the other listings that were in the CDP, Certification Authorities, KRA.


Then ran the following commands in an elevated command prompt:
"certutil -dcinfo deleteBad"
"gpupdate /force"


Domain Controller servers will need a reboot (as discussed)

Certificate errors are no longer being produced
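The cleanup the accepted solution walked through by hand (Services view of AD Sites and Services, then certutil and gpupdate) can be scripted so you see exactly which objects still advertise the dead CA before anything is deleted. The script below is an added example, not code from this thread or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, that you run it as an Enterprise Admin, and it defaults the CA name and host to the values quoted in the event text above ("CA Server" on mailsvr.mydomain.com). It also inspects the Enrollment Services container, which the post does not mention but which holds the pKIEnrollmentService object autoenrollment clients actually contact, and reads the AEPolicy value so you can tell whether the GPO alternative Tony Massa suggested is in effect. Without -Remove it only reports.

```powershell
<#
  Added example (not from the original post): enumerate and optionally delete the
  Active Directory objects that still reference a decommissioned enterprise CA,
  then run the certutil/gpupdate follow-up the accepted solution used.
  Assumptions: RSAT ActiveDirectory module, Enterprise Admin rights, and the
  CA name / host taken from the Event 13 text above.
#>
param(
    [string]$CaName = 'CA Server',            # assumed from the event text
    [string]$CaHost = 'mailsvr.mydomain.com', # assumed from the event text
    [switch]$Remove
)
Import-Module ActiveDirectory -ErrorAction Stop

$configNC = (Get-ADRootDSE).configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNC"
$caShort  = ($CaHost -split '\.')[0]   # the CDP container is named after the short host name

# Containers where an enterprise CA publishes itself. Enrollment Services is the one
# autoenrollment clients query, so a leftover object there is what yields the
# 0x800706ba "RPC server is unavailable" failures in Event 6/13.
$containers = @(
    "CN=AIA,$pks",
    "CN=CDP,$pks",
    "CN=Certification Authorities,$pks",
    "CN=Enrollment Services,$pks",
    "CN=KRA,$pks"
)

# Match on the CA common name, on the CDP host container, or on dNSHostName
$filter = "(|(cn=$CaName)(cn=$caShort)(dNSHostName=$CaHost))"

$stale = foreach ($c in $containers) {
    Get-ADObject -SearchBase $c -SearchScope Subtree -LDAPFilter $filter `
                 -Properties objectClass, dNSHostName -ErrorAction SilentlyContinue
}

if (-not $stale) {
    Write-Host "No objects referencing '$CaName' / '$CaHost' under $pks"
    return
}

# Delete children before parents (longer DN first) so the CDP host container
# is already empty when its own turn comes.
$stale = $stale | Sort-Object { $_.DistinguishedName.Length } -Descending

foreach ($obj in $stale) {
    if ($Remove) {
        Remove-ADObject -Identity $obj.DistinguishedName -Confirm:$false
        Write-Host "Removed: $($obj.DistinguishedName)"
    } else {
        Write-Host "Would remove [$($obj.objectClass)]: $($obj.DistinguishedName)"
    }
}

if ($Remove) {
    # Same follow-up as the accepted solution: drop DC certificates that no longer
    # chain to a reachable CA, then refresh policy. Reboot the DCs afterwards.
    & certutil.exe -dcinfo deleteBad
    & gpupdate.exe /force
}

# Status checks for the symptoms in the original post. AEPolicy 0x8000 means
# autoenrollment is disabled by policy; 0x1/0x3/0x7 mean it is enabled.
$ae = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
      -ErrorAction SilentlyContinue
Write-Host ("AEPolicy: 0x{0:X}" -f [int]($ae.AEPolicy))

$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 6, 13; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    Where-Object ProviderName -like 'Microsoft-Windows-CertificateServicesClient-*' |
    Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
```

Run it once without -Remove and check that every reported DN really belongs to the dead CA; removing the Certification Authorities entry also stops the CA's root certificate being pushed to domain members, which is the intended effect here but worth knowing before you delete it. One thing this script does not touch: the CN=NTAuthCertificates object under Public Key Services keeps a copy of each enterprise CA certificate in its multi-valued cACertificate attribute, and that is edited with certutil -viewdelstore rather than by deleting the object.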

Author Closing Comment

by:abpExpert
ID: 37859741
The solution provided resolved the situation. Specifically, there was not a CA available to use to revoke the certificates. Carving the instances out of AD worked. Event ID 6/13 are no longer showing up.