Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Certificate error - Exchange server removes

Posted on 2012-04-03
5
Medium Priority
?
919 Views
Last Modified: 2012-06-22
I began to see recurring App log and Sys log error entries over the weekend on Server4 and Server5, both DCs.

The App log entries are:

6 CertificateServicesClient-AutoEnrollment, Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

13 CertificateServicesClient-CertEnroll, Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from mailsvr.mydomain.com\CA Server (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).  

The Sys log entries are:

10009 DistributedCOM, DCOM was unable to communicate with the computer mailsvr.mydomain.com using any of the configured protocols.

The server mailsvr.mydomain.com was decommissioned when Exchange was updated. I suspect there is a old cert referencing mailsvr but I don't know enough about certs to locate and remove it, don't want to screw up Exchange.

Just need to know where to look and find the old cert.  then I just delete it?

Thanks.
0
Comment
Question by:abpExpert
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
5 Comments
 
LVL 17

Expert Comment

by:Tony Massa
ID: 37801911
Look in one your group policies, you probably want to disable automatic enrollment.  See if automatic enrollment is enabled via GPO.
http://technet.microsoft.com/en-us/library/dd851772.aspx

The old CA object is probably still in AD within AD Sites and Services:  http://www.agileconcepts.com/Blogs/AQ/Lists/Posts/Post.aspx?ID=22
0
 

Author Comment

by:abpExpert
ID: 37803131
Thanks.

How do I find the object/reference/certificate and remove it to get rid of the errors?  ADSIEDIT?
0
 

Author Comment

by:abpExpert
ID: 37811930
Follow up to question:
In doing research, the server was removed from the environment and carved out.  It was an exchange server and issued a a still valid certificate.  I see the certificates reference in Sites and Services in the Public Key folder.  

Question is how to remove the references in Active Directory without impacting the environment negatively.  The other 2003 Server in the environment  is unable to load certificate services and the Certificate Authority console cannot load and cannot not be retargeted to the non existent mailsvr.mydomain.com
0
 

Accepted Solution

by:
abpExpert earned 0 total points
ID: 37844550
In Active Directory Sites and Services, Switched the view to Services Mode, and navigated to the Services->Public Key Services->AIA.
As you can see the CA in question (CA Server) was still listed. This was a old CA on the svr.mydomain.COM server that has since been removed. Removed this instance as well as the other listings that were in the CDP, Certificate Authorities, KRA.


Then ran the following commands in a Elevated Commad Prompt:
"certutil -dcinfo deleteBad"
"gpupdate /force"


Domain Controller servers will need a reboot (as discussed)

Certificate errors are no longer being produced
0
 

Author Closing Comment

by:abpExpert
ID: 37859741
The solution provided resolved the situation.  Specifically there was not a CA available to use to revoke the certificates.  Carving the isntances out of AD worked. Event ID 6/13 are no longer showing up.
0

Featured Post

Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

664 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question