Certificate error - Exchange server removes

Posted on 2012-04-03
866 Views
Last Modified: 2012-06-22
I began to see recurring App log and Sys log error entries over the weekend on Server4 and Server5, both DCs.

The App log entries are:

6 CertificateServicesClient-AutoEnrollment, Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

13 CertificateServicesClient-CertEnroll, Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from mailsvr.mydomain.com\CA Server (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

The Sys log entries are:

10009 DistributedCOM, DCOM was unable to communicate with the computer mailsvr.mydomain.com using any of the configured protocols.

The server mailsvr.mydomain.com was decommissioned when Exchange was updated. I suspect there is an old cert referencing mailsvr, but I don't know enough about certs to locate and remove it, and I don't want to screw up Exchange.

Just need to know where to look and find the old cert. Then I just delete it?

Thanks.
Question by:abpExpert
5 Comments
Expert Comment

by:Tony Massa
ID: 37801911
Look in one of your group policies; you probably want to disable automatic enrollment. See if automatic enrollment is enabled via GPO.
http://technet.microsoft.com/en-us/library/dd851772.aspx

The old CA object is probably still in AD within AD Sites and Services:  http://www.agileconcepts.com/Blogs/AQ/Lists/Posts/Post.aspx?ID=22

Author Comment

by:abpExpert
ID: 37803131
Thanks.

How do I find the object/reference/certificate and remove it to get rid of the errors? ADSIEDIT?

Author Comment

by:abpExpert
ID: 37811930
Follow up to question:
In doing research, the server was removed from the environment and carved out. It was an Exchange server and issued a still valid certificate. I see the certificate's reference in Sites and Services in the Public Key folder.

Question is how to remove the references in Active Directory without impacting the environment negatively. The other 2003 Server in the environment is unable to load Certificate Services, and the Certificate Authority console cannot load and cannot be retargeted to the non-existent mailsvr.mydomain.com.

Accepted Solution

by:abpExpert
ID: 37844550
In Active Directory Sites and Services, I switched the view to Services mode and navigated to Services -> Public Key Services -> AIA.
As you can see, the CA in question (CA Server) was still listed. This was an old CA on the svr.mydomain.COM server that has since been removed. I removed this instance as well as the other listings that were in CDP, Certificate Authorities and KRA.


Then I ran the following commands in an elevated Command Prompt:
"certutil -dcinfo deleteBad"
"gpupdate /force"


Domain Controller servers will need a reboot (as discussed).

Certificate errors are no longer being produced.
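The accepted solution above found the stale CA entries by clicking through AD Sites and Services. As an added example (my own script, not code from any post in this thread), here is the same inventory done from PowerShell so you can see every object in the Public Key Services containers that still points at a decommissioned CA before you delete anything. It assumes a domain-joined machine with rights on the Configuration partition (Enterprise Admins for the delete step) and uses only the built-in ADSI/DirectorySearcher classes, so it does not need the ActiveDirectory module. The host name and CA name are placeholders taken from the thread; the `-Remove` switch is my own addition, so the default run is read-only. Note that the container is actually named "Certification Authorities" in AD (the post calls it "Certificate Authorities"), and that "Enrollment Services" is included because its pKIEnrollmentService object is what autoenrollment uses to locate a CA.

```powershell
# Added example (not from the original thread): enumerate the PKI objects in the
# Configuration partition that autoenrollment and DCOM will still try to contact,
# and flag any that reference a decommissioned CA host or CA name.
# Assumptions: run elevated on a domain-joined machine; $OldHost/$OldCaName are
# placeholders taken from the thread, and -Remove is an added safety switch.
param(
    [string]$OldHost   = 'mailsvr.mydomain.com',  # decommissioned CA server (from the thread)
    [string]$OldCaName = 'CA Server',             # CA common name (from the thread)
    [switch]$Remove                               # default run is read-only
)

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"
$shortHost = ($OldHost -split '\.')[0]            # CDP entries are keyed by NetBIOS/short host name

# Containers the accepted solution cleaned up (AIA, CDP, Certification Authorities, KRA)
# plus Enrollment Services, whose pKIEnrollmentService object autoenrollment queries.
$containers = 'AIA', 'CDP', 'Certification Authorities', 'Enrollment Services', 'KRA'

$hits = foreach ($c in $containers) {
    $containerDn = "CN=$c,$pkiBase"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$containerDn")
    $searcher.Filter      = '(objectClass=*)'
    $searcher.SearchScope = 'Subtree'             # CDP has a per-server sub-container
    foreach ($attr in 'distinguishedName', 'dNSHostName') { [void]$searcher.PropertiesToLoad.Add($attr) }

    foreach ($r in $searcher.FindAll()) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        if ($dn -ieq $containerDn) { continue }   # skip the container itself
        $dnsName = ''
        if ($r.Properties['dnshostname'].Count -gt 0) { $dnsName = [string]$r.Properties['dnshostname'][0] }

        # Match on the CA name (AIA/CA/KRA/Enrollment objects), the short host
        # name (CDP sub-container) or the dNSHostName attribute (Enrollment Services).
        $match = ($dn -like "*CN=$OldCaName,*") -or
                 ($dn -like "*CN=$shortHost,*")  -or
                 ($dnsName -ieq $OldHost)
        if ($match) {
            [pscustomobject]@{ Container = $c; DistinguishedName = $dn; DnsHostName = $dnsName }
        }
    }
}

if (-not $hits) {
    Write-Host "No objects under $pkiBase reference $OldHost / '$OldCaName'."
    return
}
$hits | Format-Table -AutoSize

if ($Remove) {
    # Delete deepest DNs first so a CDP child is gone before its parent container.
    foreach ($h in ($hits | Sort-Object { $_.DistinguishedName.Length } -Descending)) {
        Write-Host "Deleting $($h.DistinguishedName)"
        ([ADSI]"LDAP://$($h.DistinguishedName)").DeleteTree()
    }
    # Same follow-up the accepted solution used: drop DC certificates that no longer
    # verify, then refresh policy. DCs still need a reboot afterwards.
    certutil -dcinfo deleteBad
    gpupdate /force
}
```

Run it once without `-Remove` and check that every row really belongs to the decommissioned CA before running it again with `-Remove`. Two caveats the thread does not spell out: deleting these objects does not revoke anything, so certificates the old CA issued stay valid until they expire (which is why `certutil -dcinfo deleteBad` is needed to clear the DCs' own certificates from it), and the old CA certificate may also still be listed in the NTAuthCertificates object under the same Public Key Services container, which this script does not touch.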

Author Closing Comment

by:abpExpert
ID: 37859741
The solution provided resolved the situation. Specifically, there was not a CA available to use to revoke the certificates. Carving the instances out of AD worked. Event IDs 6/13 are no longer showing up.
