?
Solved

Computer certificates enrolling multiple times

Posted on 2013-06-12
4
Medium Priority
?
836 Views
Last Modified: 2013-07-03
I am having an issue with a 2008 R2 Standard Enterprise CA where computer accounts are being issued multiple certificates. Auto-enrollment is configured via group policy. The template in use is "Copy of Workstation Authentication". "Publish certificate in Active Directory" and "Do not automatically reenroll if a duplicate certificate exists in Active Directory" are both enabled on the template. It is not a widespread issue but there are usually a few a day, but not for the same computer day after day.

It may not be at all related but the event application log for this CA server frequently has the following logged:

Event 77: Classic, CertificationAuthority

The "Windows default" Policy Module logged the following warning: The Active Directory connection to CASERVER.DOMAIN.COM has been reestablished to CASERVER.DOMAIN.COM.

Your assistance is greatly appreciated.
0
Comment
Question by:cberrymd
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 39270894
i have the same issue but i don't have that warning in my event logs
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 39270970
my problem was that i had the Session Host Server authentication setting enabled and this causes the problem i.e. when a background refresh happens it generates a new certificate
0
 

Accepted Solution

by:
cberrymd earned 0 total points
ID: 39284614
Issue resolved by removing "Publish in DS" for workstation/computer/server templates and increasing server resources to improve performance. AD CS probably issued multiple certs due to poor connectivity with revocation information.
0
 

Author Closing Comment

by:cberrymd
ID: 39295998
No answers provided. EE community did not assist.
0

Featured Post

Ransomware Attacks Keeping You Up at Night?

Will your organization be ransomware's next victim?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with our Ransomware Prevention Kit!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question