Solved

Domain Controller Certificate Authority Recovery

Posted on 2014-04-11
Last Modified: 2014-06-11
I recently took over with a company and am working through various issues left by the previous sysadmin. The domain functional level is Windows Server 2008 R2. On the domain controllers I am getting this error in the event log every 6 hours or so.


Application Log Event ID 13
Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from PM-vDC-01.domainname.com\domainname-PM-VDC-01-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).


I would like to clear this alert. How can I go about removing references to the machine pm-vdc-01, which no longer exists (it was decommissioned before I started, so I have no history of the device)? Would it be necessary to create a new CA for the domain, and will there be any repercussions from removing the CA reference? Lastly, would it be necessary to create a CA for the domain?
Question by:PM_IT
3 Comments
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39994981
The event will not harm anything.

You can navigate to AD Sites and Services and from the View menu select "service node", which will enable you to view the configured CA.
Then you can view Public Key Services for any configured CA servers under the Services folder.

Ensure that the above CA is already removed from the server.

It's not mandatory to have a CA server; it's optional and you can deploy one if you want to.

Just check all GPOs for any certificate autoenrollment policy that is set; if you find one, just remove that setting from the policy.

Also on the domain controller, check the local computer personal certificate store and delete any domain controller certificate you find pointing to the old certificate authority.

Check the article below to remove CA services completely from AD:
Remove all Certification Services objects from Active Directory

If you install a new AD-integrated enterprise CA server, it will again install a domain controller certificate on the DC.

Mahesh
0
 
LVL 1

Author Comment

by:PM_IT
ID: 40064894
Mahesh thanks for the link. I've been busy and just getting back to this. Based on the article provided it seems I could skip to step 6. How would I handle certificate revocation since the CA is no longer available and would I need to remove any certificates from current machines that were issued by the original CA?
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40065369
Yes, you are right, you could directly jump to step 6.
Since the CA is already decommissioned / removed from the network, you can remove all old certificates issued by that CA on client computers and servers if you want to.
It will not create any problems if they remain in the local certificate personal store on client computers; however, if you try to assign / use those certificates for any services, then it will give you an error, because those certificates won't get CA revocation.

You could deploy a new AD-integrated CA and enroll new certificates to all if required.
0
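The checks from the accepted answer (the Public Key Services container that "Show Services Node" exposes in AD Sites and Services, GPOs carrying an autoenrollment setting, and the domain controller's local computer Personal store) and the follow-up point that certificates from the dead CA can no longer be revocation-checked can all be audited from one PowerShell session. The script below is an added example, not code from the thread or from Microsoft. It assumes RSAT with the ActiveDirectory and GroupPolicy modules on a domain-joined machine run with domain admin rights; the CA name and host name are the ones quoted in the Event ID 13 text, and every removal is left in -WhatIf so the script is read-only as written.

```powershell
<#
  Added example, not from the original thread. Audits leftovers of a decommissioned
  enterprise CA in AD, in Group Policy and in the DC's LocalMachine\My store, and
  shows the revocation failure a service using one of its certificates would hit.
  Assumes the ActiveDirectory and GroupPolicy RSAT modules; names are taken from the
  Event ID 13 text in the question. Removal cmdlets stay in -WhatIf on purpose.
#>
Import-Module ActiveDirectory
Import-Module GroupPolicy

$OldCaName = 'domainname-PM-VDC-01-CA'   # CA common name from the event log entry
$OldCaHost = 'PM-vDC-01'                 # decommissioned CA server from the same entry
$pattern   = '(?i)' + [regex]::Escape($OldCaName) + '|' + [regex]::Escape($OldCaHost)

# --- 1. Public Key Services in the Configuration partition (Enrollment Services, AIA, CDP, ...)
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
Write-Host "== AD objects under $pkiBase referencing the old CA =="
$stale = Get-ADObject -SearchBase $pkiBase -SearchScope Subtree -Filter * |
    Where-Object { $_.DistinguishedName -match $pattern }
$stale | Select-Object ObjectClass, DistinguishedName | Format-Table -AutoSize
# The cleanup the linked article describes, kept in -WhatIf here:
$stale | Remove-ADObject -Recursive -Confirm:$false -WhatIf

# NTAuthCertificates is one object; its cACertificate attribute lists the CAs trusted for enterprise logon.
$ntAuth = Get-ADObject -Identity "CN=NTAuthCertificates,$pkiBase" -Properties cACertificate
Write-Host "== CA certificates in NTAuthCertificates =="
foreach ($raw in $ntAuth.cACertificate) {
    $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    '{0}  thumbprint={1}  expires={2:yyyy-MM-dd}' -f $c.Subject, $c.Thumbprint, $c.NotAfter
}

# --- 2. GPOs that configure "Certificate Services Client - Auto-Enrollment" (computer and user sides).
# AEPolicy is the DWORD behind that setting; bit 0x8000 set means autoenrollment is disabled.
Write-Host "== GPOs with an autoenrollment policy =="
$keys = 'HKLM\Software\Policies\Microsoft\Cryptography\AutoEnrollment',
        'HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
foreach ($gpo in Get-GPO -All) {
    foreach ($key in $keys) {
        try {
            $v = Get-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName AEPolicy -ErrorAction Stop
            $state = if ($v.Value -band 0x8000) { 'Disabled' } else { 'Enabled (0x{0:X})' -f $v.Value }
            '{0,-40} {1,-4} {2}' -f $gpo.DisplayName, $key.Substring(0, 4), $state
        } catch { }   # value not configured in this GPO
    }
}

# --- 3. LocalMachine\My: certificates issued by the old CA (the DomainController cert among them)
Write-Host "== LocalMachine\My certificates issued by $OldCaName =="
$orphans = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -match [regex]::Escape($OldCaName) }
foreach ($cert in $orphans) {
    # Online revocation checking is what a service presenting the cert would do; with the CA gone it cannot succeed.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $null   = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object Status) -join ','
    if (-not $status) { $status = 'OK' }
    '{0}  thumbprint={1}  expires={2:yyyy-MM-dd}  chain={3}' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $status
}
# Removing them is optional per the thread; stays -WhatIf here.
$orphans | Remove-Item -WhatIf
```

Run it first as written on one DC and read the three sections: step 1 lists the objects the article's cleanup would delete, step 2 tells you which GPO still asks every machine to enroll (the source of the recurring Event ID 13), and step 3 shows the chain status (typically RevocationStatusUnknown or OfflineRevocation) that explains why services bound to those certificates fail. Only after that should the -WhatIf switches be removed, and step 1 should be done on a single DC and allowed to replicate.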
