Certificate authority issues

Hi all,

6 sites 2003 domain (mixture of 2003, 2008 and 2012 domain.

I have recently started to upgrade our domain controllers to 2012 with the aim to bring it up to 2012 from the 2003 domain it is at the moment. I have started decommissioning the 2003 domain controllers and introducing 2012 Dc's. I have noticed that one of the 2003 DC's has the certificate authority role. But im not entirely sure what this is doing. my newly built 2012 dc's are all showing event error 6,13, and 82.

Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

Certificate enrollment for Local system failed in authentication to all urls for enrollment server associated with policy id: {1D914179-C7A9-4935-AF96-F54648996835} (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)). Failed to enroll for template: DomainController[

I have also had a few authentication issues recently where users have complained of account authentication issues.

Im not really familiar with the certificate authority role and how it works on the domain. Ive opened the snapin and I can see a lot of certificates in the pending folder (26 thousand) and only around 12 in the issued certificates.

It doesn't look to me like this is doing anything? although I am getting errors on my domain controllers.

Is this role required for the domain to function?

I want to decommsion this server as a DC so can this role be moved?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Abdul Khadja AlaoudineCommented:
It looks to me auto-enrollment is enabled in Group Policy and Certificate Authority is not responding to auto-entrollment. See link (http://morgansimonsen.wordpress.com/2013/06/25/active-directory-domain-controllers-and-certificate-auto-enrollment) for information about Group Policy settings (mentioned at very begining of the article).

Check your Group Policies and identify the auto-entrollement settings first.

If you do not want your users / machines to auto enroll then remove auto entrollment settings in Group Policy. Think about why this was enabled in first place? Is there an application that might require user / machine certificates?

Then the question is do you want those issued certificates? If so, AD CS role must be installed on 2012 DC and settings migrated to it (if required, I can help you with that).
MattAuthor Commented:
There is no settings in GP apart from the one pictured. I think historically the domain had GPO settings configured for CA but they are no longer in place as far as I can see.

If this is the case why is there still messages appearing? It doesn't look as though it has been working for a long time so I cant see that its needed for any application at all.
Abdul Khadja AlaoudineCommented:
You said there are some issued certificates. Are they still valid? Do you need them? If not, you can safely ignore the auto-entrollment issue and demote the old DC.
MattAuthor Commented:
Well the ones that are in there expired in 2012, so I assume they are redundant.
Abdul Khadja AlaoudineCommented:
As they are expired you can ignore them. Provided all other roles / services migrated to new DC the old DC can be demoted. Let me know if you need further information.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.