Certificate authority issues

Posted on 2014-09-23
Last Modified: 2014-10-09
Hi all,

6 sites, 2003 domain (mixture of 2003, 2008 and 2012 domain).

I have recently started to upgrade our domain controllers to 2012 with the aim to bring it up to 2012 from the 2003 domain it is at the moment. I have started decommissioning the 2003 domain controllers and introducing 2012 DCs. I have noticed that one of the 2003 DCs has the certificate authority role, but I'm not entirely sure what this is doing. My newly built 2012 DCs are all showing event errors 6, 13, and 82.

Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

Certificate enrollment for Local system failed in authentication to all urls for enrollment server associated with policy id: {1D914179-C7A9-4935-AF96-F54648996835} (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)). Failed to enroll for template: DomainController[

I have also had a few authentication issues recently where users have complained of account authentication issues.

I'm not really familiar with the certificate authority role and how it works on the domain. I've opened the snap-in and I can see a lot of certificates in the pending folder (26 thousand) and only around 12 in the issued certificates.

It doesn't look to me like this is doing anything, although I am getting errors on my domain controllers.

Is this role required for the domain to function?

I want to decommission this server as a DC, so can this role be moved?
Question by:Matt

    Expert Comment

    by:Abdul Khadja Alaoudine
    It looks to me like auto-enrollment is enabled in Group Policy and the Certificate Authority is not responding to auto-enrollment. See link ( for information about Group Policy settings (mentioned at the very beginning of the article).

    Check your Group Policies and identify the auto-enrollment settings first.

    If you do not want your users / machines to auto-enroll, then remove the auto-enrollment settings in Group Policy. Think about why this was enabled in the first place. Is there an application that might require user / machine certificates?

    Then the question is do you want those issued certificates? If so, AD CS role must be installed on 2012 DC and settings migrated to it (if required, I can help you with that).

    Author Comment

    There are no settings in GP apart from the one pictured. I think historically the domain had GPO settings configured for CA but they are no longer in place as far as I can see.

    If this is the case, why are there still messages appearing? It doesn't look as though it has been working for a long time, so I can't see that it's needed for any application at all.

    Expert Comment

    by:Abdul Khadja Alaoudine
    You said there are some issued certificates. Are they still valid? Do you need them? If not, you can safely ignore the auto-enrollment issue and demote the old DC.

    Author Comment

    Well the ones that are in there expired in 2012, so I assume they are redundant.

    Accepted Solution

    As they are expired, you can ignore them. Provided all other roles / services are migrated to the new DC, the old DC can be demoted. Let me know if you need further information.
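
The enrollment errors quoted in the question name the `DomainController` template and an RPC failure. The PowerShell below is an added example, not part of the thread: it lists the enterprise CAs published in Active Directory, reports whether each one offers that template and answers a `certutil` ping, and then lists unexpired certificates in the local machine store. It assumes the ActiveDirectory RSAT module and `certutil.exe` are available on the host where it runs.

```powershell
# Added example (not from the thread). Run on a DC or management host
# with the ActiveDirectory module installed.
Import-Module ActiveDirectory

# Enterprise CAs register themselves as pKIEnrollmentService objects
# under the Configuration partition; clients find CAs by reading them.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$searchBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

$cas = Get-ADObject -SearchBase $searchBase `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties cn, dNSHostName, certificateTemplates

$report = foreach ($ca in $cas) {
    # certutil expects the CA config string as "host\CA name"
    $config = "$($ca.dNSHostName)\$($ca.cn)"

    # -ping contacts the CA's request interface; a non-zero exit code
    # means the CA did not answer (e.g. RPC server unavailable)
    $null = & certutil.exe -config $config -ping 2>&1
    $reachable = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        CAConfig                 = $config
        OffersDomainControllerTpl = $ca.certificateTemplates -contains 'DomainController'
        Reachable                = $reachable
    }
}
$report | Format-Table -AutoSize

# Certificates on this machine that have not expired yet. Anything here
# issued by the old CA is still in use and needs a plan before the CA goes.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Select-Object Subject, Issuer, NotAfter |
    Format-Table -AutoSize
```

A CA that is listed with the template but shows `Reachable = False` matches the 0x800706ba error in the question.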
