We help IT Professionals succeed at work.

Certificate authority issues

Last Modified: 2014-10-09
Hi all,

6 sites 2003 domain (mixture of 2003, 2008 and 2012 domain.

I have recently started to upgrade our domain controllers to 2012 with the aim to bring it up to 2012 from the 2003 domain it is at the moment. I have started decommissioning the 2003 domain controllers and introducing 2012 Dc's. I have noticed that one of the 2003 DC's has the certificate authority role. But im not entirely sure what this is doing. my newly built 2012 dc's are all showing event error 6,13, and 82.

Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

Certificate enrollment for Local system failed in authentication to all urls for enrollment server associated with policy id: {1D914179-C7A9-4935-AF96-F54648996835} (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)). Failed to enroll for template: DomainController[

I have also had a few authentication issues recently where users have complained of account authentication issues.

Im not really familiar with the certificate authority role and how it works on the domain. Ive opened the snapin and I can see a lot of certificates in the pending folder (26 thousand) and only around 12 in the issued certificates.

It doesn't look to me like this is doing anything? although I am getting errors on my domain controllers.

Is this role required for the domain to function?

I want to decommsion this server as a DC so can this role be moved?
Watch Question

Abdul Khadja AlaoudineTechnical Consultant

It looks to me auto-enrollment is enabled in Group Policy and Certificate Authority is not responding to auto-entrollment. See link (http://morgansimonsen.wordpress.com/2013/06/25/active-directory-domain-controllers-and-certificate-auto-enrollment) for information about Group Policy settings (mentioned at very begining of the article).

Check your Group Policies and identify the auto-entrollement settings first.

If you do not want your users / machines to auto enroll then remove auto entrollment settings in Group Policy. Think about why this was enabled in first place? Is there an application that might require user / machine certificates?

Then the question is do you want those issued certificates? If so, AD CS role must be installed on 2012 DC and settings migrated to it (if required, I can help you with that).


There is no settings in GP apart from the one pictured. I think historically the domain had GPO settings configured for CA but they are no longer in place as far as I can see.

If this is the case why is there still messages appearing? It doesn't look as though it has been working for a long time so I cant see that its needed for any application at all.
Abdul Khadja AlaoudineTechnical Consultant

You said there are some issued certificates. Are they still valid? Do you need them? If not, you can safely ignore the auto-entrollment issue and demote the old DC.


Well the ones that are in there expired in 2012, so I assume they are redundant.
Technical Consultant
This one is on us!
(Get your first solution completely free - no credit card required)
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.