Certificate authority issues

Matt
Matt used Ask the Experts™
on
Hi all,

6 sites 2003 domain (mixture of 2003, 2008 and 2012 domain.

I have recently started to upgrade our domain controllers to 2012 with the aim to bring it up to 2012 from the 2003 domain it is at the moment. I have started decommissioning the 2003 domain controllers and introducing 2012 Dc's. I have noticed that one of the 2003 DC's has the certificate authority role. But im not entirely sure what this is doing. my newly built 2012 dc's are all showing event error 6,13, and 82.

Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

Certificate enrollment for Local system failed in authentication to all urls for enrollment server associated with policy id: {1D914179-C7A9-4935-AF96-F54648996835} (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)). Failed to enroll for template: DomainController[

I have also had a few authentication issues recently where users have complained of account authentication issues.

Im not really familiar with the certificate authority role and how it works on the domain. Ive opened the snapin and I can see a lot of certificates in the pending folder (26 thousand) and only around 12 in the issued certificates.

It doesn't look to me like this is doing anything? although I am getting errors on my domain controllers.

Is this role required for the domain to function?

I want to decommsion this server as a DC so can this role be moved?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Abdul Khadja AlaoudineTechnical Consultant

Commented:
It looks to me auto-enrollment is enabled in Group Policy and Certificate Authority is not responding to auto-entrollment. See link (http://morgansimonsen.wordpress.com/2013/06/25/active-directory-domain-controllers-and-certificate-auto-enrollment) for information about Group Policy settings (mentioned at very begining of the article).

Check your Group Policies and identify the auto-entrollement settings first.

If you do not want your users / machines to auto enroll then remove auto entrollment settings in Group Policy. Think about why this was enabled in first place? Is there an application that might require user / machine certificates?

Then the question is do you want those issued certificates? If so, AD CS role must be installed on 2012 DC and settings migrated to it (if required, I can help you with that).

Author

Commented:
There is no settings in GP apart from the one pictured. I think historically the domain had GPO settings configured for CA but they are no longer in place as far as I can see.

If this is the case why is there still messages appearing? It doesn't look as though it has been working for a long time so I cant see that its needed for any application at all.
Abdul Khadja AlaoudineTechnical Consultant

Commented:
You said there are some issued certificates. Are they still valid? Do you need them? If not, you can safely ignore the auto-entrollment issue and demote the old DC.

Author

Commented:
Well the ones that are in there expired in 2012, so I assume they are redundant.
Technical Consultant
Commented:
As they are expired you can ignore them. Provided all other roles / services migrated to new DC the old DC can be demoted. Let me know if you need further information.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start Today