[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 981
  • Last Modified:

Certificate authority issues

Hi all,

6 sites 2003 domain (mixture of 2003, 2008 and 2012 domain.

I have recently started to upgrade our domain controllers to 2012 with the aim to bring it up to 2012 from the 2003 domain it is at the moment. I have started decommissioning the 2003 domain controllers and introducing 2012 Dc's. I have noticed that one of the 2003 DC's has the certificate authority role. But im not entirely sure what this is doing. my newly built 2012 dc's are all showing event error 6,13, and 82.

Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

Certificate enrollment for Local system failed in authentication to all urls for enrollment server associated with policy id: {1D914179-C7A9-4935-AF96-F54648996835} (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)). Failed to enroll for template: DomainController[

I have also had a few authentication issues recently where users have complained of account authentication issues.

Im not really familiar with the certificate authority role and how it works on the domain. Ive opened the snapin and I can see a lot of certificates in the pending folder (26 thousand) and only around 12 in the issued certificates.

It doesn't look to me like this is doing anything? although I am getting errors on my domain controllers.

Is this role required for the domain to function?

I want to decommsion this server as a DC so can this role be moved?
0
Matt
Asked:
Matt
  • 3
  • 2
1 Solution
 
Abdul Khadja AlaoudineCommented:
It looks to me auto-enrollment is enabled in Group Policy and Certificate Authority is not responding to auto-entrollment. See link (http://morgansimonsen.wordpress.com/2013/06/25/active-directory-domain-controllers-and-certificate-auto-enrollment) for information about Group Policy settings (mentioned at very begining of the article).

Check your Group Policies and identify the auto-entrollement settings first.

If you do not want your users / machines to auto enroll then remove auto entrollment settings in Group Policy. Think about why this was enabled in first place? Is there an application that might require user / machine certificates?

Then the question is do you want those issued certificates? If so, AD CS role must be installed on 2012 DC and settings migrated to it (if required, I can help you with that).
0
 
MattAuthor Commented:
There is no settings in GP apart from the one pictured. I think historically the domain had GPO settings configured for CA but they are no longer in place as far as I can see.

If this is the case why is there still messages appearing? It doesn't look as though it has been working for a long time so I cant see that its needed for any application at all.
0
 
Abdul Khadja AlaoudineCommented:
You said there are some issued certificates. Are they still valid? Do you need them? If not, you can safely ignore the auto-entrollment issue and demote the old DC.
0
 
MattAuthor Commented:
Well the ones that are in there expired in 2012, so I assume they are redundant.
0
 
Abdul Khadja AlaoudineCommented:
As they are expired you can ignore them. Provided all other roles / services migrated to new DC the old DC can be demoted. Let me know if you need further information.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now