asked on Automatic certificate enrollment for local system failed (0x800b0101)
Hello
One of clients has a very simple domain, with 2 x W2008 R2 Domain Controllers and an Exchange Server 2010 server.
For some reason the Exchange server is the Certification Authority and 2 of the certificates expired in December 2015.
The Domain Controller now gets;
- Event ID: 64 - Certificate for local system with Thumbprint xxxxxxxxxx is about to expire or already expired
- Event ID: 6 - Automatic certificate enrollment for local system failed (0x800b0101) A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
- Event ID: 13 - Certificate enrollment for Local system failed to enroll for a DomainControllerAuthentica
and the same Event ID: 13 for a "DirectoryEmailReplication
It seems relatively simple, that the certs have expired and, as we can't renew, we have to create new ones, but I'm unsure how to go about this.
Any pointers would be appreciated.
Thanks in advance.
One of clients has a very simple domain, with 2 x W2008 R2 Domain Controllers and an Exchange Server 2010 server.
For some reason the Exchange server is the Certification Authority and 2 of the certificates expired in December 2015.
The Domain Controller now gets;
- Event ID: 64 - Certificate for local system with Thumbprint xxxxxxxxxx is about to expire or already expired
- Event ID: 6 - Automatic certificate enrollment for local system failed (0x800b0101) A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
- Event ID: 13 - Certificate enrollment for Local system failed to enroll for a DomainControllerAuthentica
and the same Event ID: 13 for a "DirectoryEmailReplication
It seems relatively simple, that the certs have expired and, as we can't renew, we have to create new ones, but I'm unsure how to go about this.
Any pointers would be appreciated.
Thanks in advance.
Windows Server 2008Active DirectorySecuritySSL / HTTPS
Last Comment
tfinding
ASKER
Hi Hypercat
Many thanks for your comment. They are not Exchange but Domain certificates;
- Domain Controller Authentication
- Directory Email Replication
The reasoning for the mention of Exchange is because the CA is installed on the Exchange Server (not sure why).
The errors are on the Domain Controller.
Many thanks for your comment. They are not Exchange but Domain certificates;
- Domain Controller Authentication
- Directory Email Replication
The reasoning for the mention of Exchange is because the CA is installed on the Exchange Server (not sure why).
The errors are on the Domain Controller.
Have you rebooted the server recently? If not, try that first, since it may renew automatically when you restart.
Otherwise, you should be able to renew it using the Certificates snapin. I think you can do this from either server. Here's a basic article from TechNet with links for additional info:
https://technet.microsoft.com/en-us/library/cc730605.aspx
Otherwise, you should be able to renew it using the Certificates snapin. I think you can do this from either server. Here's a basic article from TechNet with links for additional info:
https://technet.microsoft.com/en-us/library/cc730605.aspx
ASKER
Hi - I think the problem lies with the fact that the 2 certificates have expired and they weren't renewed in time.
The certificates reside on the Domain Controller & not the CA. If I try to renew it on the DC, I get;
- "The permissions on this certification authority do not allow the current user to enroll for certificates. A valid CA configured to issue certificates based on this template cannot be located or the CA does not support this operation, or the CA is not trusted"
If I try to request a new certificate (under Personal > Certificates) on the CA, I also get;
- "You cannot request a certificate at this time because no certificate types are available. If you need a certificate please contact your administrator."
I'm logged in as the Domain Admin in all cases. I gave Full Control for the Domain Admins on one of the Certificate Templates, but it's still not listed when I run this request.
I feel I need to find a comprehensive step by step document to start from the start.
The certificates reside on the Domain Controller & not the CA. If I try to renew it on the DC, I get;
- "The permissions on this certification authority do not allow the current user to enroll for certificates. A valid CA configured to issue certificates based on this template cannot be located or the CA does not support this operation, or the CA is not trusted"
If I try to request a new certificate (under Personal > Certificates) on the CA, I also get;
- "You cannot request a certificate at this time because no certificate types are available. If you need a certificate please contact your administrator."
I'm logged in as the Domain Admin in all cases. I gave Full Control for the Domain Admins on one of the Certificate Templates, but it's still not listed when I run this request.
I feel I need to find a comprehensive step by step document to start from the start.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
These errors were resolved doing another task related to the Certification Authority (link supplied).
http://exchangepedia.com/2008/01/exchange-server-2007-renewing-the-self-signed-certificate.html