Autoenrollment Error Event Id 1
eventid 1 after DC install

Yesterday, I added a W2k8R2 DC to the parent domain of a W2k3sp2 native forest, replacing a W2k3sp2 DC that held the schema admin, PDCEmul & InfMaster roles. There are 3 child domains. There were no issues with adding the server, no errors at all. A few hours after I completed the install, I began to get the following event on member servers:

Computer: [ServerA]
Monitor: [Event Log Monitor]
Description:
* Event Time: 12 Jan 2010 01:07:02 AM
* Source: AutoEnrollment
* Event Log: Application
* Type: Error Event
* Event ID: 1
* Automatic certificate enrollment for local system failed to download certificates for ROOT store from ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=DomainA,DC=local?cACertificate?one?objectCategory=certificationAuthority (0x8007006e). The system cannot open the device or file specified.

Most servers only report the event once or twice. What is causing this? I can find almost no info on the event. I do have a certificate server in the domain, but it is a member server and was not touched yesterday. This question may belong in the W2k3 forum, but since the problem only started after I added a W2k8 server, I thought I would start here. Thanks for any suggestions!

Tuesday, January 12, 2010 1:26 PM

Answers

Hi Meetoo2,

According to the error message, it seems that your member server cannot download the certificates for the ROOT store. Please verify whether you can use the ldp.exe tool on the problematic member server to query the following information on the new Windows 2008 R2 DC.

ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=DomainA,DC=local

You can get the ldp.exe tool from Windows 2003 support tools:
http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en

Regards,
Wilson Jia

This posting is provided "AS IS" with no warranties, and confers no rights.

Marked as answer by Wilson Jia Tuesday, January 19, 2010 4:58 AM
Thursday, January 14, 2010 3:49 AM

Hi, I agree with Wilson. You have to check the domain based group pol
Certificate Error on Server 2008 R2 Event ID 6 and 13

I have two DCs: one is a Windows Server 2003 (certificate server), the other is Windows Server 2008 R2. The Windows Server 2008 R2 has the following events in the event viewer.

Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Event ID: 6
Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

And

Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 13
Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from 2003DCinternal.domain.com\DOMAIN-Root-CA.domain.com (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

I've read a few things over the internet:

Certificate enrollment for Local system failed to enroll Event ID:13

Seems to indicate that I should check if I already have a certificate installed. I open the Certificates MMC Snap-in on the 2008 R2 server having the errors and go to Personal > Certificates. From there I see a certificate for localhost issued by localhost (could that indicate a part of my problem?).

I've also seen other stuff indicating that 2003 servers can not generate the correct certificates for 2003 or Windows 7 computers. Other than that, Google doesn't really have anything that solidly explains what the issue is. Could someone help me understand how to troubleshoot this?

asked Mar 15 '13 at 16:16 by Nixphoe

Is there a firewall between the two machines? – Ryan Ries Mar 15 '13 at 16:32

@RyanRies There is not – Nixphoe Mar 15 '13 at 16:39

1 Answer

You might find the following link useful as a troub
2003-based or Windows XP-based computer, you cannot obtain certificates from a Windows Server 2008-based certification authority (CA). This issue can occur if the CA is configured to use SHA2 256 encryption or higher encryption (SHA2 384 or SHA2 512) and the enrolling clients are legacy clients. See KB 968730 (Hotfix).

Event id 80; Source Microsoft-Windows-CertificationAuthority on a Windows 2008 certificate server

Active Directory Certificate Services could not publish a Certificate for request ##### to the following location on server DC.DOMAIN.COM: CN=user,OU=OU, DC=domain,DC=com. Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344). ldap: 0x32: 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS)

Check that the Cert Publishers group has permission to read and write to the userCertificate attribute on the user object in AD that is specified in the event.

Enhanced Event Logging

By default, autoenrollment logs errors/failures and successful enrollments in the Application event log on the client machine. To enable enhanced logging of the autoenrollment process to include warning and informational messages, the following registry value must be created.

- SOFTWARE\Microsoft\Cryptography\AutoEnrollment
  AEEventLogLevel (Create a new DWORD value named "AEEventLogLevel", set value to 0.)

NOTE: This value can be created under either HKLM or HKCU, depending on which context you need to troubleshoot. In this case I'd like us to set it on both.

If you enable logging and don't see any events, check to see if Autoenrollment has been disabled:

SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment\AEPolicy

If it's set to 0x00008000 hex (32768 dec) then it's disabled (0x00008000 == AUTO_ENROLLMENT_DISABLE_ALL). Again, this should be checked under HKLM or HKCU depending on whether computer or user Autoenrollment is of interest.

Permissions

On the CA server:

- Verify membership of the CERTSVC_DCOM_ACCESS group.
If you have more issuing CAs on member servers, this will need to be checked on all of them for the local groups. Verify that the following groups are members: Domain Users and Domain Computers. If there are users or computers in other domains in the forest that also need to enroll against the CA, then those users and computers will also need to be added to the CERTSVC_DCOM_ACCESS group. If a CA has been installed on a DC in the domain then this group may be a Domain Local group instead.
- Verify that CERTSVC_DCOM_ACCESS has been added to the DCOM Security Limits on the CA.
a. Click on Start, then Programs, then Administrative Tools, the Component Services
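
The registry checks from the Enhanced Event Logging section above, written out as an added PowerShell example (not code from the original article): it reads AEEventLogLevel and AEPolicy under both HKLM and HKCU, reports whether autoenrollment is disabled, and can create the logging value. The function names Get-AutoEnrollmentState and Enable-AutoEnrollmentLogging and the output property names are assumptions made for illustration.

```powershell
# Added example. Function and property names are hypothetical; the registry
# paths, value names and the 0x00008000 constant are the ones the article gives.
$LogSubKey    = 'SOFTWARE\Microsoft\Cryptography\AutoEnrollment'
$PolicySubKey = 'SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$AUTO_ENROLLMENT_DISABLE_ALL = 0x00008000

function Get-AutoEnrollmentState {
    # HKLM covers computer autoenrollment, HKCU the user running this script.
    foreach ($hive in 'HKLM', 'HKCU') {
        # Missing keys or values are normal here, so errors are suppressed
        # and a $null result is reported as "(not set)".
        $level  = (Get-ItemProperty -Path "${hive}:\$LogSubKey" -Name AEEventLogLevel `
                    -ErrorAction SilentlyContinue).AEEventLogLevel
        $policy = (Get-ItemProperty -Path "${hive}:\$PolicySubKey" -Name AEPolicy `
                    -ErrorAction SilentlyContinue).AEPolicy

        [pscustomobject]@{
            Hive            = $hive
            AEEventLogLevel = if ($null -eq $level)  { '(not set)' } else { $level }
            EnhancedLogging = ($level -eq 0)      # article: value 0 enables it
            AEPolicy        = if ($null -eq $policy) { '(not set)' } else { '0x{0:X8}' -f $policy }
            # Exact match on the value the article names as "disabled".
            Disabled        = ($policy -eq $AUTO_ENROLLMENT_DISABLE_ALL)
        }
    }
}

function Enable-AutoEnrollmentLogging {
    param([ValidateSet('HKLM', 'HKCU')][string[]]$Hive = @('HKLM', 'HKCU'))
    foreach ($h in $Hive) {
        $key = "${h}:\$LogSubKey"
        # Create the key only when absent: New-Item -Force on an existing
        # registry key would replace it and drop its current values.
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name AEEventLogLevel -PropertyType DWord `
            -Value 0 -Force | Out-Null
    }
}

# Read-only report; writing under HKLM needs an elevated session.
Get-AutoEnrollmentState | Format-Table -AutoSize
# Enable-AutoEnrollmentLogging            # both hives, as the article suggests
```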