eventid 1 after DC install

    Question

  • Yesterday, I added a W2k8R2 DC to the parent domain of a W2k3sp2 native forest, replacing a W2k3sp2 DC that held the schema admin, PDCEmul & InfMaster roles.  There are 3 child domains.  There were no issues with adding the server, no errors at all.

    A few hours after I completed the install, I began to get the following event on member servers:

    Computer: [ServerA]
    Monitor: [Event Log Monitor]
    Description:
    * Event Time: 12 Jan 2010 01:07:02 AM
    * Source: AutoEnrollment
    * Event Log: Application
    * Type: Error Event
    * Event ID: 1
    * Automatic certificate enrollment for local system failed to download certificates for ROOT store from ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=DomainA,DC=local?cACertificate?one?objectCategory=certificationAuthority (0x8007006e). The system cannot open the device or file specified.

    Most servers only report the event once or twice.  What is causing this?  I can find almost no info on the event.

    I do have a certificate server in the domain, but it is a member server and was not touched yesterday.

    This question may belong in the W2k3 forum, but since the problem only started after I added a W2k8 server, I thought I would start here.

    Thanks for any suggestions!

    Tuesday, January 12, 2010 1:26 PM

Answers

  • Hi Meetoo2,

    According to the error message, it seems that your member server cannot download the certificates for the ROOT store.

    Please verify whether you can use the ldp.exe tool on the problematic member server to query the following path on the new Windows 2008 R2 DC:

    ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=DomainA,DC=local

    You can get the ldp.exe tool from Windows 2003 support tools:

    http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en

    Regards,
    Wilson Jia
    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Wilson Jia Tuesday, January 19, 2010 4:58 AM
    Thursday, January 14, 2010 3:49 AM
  • Hi ,

    I agree with Wilson. You have to check the domain-based group policy (both machine and user based).

    So I would like to confirm the certificate enrollment process. AFAIK, the server should query AD to download the appropriate certificates and then place them in the local store. You have to check whether the server has downloaded the certificates from the forest.

    If you have the relevant certificates in the store, then I would like to check the permissions (a relevant ACE should be assigned to the certificate). So it is a simple process: the servers or clients query the CA in your domain, and if multiple CAs are present, the clients query every CA until the certificate is downloaded.

    To manually force a new download, delete the following registry key and all subordinate keys on all affected machines. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache

    • Marked as answer by Wilson Jia Tuesday, January 19, 2010 4:58 AM
    Thursday, January 14, 2010 4:20 AM
    Moderator
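    The check Wilson suggests doing with ldp.exe and the local-store check and cache reset the second answer describes, combined into one script as an added example; it is not part of the thread and not Microsoft's code. It assumes PowerShell 2.0 with .NET on the affected member server, run elevated, and uses the Configuration DN from the event text (DC=DomainA,DC=local). The -Server parameter, the -ResetCache switch and the parameter names are mine, and the certutil -pulse step applies to Vista/2008 and later only.

    ```powershell
    # Added example, not from the thread. Assumptions: run elevated on the affected
    # member server; PowerShell 2.0 with .NET System.DirectoryServices; the
    # Configuration NC is DC=DomainA,DC=local as in the event text.
    param(
        [string]$ConfigDn = "CN=Configuration,DC=DomainA,DC=local", # from the event's LDAP URL
        [string]$Server   = "",     # optional: point the query at the new 2008 R2 DC by name
        [switch]$ResetCache         # delete AEDirectoryCache and re-trigger autoenrollment
    )

    # 1. The same query ldp.exe would run: one-level search under
    #    CN=Certification Authorities,CN=Public Key Services,CN=Services,<ConfigDN>
    #    for objectCategory=certificationAuthority, returning cACertificate.
    $baseDn   = "CN=Certification Authorities,CN=Public Key Services,CN=Services,$ConfigDn"
    $ldapPath = if ($Server) { "LDAP://$Server/$baseDn" } else { "LDAP://$baseDn" }

    $root     = New-Object System.DirectoryServices.DirectoryEntry($ldapPath)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = "(objectCategory=certificationAuthority)"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    [void]$searcher.PropertiesToLoad.Add("cn")
    [void]$searcher.PropertiesToLoad.Add("cACertificate")

    $adCerts = @()
    try {
        foreach ($result in $searcher.FindAll()) {
            # cACertificate is multi-valued; each value is a DER-encoded certificate
            foreach ($raw in $result.Properties["cacertificate"]) {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                            -ArgumentList (,[byte[]]$raw)
                $adCerts += $cert
                "AD   {0,-30} {1}  expires {2}" -f $result.Properties["cn"][0], $cert.Thumbprint, $cert.NotAfter
            }
        }
    } catch {
        # A failure here is on the directory side (DC reachability, referral, ACL),
        # not in the local certificate store.
        Write-Error ("LDAP query to {0} failed: {1}" -f $ldapPath, $_.Exception.Message)
        return
    }
    if ($adCerts.Count -eq 0) { Write-Warning "No cACertificate values found under $baseDn" }

    # 2. The moderator's check: are those certificates already in LocalMachine\Root?
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    $localThumbs = @($store.Certificates | ForEach-Object { $_.Thumbprint })
    $store.Close()

    foreach ($cert in $adCerts) {
        $state = if ($localThumbs -contains $cert.Thumbprint) { "present" } else { "MISSING" }
        "ROOT {0,-30} {1}  {2}" -f $cert.Subject, $cert.Thumbprint, $state
    }

    # 3. Optional: force a fresh download, as the moderator describes, by deleting
    #    the AEDirectoryCache key and then re-triggering autoenrollment.
    if ($ResetCache) {
        $cacheKey = "HKLM:\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache"
        if (Test-Path $cacheKey) {
            Remove-Item -Path $cacheKey -Recurse -Force
            "Deleted $cacheKey"
        } else {
            "$cacheKey not present (nothing cached)"
        }
        # certutil -pulse triggers autoenrollment on Vista/2008 and later;
        # on Windows 2003 use 'gpupdate /force' instead.
        & certutil.exe -pulse
    }

    # 4. Show the most recent AutoEnrollment events so a re-run can be confirmed
    #    (Event ID 1, source AutoEnrollment, Application log, as in the question).
    Get-EventLog -LogName Application -Source AutoEnrollment -Newest 5 -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EntryType, EventID, Message
    ```

    Read the output in two halves: if step 1 fails, the client cannot read the Public Key Services container from the DC it chose (try -Server with the new 2008 R2 DC and with an old DC to see whether only one of them fails); if step 1 succeeds but a certificate shows MISSING, the directory side is fine and the -ResetCache step is the one to try, after which step 4 shows whether Event ID 1 is logged again.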

All replies

  • Hi Meetoo2,

    This problem may occur if the Autoenrollment feature cannot reach an Active Directory domain controller.

    Please refer to the steps in KB 310461 to turn off the Autoenrollment feature on your Windows 2003 Server.

    http://support.microsoft.com/kb/310461

    Regards,
    Wilson Jia
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, January 13, 2010 3:43 AM
  • I don't think I need to turn it off.  The problem is I never had any issues until I added the W2k8 R2 DC.  It seems like something changed with the W2k8 schema changes that is causing the problem.  I just have no idea what.

    Wednesday, January 13, 2010 8:59 PM