Need help with Server 2012 R2 domain controller registry warnings, Source CertificateServicesClient-AutoEnrollment, Event ID 64

  • Question

  • I need help with a lot of registry warnings on my Server 2012 R2 domain controller, 3 per day, all the same, sample below. Can anyone help me resolve this issue?

    Registry entry sample:

    Log: Application
    Source: CertificateServicesClient-AutoEnrollment
    Event ID: 64
    Description: Certificate for local system with Thumbprint _____ is about to expire or already expired. (Thumbprint removed for security purposes.)
    Provider:
       [ Name]  Microsoft-Windows-CertificateServicesClient-AutoEnrollment 
       [ Guid]  {F0DB7EF8-B6F3-4005-9937-FEB77B9E1B43} 
       [ EventSourceName]  AutoEnrollment 

    I started scanning my cert store for likely certs w/o success, then resorted to a full powershell dump to a text file and still couldn't find a cert with a matching thumbprint. My powershell script is:

    # list every certificate in every store under the Cert: drive (LocalMachine and CurrentUser)
    cd Cert:\
    Get-ChildItem -Path . -Recurse

    I got nearly 1300 lines of output (i.e. zillions of certs), but the thumbprint in the registry warning is not listed.



    Sunday, January 6, 2019 12:30 AM
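The search the poster describes can be made systematic. The following is an added example, not code from the thread: it pulls every AutoEnrollment Event ID 64 from the Application log, extracts the thumbprint from each message, then walks every store under Cert:\ (not only the My store that MMC shows by default) looking for a case-insensitive match, and finally lists LocalMachine certificates already expired or expiring within a chosen window. Assumptions: the thumbprint in the message is a 40-character SHA-1 hex string (the regex also tolerates the space-separated "ab cd ..." form), and the script is run in an elevated PowerShell on the server that logs the events. The sample message at the bottom is constructed to exercise the parser.

```powershell
# Added example (not from the thread): correlate AutoEnrollment Event ID 64 with the
# certificate stores. Run in an elevated PowerShell on the server that logs the event.
# Assumption: the thumbprint in the event message is SHA-1 hex, possibly space-separated.

function ConvertTo-Thumbprint {
    # Extracts the thumbprint from one event message; tolerates "ab cd ..." spacing
    # and returns it normalised to 40 upper-case hex characters (or nothing).
    param([string]$Message)
    if ($Message -match 'Thumbprint\s+((?:[0-9A-Fa-f]{2}\s?){20})') {
        return ($Matches[1] -replace '\s', '').ToUpperInvariant()
    }
}

function Get-ExpiringCertEventThumbprints {
    # Reads Event ID 64 from the AutoEnrollment provider and returns the unique
    # thumbprints mentioned in the messages.
    param([string]$LogName = 'Application')
    $filter = @{
        LogName      = $LogName
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        Id           = 64
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-Thumbprint -Message $_.Message } |
        Where-Object { $_ } |
        Sort-Object -Unique
}

function Find-CertificateByThumbprint {
    # Walks every store under LocalMachine and CurrentUser (not just My) and returns
    # each certificate whose thumbprint matches; PowerShell's -eq is case-insensitive,
    # so the lower/upper case of the hex in the event does not matter.
    param([Parameter(Mandatory)][string]$Thumbprint)
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object @{ n = 'Store'; e = { $_.PSParentPath -replace '^.*::', '' } },
                      Subject, Issuer, NotBefore, NotAfter, Thumbprint
}

function Get-ExpiringCertificates {
    # Lists every LocalMachine certificate that has expired or expires within $Days,
    # which is the population AutoEnrollment warns about, whatever store it sits in.
    param([int]$Days = 60)
    $limit = (Get-Date).AddDays($Days)
    Get-ChildItem -Path Cert:\LocalMachine -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
            $_.NotAfter -le $limit
        } |
        Select-Object @{ n = 'Store'; e = { $_.PSParentPath -replace '^.*::', '' } },
                      Subject, NotAfter, Thumbprint |
        Sort-Object NotAfter
}

# Constructed sample message (same wording as the event quoted in the post) to show the parser.
$sample = 'Certificate for local system with Thumbprint 0123456789abcdef0123456789abcdef01234567 is about to expire or already expired.'
ConvertTo-Thumbprint -Message $sample

# Live run: each thumbprint logged by Event 64 is either located (with its store) or reported missing.
foreach ($tp in Get-ExpiringCertEventThumbprints) {
    $hits = @(Find-CertificateByThumbprint -Thumbprint $tp)
    if ($hits.Count -eq 0) {
        Write-Warning "Thumbprint $tp from Event 64 is not present in any Cert:\ store visible to this session"
    } else {
        $hits | Format-Table -AutoSize
    }
}

# Everything in LocalMachine that is already expired or expires in the next 60 days.
Get-ExpiringCertificates -Days 60 | Format-Table -AutoSize
```

One caveat: Cert:\ exposes the LocalMachine stores and the CurrentUser stores of the account running the shell only. A certificate that lives in another account's user-profile store, or in a per-service store, will not be found by this walk even though a warning about it can still be logged, so a "not present" result narrows the search rather than proving the event is bogus.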

All replies

  • I'd suggest reaching out to experts over here in security forum.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity





    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Sunday, January 6, 2019 12:51 AM
  • Thx, I'll give that a try as well.
    Sunday, January 6, 2019 4:36 AM
  • Hi,


    According to your description, you could refer to this link:

    https://www.myeventlog.com/search/show/795


    Note: This is a third-party link and we do not have any guarantees on this website. And Microsoft does not make any guarantees about the content.


    Hope these are helpful.



    Monday, January 7, 2019 3:24 AM
    Moderator
  • Hi, I was actually following those instructions (looking for the cert with the matching thumbprint) and found that the cert isn't listed using MMC. This led me to using powershell to list ALL certs on the server and, indeed, the thumbprint was listed in the gazillion certs dumped to a text file. The server is my domain controller and only server on my network, though I have a dozen Win7/8 workstations and a handful of network appliances. The event log entry looks like the server itself is failing to renew its own cert, which doesn't make sense unless it's trying to renew some cert with Microsoft. (But then, what cert since it can't be found?)

    I figure, if someone at Microsoft can't help me find the cert, there's no way I'll ever find it on my own. :(

    Tuesday, January 8, 2019 5:07 AM
  • A week and still nobody can figure out what appears to be a bogus error?
    Saturday, January 12, 2019 9:54 PM
  • What amazing support.
    Tuesday, January 22, 2019 3:51 AM
  • What amazing support.

    These forums are largely peer support by other users like yourself who are giving their time freely. It's more likely that no one reading knows. If you need immediate support, your best option is to start a support case here.

    https://support.microsoft.com/en-us/gp/contactus81?forceorigin=esmc&audience=commercial&wa=wsignin1.0




    Regards, Dave Patrick ....

    Tuesday, January 22, 2019 3:59 AM
  • I have the same issue. The list of my domain controller's own certificates (Server 2012 R2) has three entries, two of which are valid:

    • for the CA: "domainname-myserver-CA"
    • for the domaincontroller: "myserver.domainname"

    One certificate will be invalid in two months:

    • obviously for the domaincontroller itself, but without FQDN: "myserver"

    I don't know why there exists a certificate without the fully qualified domain name, just with the server name itself. The server was a domain controller from the beginning, because it is a Windows Server 2012 R2 Essentials.

    Another server in the domain also has a certificate which will become invalid in two months.

    I don't know if this will have consequences for some functionality inside the domain. It would be nice if anybody had a hint.

    Thorsten

    Monday, July 22, 2019 11:45 AM