Event ID 13 Autoenrollment failed

Locked

otaku_lord
Here are the full errors:

Automatic certificate enrollment for local system failed to enroll for one Domain Controller Authentication certificate (0x800706ba). The RPC server is unavailable.

Automatic certificate enrollment for local system failed to enroll for one Directory Email Replication certificate (0x800706ba). The RPC server is unavailable.

I have inherited these errors so I can only tell you what I have done so far.

1. The Domain Controllers/Admins/Computers have been added to the CERTSVC_DCOM_ACCESS security group. Then ran the following commands:
"certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG"
"net stop certsvc && net start certsvc"

2. The CA (Certificate Authority) has been installed on the primary DC. At one point it was installed on a previous DC, but that DC was rebuilt and no longer exists. I have removed all mention of that DC in AD (that I know of).

3. Domain Controllers/Admins/Computers have been added to the Security group under PROPERTIES in the CA.

So far, nothing has worked. I am still getting the event on my primary DC. I am also receiving KDC warnings on several computers with a message stating basically that the certificates are no longer valid and when attempting to retrieve new ones the server couldn't be found or didn't respond.

I am open to any and all suggestions at this point. I appreciate any help you might suggest.
OH Smeg

Can you actually communicate with this server?

It sounds as if they are not reaching the server to begin with.

Col

otaku_lord

as this is the PDC for the domain. It resolves DNS correctly as well as reverse DNS. It also handles all Active Directory.

otaku_lord

that these errors are on the same machine as the PDC. The errors I am getting from the secondary DC are as follows:

EVENT ID 20
The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.

sigmapi71

Are you sure time is synchronized? Set the same NTP source on the servers, so they have the same time and the same NTP stratum.