Active Directory Certificate Enrollment Error

3

I'm seeing this error in my Active Directory log. The error is on my primary dc which is an SBS 2008 box. The computer performing the request is my secondary dc running server 2008 r2.

Active Directory Certificate Services could not process request ## due to an error: The request's current status does not allow this operation. 0x80094003 (-2146877437). The request was for domain\server2008r2$.

I have these errors in the r2 servers logs:

Automatic certificate enrollment for local system failed (0x800b0101) A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. .

Certificate for local system with Thumbprint ###################### is about to expire or already expired.

How can I resolve these?

Edit: Just wanted to add that the CA snap-in reports that the request failed due to a parsing error.

Edit 2: In my primary domain controller (the SBS 2008 server) it looks like the root cert has expired. I've tried both renewing and requesting a new one, but it says no templates are valid.

active-directory
windows-server-2008-r2
windows-sbs-2008
asked on Server Fault May 21, 2014 by Andy • edited May 23, 2014 by Andy

2 Answers

3

This is typically caused by the Certificate Authority for your domain's Active Directory Certificate Services being unavailable. Try looking into why your Domain Controller cannot participate in auto-enrollment.

answered on Server Fault May 21, 2014 by (unknown user)
1

I've figured this out. As indicated in my edits, the root cause was that the root certificate on my PDC had expired.

The fix was to open the Certificate Authority snap-in, right-click on the server in the tree on the left, go to All Tasks and, at the bottom, select Renew CA Certification.

This gave me a dialog but when I clicked OK I had an error saying it couldn't create the certification, permission denied and Object already existed.

I found that if I stopped ADCS and then went to ProgramData\Microsoft\Crypto\RSA\MachineKeys, I could sort the files by date so the most recent was at the top. I opened it with Notepad and recognized the name of the object I was being told already existed.

I moved the file to the desktop and restarted ADCS and retried renewing the CA cert. It worked this time.

I verified this also fixed the issue on the other backup DC by successfully running gpupdate /force and seeing none of the errors I was getting before.

answered on Server Fault May 24, 2014 by Andy • edited Feb 11, 2020 by mwfearnley
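As an added diagnostic (not part of the question or either answer), the PowerShell below checks for the condition described here before it breaks auto-enrollment: it lists expired or soon-to-expire certificates in the machine's Root and Personal stores, pulls the Application-log events carrying the error codes quoted in the question, and lists the newest files in the MachineKeys folder that the accepted answer had to clean up. The warning window and lookback period are assumed values, and the certutil step only runs where the CA service is installed.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the
# CA host (or on a domain member to check only its own stores and event log).
param([int]$WarnDays = 30, [int]$LookbackDays = 7)   # assumed defaults

$now = Get-Date

# 1. Certificates that are already expired or expire within $WarnDays.
#    An expired CA certificate in Root is the root cause described on this page.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\My'
$expiring = foreach ($s in $stores) {
    Get-ChildItem $s | Where-Object { $_.NotAfter -lt $now.AddDays($WarnDays) } |
        Select-Object @{n='Store';e={$s}}, Subject, Thumbprint, NotAfter,
            @{n='State';e={ if ($_.NotAfter -lt $now) { 'EXPIRED' } else { 'EXPIRING' } }}
}
"--- Expired / expiring certificates (warn window: $WarnDays days) ---"
$expiring | Format-Table -AutoSize

# 2. Application-log events that match the codes and text quoted in the question.
$patterns = '0x800b0101', '0x80094003', 'about to expire'
"--- Matching Application-log events (last $LookbackDays days) ---"
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $now.AddDays(-$LookbackDays) } `
             -ErrorAction SilentlyContinue |
    Where-Object { $m = $_.Message; $patterns | Where-Object { $m -match [regex]::Escape($_) } } |
    Select-Object TimeCreated, ProviderName, Id, @{n='Summary';e={ $_.Message.Split("`n")[0] }} |
    Format-Table -AutoSize

# 3. Newest key containers in MachineKeys, sorted as the accepted answer did, so a
#    stale container left behind by a failed renewal is easy to spot.
$keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
"--- Newest files in $keyDir ---"
Get-ChildItem $keyDir -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 Name, LastWriteTime, Length | Format-Table -AutoSize

# 4. On the CA host, show the CA's own certificate details and validity.
if (Get-Service CertSvc -ErrorAction SilentlyContinue) {
    "--- CA certificate information (certutil -CAInfo) ---"
    certutil -CAInfo
}
```

Schedule it or run it by hand; any row marked EXPIRED in the Root store on the CA host is the state the accepted answer had to recover from.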

User contributions licensed under CC BY-SA 3.0