Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

A Windows Server 2003-based domain controller may request multiple certificates every 8 hours


Symptoms

Consider the following scenario. You have a Windows Server 2003-based domain controller that hosts the certification authority (CA). Additionally, you enable automatic enrollment of certificates in the domain. In this scenario, the Windows Server 2003-based domain controller may request multiple certificates every 8 hours.

Additionally, an event that resembles the following may be logged in the Application log:

Event Type: Information
Event Source: AutoEnrollment
Event Category: None
Event ID: 19
Date: Date
Time: Time
User: N/A
Computer: Computer
Description:
Automatic certificate enrollment for local system successfully received one Directory Email Replication certificate from certificate authority Issuing CA1 on Computer.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Cause

This problem occurs because you do not delete the previous certificate template correctly. Therefore, the previous certificate template still exists in the CA when you install the new certificate template. You cannot have duplicate certificate templates that have the same name. The duplicate certificate templates must have different names.


Resolution

To resolve this problem, follow these steps:
  1. Click Start, point to Administrative Tools, and then click Certification Authority.
  2. Right-click Certificate Template, and then click Manage.

    The certificate store opens, and you may see duplicate certificate templates that have the same name. For example, you may see the following records:
    Domain Controller Authentication
    Domain Controller Authentication
    Directory Email Replication
    Directory Email Replication

  3. Click Start, click Run, type adsiedit.msc, and then click OK.

    Note The Active Directory Service Interfaces (ADSI) Edit tool is included in Microsoft Windows 2000 Support Tools and in Windows Server 2003 Support Tools.
  4. In the CN=Configuration container, locate the following container.
    CN=Certificate Templates,CN=Public Key services,CN=Services,CN=Configuration,DC=Contoso,DC=Com
  5. In the duplicate certificate template, locate the objects that have CNF in the object name.
  6. Delete the objects that have CNF in the object name.
  7. Exit the ADSI Edit tool.
  8. Click Start, point to Administrative Tools, and then click Certification Authority.
  9. Right-click Certificate Template, and then click Manage.

    You see only one record for each certificate template.
  10. Close the certificate store.
  11. In the Certification Authority console tree, right-click Revoked Certificates, point to All Tasks, and then click Publish.
  12. In the Publish CRL dialog box, click Delta CRL only to publish a new delta certificate revocation list (CRL), and then click OK.
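
The check in steps 5 and 6 can be previewed offline before anything is deleted. The following Python script is an added example, not part of the original article and not Microsoft code: it reads an LDIF-style export of the Certificate Templates container and lists the objects whose name contains CNF, grouped by template display name. The export text, template CNs and GUIDs are constructed, and the `\0ACNF:<GUID>` form of the marker in the DN is an assumption about how the export renders conflict objects.

```python
import base64
import re
from collections import defaultdict

# Container DN as given in step 4 of the article.
BASE = ("CN=Certificate Templates,CN=Public Key services,CN=Services,"
        "CN=Configuration,DC=Contoso,DC=Com")
# Assumed marker: "\0ACNF:<GUID>" in the DN string (raw newline if base64-decoded).
CNF_RE = re.compile(r"(?:\\0A|\n)CNF:[0-9a-fA-F-]{36}")

def parse_ldif(text):
    """Yield one {attribute: value} dict per LDIF record (last value wins)."""
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        rec = {}
        for line in block.replace("\n ", "").splitlines():  # unfold wrapped lines
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            rec[name.lower()] = value.strip()
        if "dn" in rec:
            yield rec

def find_conflicts(text):
    """Map display name -> {'survivors': [DNs], 'conflicts': [DNs]}."""
    seen = defaultdict(lambda: {"survivors": [], "conflicts": []})
    for rec in parse_ldif(text):
        kind = "conflicts" if CNF_RE.search(rec["dn"]) else "survivors"
        seen[rec.get("displayname", rec["dn"])][kind].append(rec["dn"])
    return {name: hit for name, hit in seen.items() if hit["conflicts"]}

def sample_record(cn, display):
    return f"dn: CN={cn},{BASE}\ndisplayName: {display}\n"

# Constructed sample export; the template CNs and GUIDs are made up.
SAMPLE = "\n".join([
    sample_record("DirectoryEmailReplication", "Directory Email Replication"),
    sample_record(r"DirectoryEmailReplication\0ACNF:11111111-2222-3333-4444-555555555555",
                  "Directory Email Replication"),
    sample_record("DomainControllerAuthentication", "Domain Controller Authentication"),
    sample_record(r"DomainControllerAuthentication\0ACNF:66666666-7777-8888-9999-000000000000",
                  "Domain Controller Authentication"),
    sample_record("WebServer", "Web Server"),
])

if __name__ == "__main__":
    for name, hit in find_conflicts(SAMPLE).items():
        print(name, "| survivors:", len(hit["survivors"]), "| conflicts:", hit["conflicts"])
```

If a display name shows conflicts but no survivors, only the CNF-named object exists for that template, which is worth reviewing before step 6.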


Keywords: KB950042, kbprb, kbtshoot, kbexpertiseinter

Article Info
Article ID : 950042
Revision : 1
Created on : 4/1/2008
Published on : 4/1/2008
Exists online : False