A Windows Server 2003-based domain controller may request multiple certificates every 8 hours

Article ID: 950042

SYMPTOMS

Consider the following scenario. You have a Windows Server 2003-based domain controller that hosts the certification authority (CA). Additionally, you enable automatic enrollment of certificates in the domain. In this scenario, the Windows Server 2003-based domain controller may request multiple certificates every 8 hours.

Additionally, an event that resembles the following may be logged in the Application log:

Event Type: Information
Event Source: AutoEnrollment
Event Category: None
Event ID: 19
Date: Date
Time: Time
User: N/A
Computer: Computer
Description:
Automatic certificate enrollment for local system successfully received one Directory Email Replication certificate from certificate authority Issuing CA1 on Computer.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

CAUSE

This problem occurs because the previous certificate template was not deleted correctly. As a result, the previous certificate template still exists in the CA when you install the new certificate template. You cannot have duplicate certificate templates that have the same name; duplicate certificate templates must have different names.

RESOLUTION

To resolve this problem, follow these steps:
  1. Click Start, point to Administrative Tools, and then click Certification Authority.
  2. Right-click Certificate Template, and then click Manage.

    The certificate store opens, and you may see duplicate certificate templates that have the same name. For example, you may see the following records:
    Domain Controller Authentication
    Domain Controller Authentication
    Directory Email Replication
    Directory Email Replication

  3. Click Start, click Run, type adsiedit.msc, and then click OK.

    Note The Active Directory Service Interfaces (ADSI) Edit tool is included in Microsoft Windows 2000 Support Tools and in Windows Server 2003 Support Tools.
  4. In the CN=Configuration container, locate the following container.
    CN=Certificate Templates,CN=Public Key services,CN=Services,CN=Configuration,DC=Contoso,DC=Com
  5. In the duplicate certificate template, locate the objects that have CNF in the object name.
  6. Delete the objects that have CNF in the object name.
  7. Exit the ADSI Edit tool.
  8. Click Start, point to Administrative Tools, and then click Certification Authority.
  9. Right-click Certificate Template, and then click Manage.

    You see only one record for each certificate template.
  10. Close the certificate store.
  11. In the Certification Authority console tree, right-click Revoked Certificates, point to All Tasks, and then click Publish.
  12. In the Publish CRL dialog box, click Delta CRL only to publish a new delta certificate revocation list (CRL), and then click OK.
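
The check in steps 2 and 5 can also be scripted. The following PowerShell is an added example, not part of the original article: it is read-only, lists certificate templates whose display name occurs more than once, and prints the distinguished names of objects that have CNF in the object name. It assumes a domain-joined host with PowerShell and an account that can read the Configuration partition; the variable names are illustrative, and the deletion itself is still done as described in step 6.

```powershell
# Added example (read-only): flag duplicate certificate templates and CNF
# conflict objects. Nothing in the directory is modified or deleted.

# Assumption: the Configuration naming context is read from RootDSE instead of
# hard-coding DC=Contoso,DC=Com as in the article's sample path.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$baseDn   = "CN=Certificate Templates,CN=Public Key services,CN=Services,$configNc"

$searcher             = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$baseDn"
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
$searcher.PageSize    = 500
$searcher.Filter      = '(objectClass=pKICertificateTemplate)'
foreach ($attr in 'cn', 'displayName', 'whenCreated', 'distinguishedName') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$templates = @(foreach ($result in $searcher.FindAll()) {
    $p  = $result.Properties          # property keys are returned lower-cased
    $cn = [string]($p['cn'] | Select-Object -First 1)
    New-Object PSObject -Property @{
        DisplayName       = [string]($p['displayname'] | Select-Object -First 1)
        CN                = $cn
        IsConflict        = ($cn -match 'CNF:')   # "CNF" in the object name (step 5)
        WhenCreated       = ($p['whencreated'] | Select-Object -First 1)
        DistinguishedName = [string]($p['distinguishedname'] | Select-Object -First 1)
    }
})

# Templates that show up more than once in the console (step 2).
$templates |
    Group-Object DisplayName |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { $_.Group } |
    Sort-Object DisplayName, WhenCreated |
    Format-Table DisplayName, CN, IsConflict, WhenCreated -AutoSize

# Objects that step 6 would delete in ADSI Edit.
$conflicts = @($templates | Where-Object { $_.IsConflict })
if ($conflicts.Count -eq 0) {
    Write-Output 'No CNF conflict objects found under Certificate Templates.'
} else {
    $conflicts | Select-Object -ExpandProperty DistinguishedName
}
```

Running it again after step 9 should report no conflict objects and no repeated display names.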

Properties

Article ID: 950042 - Last Review: April 1, 2008 - Revision: 1.0
APPLIES TO
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Standard x64 Edition
Keywords: 
kbexpertiseinter kbtshoot kbprb KB950042
