Help and Support

Article ID: 310461 - Last Review: December 3, 2007 - Revision: 7.4

Problems occur when the Autoenrollment feature cannot reach an Active Directory domain controller

View products that this article applies to.
This article was previously published under Q310461
Expand all | Collapse all

SYMPTOMS

The following Event ID 15 error message entries are logged at 8-hour intervals in the application event log:
Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 15
Date: date
Time: time
User: N/A
Computer: computer name
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed.
Back to the top

CAUSE

This problem may occur if the Autoenrollment feature cannot reach an Active Directory domain controller. In a Microsoft Windows NT 4.0 domain, Active Directory is not available. Therefore, the Autoenrollment feature cannot work. In an Active Directory domain that has Microsoft Windows 2000 or later domain controllers, the problem may be caused by a DNS name resolution or by network connectivity issue.
Back to the top

RESOLUTION

For a Microsoft Windows XP-based computer or a Microsoft Windows Server 2003-based computer that is joined to a Windows NT 4.0 domain, to turn off the Autoenrollment feature in the Local Group Policy, follow these steps on the local workstation:
  1. Click Start, click Run, type gpedit.msc, and then press ENTER.
  2. In the left pane, expand Computer Configuration, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.
  3. Double-click Autoenrollment Settings.
  4. Click Do not enroll certificates automatically.
  5. Click OK.
  6. Repeat steps 2 through 5, but in step 2, expand User Configuration, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.
  7. Close the Group Policy window.
For a computer that is a member of a Windows 2000 or later Active Directory domain, make sure that the domain member has network connectivity with at least one domain controller.

After you have determined that you have good Internet Protocol (IP) connectivity between the member and a domain controller, correct the DNS address in the IP properties of the workstation. To do this, follow these steps:
  1. Start the Network Connections tool in Control Panel.
  2. Right-click Local Area Connection, and then click Properties.
  3. Click Internet Protocol (TCP/IP), and then click Properties.
  4. Type the correct DNS address in the Preferred DNS server box.
  5. Click OK.
Back to the top

MORE INFORMATION

For additional information about DNS configuration for Active Directory, click the following article number to view the article in the Microsoft Knowledge Base:
291382  (http://support.microsoft.com/kb/291382/ ) Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS
Back to the top
APPLIES TO
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows XP Professional
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
Back to the top
Keywords: 
kbevent kberrmsg kbprb KB310461
Back to the top

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations