A Windows Server 2003-based domain controller may request multiple certificates every 8 hours

Consider the following scenario. You have a Windows Server 2003-based domain controller that hosts the certification authority (CA). Additionally, you enable automatic enrollment of certificates in the domain. In this scenario, the Windows Server 2003-based domain controller may request multiple certificates every 8 hours.

Additionally, an event that resembles the following may be logged in the Application log:

Event Type: Information
Event Source: AutoEnrollment
Event Category: None
Event ID: 19
Date: Date
Time: Time
User: N/A
Computer: Computer
Description:
Automatic certificate enrollment for local system successfully received one Directory Email Replication certificate from certificate authority Issuing CA1 on Computer.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

This problem occurs because you do not delete the previous certificate template correctly. Therefore, the previous certificate template still exists in the CA when you install the new certificate template. You cannot have duplicate certificate templates that have the same name. The duplicate certificate templates must have different names.

To resolve this problem, follow these steps:

1. Click Start, point to Administrative Tools, and then click Certification Authority.
2. Right-click Certificate Template, and then click Manage.
   
   The certificate store opens, and you may see duplicate certificate templates that have the same name. For example, you may see the following records:

   Domain Controller Authentication
   Domain Controller Authentication
   Directory Email Replication
   Directory Email Replication	
   

3. Click Start, click Run, type adsiedit.msc, and then click OK.
   
   Note The Active Directory Service Interfaces (ADSI) Edit tool is included in Microsoft Windows 2000 Support Tools and in Windows Server 2003 Support Tools.
4. In the CN=Configuration container, locate the following container.

   CN=Certificate Templates,CN=Public Key services,CN=Services,CN=Configuration,DC=Contoso,DC=Com

5. In the duplicate certificate template, locate the objects that have CNF in the object name.
6. Delete the objects that have CNF in the object name.
7. Exit the ADSI Edit tool.
8. Click Start, point to Administrative Tools, and then click Certification Authority.
9. Right-click Certificate Template, and then click Manage.
   
   You see only one record for each certificate template.
10. Close the certificate store.
11. In the Certification Authority console tree, right-click Revoked Certificates, point to All Tasks, and then click Publish.
12. In the Publish CRL dialog box, click Delta CRL only to publish a new delta certificate revocation list (CRL), and then click OK.