Hello Everyone,
we have a domain running in 2008R2 domain-mode. We have Root- and Intermediate CAs integrated into AD. The CA-Servers are Microsoft Servers. Our DCs need Certificates because we are using SmartCard-Logon.
We are currently replacing the "Domain Controller Authentication" certificates with "Kerberos Authentication" certificates. Almost 100 DCs have automatically enrolled and obtained a new certificate and the old certificates were discarded. But strangely we have about 10 DCs where the automatic process fails. When these servers try to auto-enroll the following events are displayed in the application log:
CertificateServicesClient-CertEnroll Event 82
CertificateServicesClient-CertEnroll Event 13
CertificateServices-AutoEnrollment Event 6
These events indicate that the RPC-Server is unavailable. When we perform a manual enrollment from the mmc on these servers they obtain a certificate without a problem. Also, certutil -ping <CA-Server-Name> runs successfully.
I have searched the web and found documents stating that this is often a firewall issue but the firewalls are down between the DCs and the CA. I can't really imagine this being a permissions issue either, because the manual enrollment works fine. It looks almost as if there was some time-out in the automatic process that is longer or not present in the manual process.
Does anyone have an idea what the problem could be?
Thank you for your help & time!
Regards
HarryNew
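The following script is an added example, not part of the original post, for comparing the failing DCs with the healthy ones: it collects the three event IDs named above from every DC and repeats the manual certutil -ping check from each DC itself. It assumes a domain-joined admin workstation with the ActiveDirectory module, WinRM reachable on the DCs, and that $CaServer is set to the real issuing CA hostname (the placeholder value is not from the post).

```powershell
# Added example (not from the original post): gather the autoenrollment failure
# events the post lists from each DC and pair them with a certutil -ping to the CA,
# so the roughly 10 failing DCs can be compared against the ones that enrolled.
# Assumptions: ActiveDirectory module present, WinRM enabled on the DCs, and
# $CaServer replaced with the issuing CA's hostname (placeholder below).
param(
    [string]$CaServer = 'CA-SERVER-PLACEHOLDER',   # replace with the real issuing CA name
    [int]$LookBackHours = 24
)

Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($dc in $dcs) {
    # Pull only the event IDs named in the post; match the provider loosely because
    # the name shown in Event Viewer and the ETW provider name differ slightly.
    $events = Invoke-Command -ComputerName $dc -ArgumentList $LookBackHours -ScriptBlock {
        param($hours)
        Get-WinEvent -FilterHashtable @{
            LogName   = 'Application'
            Id        = 82, 13, 6
            StartTime = (Get-Date).AddHours(-$hours)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*CertificateServices*' } |
        Select-Object TimeCreated, Id, ProviderName, Message
    }

    # Repeat the post's manual check from the DC itself: can it reach the CA's RPC interface?
    $ping = Invoke-Command -ComputerName $dc -ArgumentList $CaServer -ScriptBlock {
        param($ca)
        $out = certutil -ping $ca 2>&1
        [pscustomobject]@{ Success = ($LASTEXITCODE -eq 0); Output = ($out -join ' ') }
    }

    [pscustomobject]@{
        DC            = $dc
        FailureEvents = @($events).Count
        LastFailure   = (@($events) | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        CaPingOk      = $ping.Success
        CaPingOutput  = $ping.Output
    }
}

# DCs with failure events but a successful ping show exactly the symptom in the post.
$report | Sort-Object FailureEvents -Descending | Format-Table -AutoSize
```

Running it from the DCs' own context (rather than an admin workstation) matches the autoenrollment scenario more closely, since autoenrollment runs as the machine account; certutil -pulse on one failing DC can trigger a fresh attempt before re-running the report.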