Windows Server 2008 CAs and Server 2003 DCs – are you seeing event ID 13 popping up every eight hours?
Be careful when implementing a Windows 2008 based Certificate Authority in a mixed 2003R2 and 2008(R2) environment. By default, the installation of the ADCS Role on a 2008 Server selects SHA2 type algorithms which are not quite compatible with Server 2003R2 SP2 or XP SP3.
You will need a hotfix.
While waiting for a new hardware setup I decided to jump the gun and upgrade my old 2003CA to 2008 in advance – a pretty straightforward process of decommissioning and deploying a new CA on a fresh 2008 install. Both my Home Theatre setup and laptop are running Vista or 7, and there’s a virtualized Core 2008 Domain Controller as well. No problems there.
However, there is still one slight snag as I’m still using a 2003 machine as second physical DC (which hosts my DFS namespace and I haven’t gotten around to upgrading that one).
After a couple of days, that machine started spewing Event ID 13 errors every eight hours in the Application log:
Event Type: Error Event Source: AutoEnrollment Event Category: None Event ID: 13 Date: 28-2-2011 Time: 18:14:37 User: N/A Computer: MYDC Description: Automatic certificate enrollment for local system failed to enroll for one Domain Controller Authentication certificate (0x80092009). Cannot find the requested object. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Secure Channel for LDAP over SSL also breaks because of this, so you’ll see those warnings as well.
A quick look in the ADCS Snapin confirmed both the Directory Email Replication and Domain Controller Authentication certificates were trying to autoenroll but failing every 8 hours.
A search for "cannot find the requested object" quickly resolved that, pointing the way to http://support.microsoft.com/kb/968730.
After requesting the hotfix and rebooting, AutoEnroll properly processes the request again, and SSL enabled LDAP connections are restored.
More information is also available on the Windows PKI Technet Blog: http://blogs.technet.com/b/pki/archive/2011/02/08/common-questions-about-sha2-and-windows.aspx
