AutoEnrollment Event ID13 on DCs After CA Decommissioning
I am working on removing the Enterprise CA from our domain as it was not required and we are upgrading to Windows 2008 R2 shortly. I followed the Microsoft article for decommissioning the Enterprise CA (http://support.microsoft.com/kb/889250). I have only completed up to step 6 at the moment, i.e. revoke certificates, publish a new CRL and uninstall Certificate Authority services off the DC hosting it. I have not yet removed entries from AD as I am being over cautious. Checking our domain controllers this morning, I noticed that they each have AutoEnrollment errors listed in the application log. The DC which hosted the CA has the following. The other DCs have the same issue but with Access Denied as the error.

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 1/11/2011
Time: 3:44:37 AM
User: N/A
Computer: TSRADC01
Description:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80040154). Class not registered
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
October 31st, 2011 6:12pm

It is probably about AD replication; the events should stop after AD has finished replicating the changes you initiated by uninstalling the ADCS service. /Hasain
November 1st, 2011 2:20am

Thanks for the suggestion Hasain. Unfortunately, it is now about 24 hours after I made the changes and the autoenrollment error is still popping up occasionally in the event log on the DCs.
November 1st, 2011 2:25am

To make sure the uninstall has removed the necessary objects, please check the Enrollment Services object (using adsiedit.msc) under CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN. You should not have any objects left if all enterprise CAs have been removed/uninstalled. /Hasain
November 1st, 2011 2:31am

There are two objects in there, strangely enough, given that I only decommissioned one CA. There is a chance that a prior sysadmin installed a CA and just removed the server. How does the autoenrollment process get triggered for a DC? Is it just checking an object in AD to see if it exists?
November 1st, 2011 2:49am

Autoenrollment is enabled when Certificate Services Client autoenrollment is enabled and there are certificate templates with enroll and autoenroll permissions. After locating a template with read+enroll+autoenroll, the client enumerates the Enrollment Services objects looking for an enterprise CA that has the desired template in its template list, to send a certificate request to it. You need to delete all Enrollment Services objects that are not representing an active enterprise CA to avoid errors related to certificate enrollment/autoenrollment.

Certificate autoenrollment is a result of:
Configure Certificate Autoenrollment for computers and users via GPO: http://technet.microsoft.com/en-us/library/cc731522.aspx
Enable Certificate Autoenrollment on specific v2/v3 certificate templates: http://technet.microsoft.com/en-us/library/cc770546.aspx
/Hasain
November 1st, 2011 4:27am
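The enumeration Hasain describes (clients walking the Enrollment Services container for a CA that offers the template) can be reproduced read-only from any domain-joined machine. The following PowerShell script is an added example written for this thread, not code from the thread or from Microsoft; it lists every pKIEnrollmentService object under CN=Enrollment Services in the Configuration partition, flags entries whose CA host no longer answers, and pulls the AutoEnrollment Event ID 13 errors from a DC's Application log so the before/after state of a cleanup can be compared. The function names, the 24-hour window and the "reachable by ping" heuristic are assumptions of this example; it deletes nothing.

```powershell
# Added example (not from the thread): review-only check of the AD objects that
# drive certificate autoenrollment, plus the matching Event ID 13 errors.
# Assumes a domain-joined machine with default read access to the Configuration NC.

function Get-EnrollmentServiceStatus {
    # Locate the Configuration naming context, then the Enrollment Services container
    # that autoenrollment clients enumerate when looking for an enterprise CA.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $basePath = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]$basePath
    $searcher.Filter      = "(objectClass=pKIEnrollmentService)"
    $searcher.SearchScope = "OneLevel"
    [void]$searcher.PropertiesToLoad.AddRange(@("cn", "dNSHostName", "certificateTemplates", "whenChanged"))

    foreach ($result in $searcher.FindAll()) {
        $caName    = [string]$result.Properties["cn"][0]
        $caHost    = [string]$result.Properties["dnshostname"][0]
        $templates = @($result.Properties["certificatetemplates"] | ForEach-Object { [string]$_ })

        # Heuristic (assumption of this example): a CA host that cannot be resolved or
        # does not answer ICMP is a candidate for review, not proof of decommissioning.
        $reachable = $false
        if ($caHost) {
            $reachable = Test-Connection -ComputerName $caHost -Count 1 -Quiet -ErrorAction SilentlyContinue
        }

        $status = if (-not $caHost)        { "REVIEW: no dNSHostName" }
                  elseif (-not $reachable) { "REVIEW: host unreachable" }
                  else                     { "OK" }

        New-Object PSObject -Property @{
            CA          = $caName
            Host        = $caHost
            Status      = $status
            Templates   = ($templates -join ",")
            WhenChanged = [string]$result.Properties["whenchanged"][0]
            DN          = $result.Path
        } | Select-Object CA, Host, Status, Templates, WhenChanged, DN
    }
}

function Get-AutoEnrollmentFailures {
    # Collect AutoEnrollment Event ID 13 errors from the Application log of one DC.
    # Source name "AutoEnrollment" matches the Windows 2003 event shown in the thread.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24            # window size is an assumption of this example
    )
    Get-EventLog -LogName Application -ComputerName $ComputerName -EntryType Error `
                 -After (Get-Date).AddHours(-$Hours) -ErrorAction SilentlyContinue |
        Where-Object { $_.Source -eq "AutoEnrollment" -and $_.EventID -eq 13 } |
        Select-Object TimeGenerated, MachineName, Message
}

# Usage: run before the adsiedit cleanup and again afterwards.
Get-EnrollmentServiceStatus | Format-Table -AutoSize
Get-AutoEnrollmentFailures -Hours 24 | Format-Table -AutoSize -Wrap
```

Entries reported as REVIEW should be cross-checked against the names of CAs known to have been decommissioned before anything is deleted in adsiedit.msc; a CA that is merely offline for maintenance would be flagged the same way. The Templates column shows which templates the stale object still advertises, which is exactly what makes the DCs keep retrying against it.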

Thanks again Hasain. Sorry, I am not overly knowledgeable around CA. I inherited this config and am only decommissioning as it is standing in the way of our Windows 2008 R2 AD migration. So just to clarify, if I perform the following CA AD cleanup (as per KB555151) for both the listed CAs (the one I decommissioned and the previous entry), the errors on the DCs will cease?

- Expand "Services", and then expand "Public Key Services".
- Select the "AIA" node. In the right-hand pane, locate the "certificateAuthority" object for your Certification Authority. Delete both the CA objects.
- Select the "CDP" node. In the right-hand pane, locate the Container object for both the servers where Certification Services is installed. Delete the container and the objects it contains.
- Select the "Certification Authorities" node. In the right-hand pane, locate the "certificateAuthority" object for your Certification Authority. Delete both the CA objects.
- Select the "Enrollment Services" node. In the right-hand pane, verify the "pKIEnrollmentService" objects for both the CAs, and delete them both.
November 1st, 2011 4:37am

You only need to perform steps 8-9 for the old/decommissioned CAs to stop autoenrollment activities related to them. Steps 2-7 can be performed if you do not have any active certificates issued by the decommissioned CAs in your environment. /Hasain
November 1st, 2011 4:51am


Thanks Hasain. Removed the rogue entry from the pKIEnrollmentService node and the errors stopped.
November 7th, 2011 7:11pm
