old certification authority
We have an event id 13, source AutoEnrollment, saying: -- Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x800706ba). The RPC server is unavailable. -- We have a CA called e.g. Server2, for years now, and this works fine. But when I start the Administrative Tools\Certification Authority and click Retarget CA, I can click Browse and it comes up with this Server2 but also a very old machine, Server1. This machine was deleted years ago, but probably not in a neat way. When I look in the Directory Sites and Services, go to Services, Public Key Services, there are references to the old server in the folders AIA, CDP, Certification Authorities and Enrollment Services. Can I just delete them, since this machine Server2 hasn't existed at all for years now? Thanks in advance, Olaf
February 24th, 2011 4:14pm

Look at this: http://support.microsoft.com/kb/889250
http://en-us.sysadmins.lv
February 24th, 2011 4:21pm

Thanks, I have seen this article, but this is more about decommissioning an existing server to a new server. We don't have the old server anymore, and all certificates were registered a long time ago on a new CA. But the strange thing is that when I run the command certutil -tcainfo on a DC, it still displays the old server, and only(!) the old server and not the new one. It also says in there 'Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722)' and that it is offline. In the KB you mention, steps 1-5 cannot be done, since this server is not available anymore, for years now. If I cannot remove it or it is not safe, maybe you know how to get rid of the error event id 13 I get on all my DCs: -- Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x800706ba). The RPC server is unavailable. -- To solve this, on the new CA machine I have already added Domain Users and Domain Computers to the new CERTSVC_DCOM_ACCESS local group and stopped and started the Cert service, but this did not help. I think this has to do with the old and nonexistent CA server? By the way, when I only run certutil without flags, I see both my CAs; it has two entries, the old and the new one. I really would like to get rid of this old entry. Thanks again! Olaf
February 24th, 2011 4:49pm

This is because your old CA was not correctly decommissioned. At least you need to remove old CA information from the Enrollment Services container. Open PKIView.msc, right-click on the root node and select Manage AD Containers. Go through all tabs and remove items related to the old CA.
http://en-us.sysadmins.lv
February 24th, 2011 5:07pm

Thanks. I think the former system administrator did not do this the proper way; I was afraid of that. Since I don't know much about certificates: can it do any harm removing these old items? If someone or some device still has a certificate related to the old certificate server, it wouldn't work anyway? In the tab NTAuthCertificates there are two certificates. Both of them have a CRL Distribution Point pointing to my old server. So if I remove them, there are none left. Can this be true? Thanks again! Olaf
February 24th, 2011 5:46pm

1) If the CA is dead and you still haven't received any certificate validation checking error, then it is safe to remove them.
2) NTAuthCertificates is a container for trusted authentication CA servers. This means that for any CA that is approved to issue logon certificates (and smart card logon too), the CA certificate must be published to this container. Otherwise certificate-based authentication will fail. Since the old CA is dead, feel free to remove its certificates.
http://en-us.sysadmins.lv
February 24th, 2011 11:43pm

Thanks, I will look into this. Before I delete something, I want to discuss this with a colleague next week too. I am kind of anxious to just delete certificate things. Is there some kind of disaster recovery thing for this, so I can rollback whenever things go wrong? Thanks again for your help! Olaf
February 25th, 2011 12:28pm

Some things you can re-publish, for example the old CA certificate, by running the following commands:

    certutil -dspublish -f oldcacert.cer RootCA
    certutil -dspublish -f oldcacert.cer NTAuthCA

RootCA and NTAuthCA are keywords. Just replace the file path. Again: if the CA server no longer exists, decommission it.
http://en-us.sysadmins.lv
February 25th, 2011 1:48pm
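As an added example (not posted by anyone in this thread), the following PowerShell script does the read-only groundwork for the removal and the rollback question above: it walks the AIA, CDP, Certification Authorities and Enrollment Services containers the original poster found the stale references in, flags entries whose DN or dNSHostName matches the old server name, and saves every cACertificate blob found there, plus the whole NTAuthCertificates store, as DER .cer files that "certutil -dspublish" can re-publish if something has to be rolled back. $OldCaName (defaulting to the thread's "Server1") and $BackupDir are assumed placeholders; it needs only a domain-joined Windows host and read access to the Configuration partition, and deletes nothing.

```powershell
# Added example, not from the thread: inventory the AD Public Key Services containers
# and back up certificate blobs before anything is removed with PKIView.msc.
param(
    [string]$OldCaName = 'Server1',                        # assumed placeholder
    [string]$BackupDir = "$env:USERPROFILE\pki-backup"     # assumed placeholder
)
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiDn    = "CN=Public Key Services,CN=Services,$configNc"
$pattern  = [regex]::Escape($OldCaName)

function Export-CaCertBlobs($entry, $tag) {
    # cACertificate is multi-valued binary; save each value as DER (.cer)
    $i = 0
    foreach ($blob in $entry.Properties['cacertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                           -ArgumentList (,[byte[]]$blob)
        $file = Join-Path $BackupDir ("{0}-{1}.cer" -f $tag, $i++)
        [IO.File]::WriteAllBytes($file, $cert.RawData)
        "  backed up: $($cert.Subject) (expires $($cert.NotAfter)) -> $file"
    }
}

# The containers the original poster found references in, searched recursively
foreach ($c in 'AIA', 'CDP', 'Certification Authorities', 'Enrollment Services') {
    "Container: $c"
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://CN=$c,$pkiDn"
    $s.SearchScope = 'Subtree'
    $s.Filter      = '(objectClass=*)'
    foreach ($r in $s.FindAll()) {
        $dn = [string]($r.Properties['distinguishedname'] | Select-Object -First 1)
        if ($dn -eq "CN=$c,$pkiDn") { continue }          # skip the container itself
        $dnsHost = [string]($r.Properties['dnshostname'] | Select-Object -First 1)
        $stale   = ($dn -match $pattern) -or ($dnsHost -match $pattern)
        $flag    = if ($stale) { '[OLD]' } else { '     ' }
        "$flag $dn  host=$dnsHost"
        # Keep a copy of any CA certificate stored on an entry that points at the old server
        if ($stale) { Export-CaCertBlobs $r ($c -replace ' ', '') }
    }
}

# NTAuthCertificates lists every CA trusted for certificate logon; back up all of it,
# since the poster reports both entries there reference the old server.
"Container: NTAuthCertificates"
Export-CaCertBlobs ([ADSI]"LDAP://CN=NTAuthCertificates,$pkiDn") 'NTAuth'
```

Entries printed with [OLD] are the candidates for removal via PKIView.msc; a saved NTAuth-*.cer can be put back with the certutil -dspublish command given above if certificate logon breaks after the cleanup.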

Sorry, I did not have time to execute the steps described in this thread, but I have all the information to solve this now, I think. So, you may 'close' this thread.
March 7th, 2011 11:38am

This worked like a charm for me. Probably needless to say, but you need to run PKIView.msc on a remaining Certificate Authority server. From there, follow the steps he says and you can easily remove the obsolete certificate authority server.
April 29th, 2011 5:58pm
