Computer autoenrollment failing


Rich Raffenetti
Sep 4, 2007, 10:29:17 PM
I started doing auto enrollment of computers in preparation for RDP/TLS.
I've been widening the coverage in our root domain which has 8000 user
accounts and probably 2000-3000 Windows computers, mostly XP.

Failures to issue certificates started accumulating in one area of our
network where there are ~200-300 computers. Not all of the computers in
that area fail to get certs but only some (~20). In another area of our
network with 1000 computers there are no failures. None of these are remote
and all are well connected. We have been scratching our heads for a long
while looking for inconsistencies between the computers getting certs and
those which are not. There is one newsgroup posting which seems the same
but the posted solution is not at all clearly explained.

We see the following event log message on the computer: "Automatic
certificate enrollment for local system failed to enroll for one Auto Enroll
Computer certificate (0x800725f2). DNS name does not exist." The message
on the Certificate Authority is the same.

We have pursued name inconsistencies and DNS differences as well as
reconnection to the domain. Does anyone know what is happening? Any ideas
would be appreciated.


Brian Komar
Sep 6, 2007, 12:41:33 AM
This is simple. Your certificate template is populating the subject
alternate name with the DNS name of the computer (as stored in AD). This
name is not there, so the enrollment fails.
Update the computer accounts with a DNS name.
Brian
"Rich Raffenetti" <rich@raffenetti_takethisout.com> wrote in message
news:usiViP27...@TK2MSFTNGP05.phx.gbl...

Rich Raffenetti
Sep 7, 2007, 11:13:28 PM
Brian,
Thanks. I think you are telling me that the computer in AD does not
have a value for "host DNS name" and therefore does not pass it along to the
CA in the cert request. I believe we have been pursuing viewing the
attributes of the computer and have not noticed any absences.
However, we may have missed something. Is the "host DNS name" the right
attribute? I found the way to dump the failed Binary Request. It appears
to me that the DNS name is ok.
Sometimes our DNS contains a name different from the name the computer
has for its DNS name. I have found this to not be an issue because many of
the computers successfully acquiring certs have this disparity. I can
explain what I have been seeing more fully if need be.
Would it be useful to post the text dump of the binary request? I would
have to modify the names to obscure our organization name.
Rich Raffenetti

"Brian Komar" <brian...@nospam.identit.ca> wrote in message
news:OACxoCE8...@TK2MSFTNGP02.phx.gbl...
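Brian's explanation (the template builds the subject alternative name from the computer account's DNS name in AD, and that attribute is empty on the failing accounts) and Rich's observation that the AD name and the DNS record sometimes disagree both reduce to checks a domain admin can script. The following PowerShell is an added example, not code from this thread or from either poster: it walks the computer accounts under an OU, flags accounts whose dNSHostName attribute is empty, flags accounts whose dNSHostName does not match the expected name.suffix form, and tries a forward DNS lookup of the rest. It assumes the ActiveDirectory RSAT module and Resolve-DnsName are available on the admin workstation; the OU distinguished name and domain suffix are placeholders, not values from the thread.

```powershell
# Added diagnostic example (not from the thread). Placeholders: the OU path and
# domain suffix below must be replaced with your own values.
param(
    [string]$SearchBase     = 'OU=Workstations,DC=example,DC=com',
    [string]$ExpectedSuffix = 'example.com'
)

Import-Module ActiveDirectory

# dNSHostName is the AD attribute the enrollment template reads for the SAN.
$computers = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties dNSHostName

$report = foreach ($c in $computers) {
    $adDns  = $c.dNSHostName
    $status = 'ok'
    $detail = ''

    if ([string]::IsNullOrEmpty($adDns)) {
        # The condition Brian describes: the template wants the AD DNS name and
        # the account has none, so the CA rejects the request (0x800725f2).
        $status = 'missing-dNSHostName'
    }
    elseif ($adDns -ne "$($c.Name).$ExpectedSuffix") {
        # Name is present but not <sAMAccountName without $>.<domain suffix>;
        # often a stale value left over from a rename or domain move.
        $status = 'suffix-mismatch'
        $detail = $adDns
    }
    else {
        # Rich's case: AD holds a name that DNS does not know (or knows differently).
        try {
            $a = Resolve-DnsName -Name $adDns -Type A -ErrorAction Stop |
                 Where-Object { $_.QueryType -eq 'A' }
            if (-not $a) { $status = 'dns-no-A-record' }
            else         { $detail = ($a.IPAddress -join ',') }
        }
        catch {
            $status = 'dns-unresolvable'
            $detail = $_.Exception.Message
        }
    }

    [pscustomobject]@{
        Name        = $c.Name
        DnsHostName = $adDns
        Status      = $status
        Detail      = $detail
    }
}

# Show only the accounts that would plausibly fail autoenrollment.
$report | Where-Object { $_.Status -ne 'ok' } |
    Sort-Object Status, Name |
    Format-Table -AutoSize
```

Run it from an account that can read the OU; accounts listed as missing-dNSHostName are the ones to fix before retrying enrollment, and the suffix-mismatch and dns-* rows are the place to look when the attribute is present but the request is still denied. Note that the string comparison uses PowerShell's default case-insensitive -ne, which matches how DNS names are compared.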

Brian Komar
Sep 8, 2007, 8:13:24 AM
You can send it to me privately if you prefer
Brian

"Rich Raffenetti" <rich@raffenetti_takethisout.com> wrote in message
news:uBzJQWc8...@TK2MSFTNGP02.phx.gbl...

Rich Raffenetti
Sep 19, 2007, 10:03:21 PM
Did you get my private email sent on 9/8?

"Brian Komar" <brian...@nospam.identit.ca> wrote in message
news:uZ2xIIh...@TK2MSFTNGP02.phx.gbl...

Brian Komar
Sep 20, 2007, 6:19:53 AM
Sorry Rich, I have been on the road and have not had any cycles to look at
it. I will try and look at it during my flights this Friday.

Brian
"Rich Raffenetti" <rich@raffenetti_takethisout.com> wrote in message
news:O4m2vmy%23HHA...@TK2MSFTNGP03.phx.gbl...

ronviloria
Oct 23, 2008, 2:14:41 PM
Did you ever solve this problem? I am getting the same problem here.

Paul Adare
Oct 23, 2008, 2:21:41 PM
On Thu, 23 Oct 2008 11:14:17 -0700, Ron Viloria wrote:

> Did you ever solve this problem? I am getting the same problem here.

What is the exact problem? You've provided absolutely no context here.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca

ronviloria
Oct 24, 2008, 1:12:33 PM
I see the following application event log message on my Certificate Authority for some computers:

Certificate Services denied request 6678 because DNS name does not exist. 0x800725f2 (WIN32: 9714). The request was for xxxx\xxxx$. Additional information: Denied by Policy Module.

Pretty much the same message in the failed requests of the Certificate Authority.

On other computers the Autoenrollment and request for certificate works fine.

I have removed/added the problem computer from the domain with no difference.
