Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed.
Concepts to understand: What is a certificate enrollment?
I found that my Gigabit Ethernet Controller was causing the issue as described in ME239924.
I had this problem while using SAMBA as PDC. The only way I found to get rid of these error messages was by disabling certificates. To disable annoying Event Viewer notifications about "Automatic certificate enrollment for local system failed to contact the active directory" every eight hours, locate the Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies branch and select "Do not enroll certificates automatically" under Autoenrollment Settings. Note that this policy will not be available until after the XP machine has joined the domain.
In my case, a laptop crashed and needed to be reformatted. Due to the crash, we did not disjoin it from the domain. When reinstalling the software, it was named something different than its original name. I successfully joined it to the domain, but it did not show up in the Computers OU. I disjoined it from the domain, manually deleted the old computer account, and rejoined it to the domain. The laptop then showed up in the domain.
This particular event was discovered after a user was unable to log on to the domain from his computer. Various usernames were tried but the computer was just unable to connect to the domain. I used the local administrator account to disconnect from the domain and switch to a workgroup configuration (right click on My Computer -> Properties -> Computer Name). I restarted twice and then logged in again as the local administrator and re-connected to the domain. All was well from this point on.
We had this error on one XP Client at boot time when connecting to the domain. It was accompanied by Event ID 1053 (Userenv) and multiple Event ID 40961 (LSASRV). The solution was to correct the date which was one day ahead (the time was ok).
For additional information about certificate autoenrollment in Windows XP, follow the link to "Certificate Autoenrollment in Windows XP".
From a newsgroup post: Based on my research, the Event ID 15 indicates that the computer cannot locate the Active Directory and the event will be logged at 8-hour intervals in the Application event log. For more information about Event ID 15, please refer to ME310461.
Based on my experience, if the DNS settings on the client computer are set incorrectly, this issue will occur. I suggest you check the following:
1. Go to the properties page of your local connection.
2. Go to the TCP/IP settings and make sure that the DNS IP Address is your DC's IP address.
3. Please apply the steps in ME244474 on the Windows XP computer. Test to see if the problem disappeared.
1. Click Start -> Run, type msconfig and click OK.
2. Go to the Services tab and click Hide All Microsoft Services and then click Disable All.
3. Go to the Startup tab and click Disable All.
4. Go to the Gpedit.msc console. Go to Computer Configuration -> Administrative Templates -> System -> Logon.
5. Enable the policy entry "Always wait for the network at computer startup and logon".
6. Restart computer and test again.
This issue could occur when a certification authority (CA) certificate is renewed. If this is the case, please refer to ME270048 to resolve the problem. Test to see if the problem disappeared.
This issue could occur when the AutoEnrollment settings are turned on and there is no Active Directory to handle the request. To turn off AutoEnrollment on the local machine do the following:
1. Type gpedit.msc in the run line to open Group Policy Console.
2. Under Computer Configuration node, click Windows Settings.
3. Click on Public Key Policies.
4. Double-click on AutoEnrollment Settings in the right window.
5. Click on "Do not enroll certificates automatically" and click "OK".
From a newsgroup post: "Based on my research, when you install a CA, on a machine that is running Windows 2003, it should automatically create a group called CERTSVC_DCOM_ACCESS and enroll all the domain controllers as members of this group. I suspect that this was not happening and hence the auto enrollment was failing. At this point, I suggest you run the following command on the problematic Windows 2003 Server:
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
After this, stop and start the certsvc service by using the following commands:
net stop certsvc
net start certsvc
The steps above will create the group and then you can add the DCs as members of the group. If the group already exists, then simply add the DCs as members of the group".
See also ME822406, MSW2KDB, and Error code 0x8007054b for more details on this event.
In my case, CheckPoint SecuRemote client caused the problem. I had to uninstall and reinstall it to get rid of the error.
This problem seems to also be caused by personal firewall software, specifically if the firewall was installed and configured before joining the system to a domain. Zone Alarm caused this issue for me, but I imagine other personal firewalls that filter by application, executable and IP address will do the same. To fix this problem I uninstalled and reinstalled the firewall.
Check for duplicate MAC address on your network adapter. In my case I use SIS network adapters. New machines, DHCP assigned IP. They all got same IP because of the same MAC address, and domain logon failed. Adding computer to the domain also failed. Entering different MAC addresses solved the issue.
We had this error on a WinXP workstation that could no longer access domain resources. The fix was to set the DNS configuration so they pointed to a Win2k DNS (or one that supported DDNS). We had inadvertently set up the machine to point to a non-DDNS UNIX DNS. (Note: this had related events in the System log 10960 & 40961)
Run gpedit.msc to edit global policies, security settings, PKI settings, Auto Enrollment settings. Happens when no AD is present. See ME310461.
Elliott Fields Jr
This problem can occur because auto-enrollment objects store the hash of the certificate of the CA to identify the CA from which to enroll the specified certificate template. When the CA is renewed, the expiration date of the certificate is extended, which changes the certificate. The hash value of the new certificate does not match the value specified in the auto-enrollment object, which prevents the server or client from automatically enrolling for a new certificate. The fix is to delete and then recreate the Issued Auto-Enrollment object. For detailed instructions on how to resolve this issue see ME270048.
To fix this, Start -> Run -> mmc -> File -> Add/Remove Snap-in -> Add... -> Certificates -> My user account -> Finish.
Now expand Certificates -> Certificate Enrollment Requests and uncheck "autoenrollment".
This is also caused when the AutoEnrollment settings are turned on and there is no Active Directory to handle the request. To turn off AutoEnrollment on the local machine:
1) Type gpedit.msc in the run line.
2) Under Computer Configuration, click on the plus next to Windows Settings.
3) Click on Public Key Policies.
4) Double-click on AutoEnrollment Settings in the right window.
5) Click on "Do not enroll certificates automatically" and click "OK".
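The contributors above tie this event to three client-side conditions: DNS servers that are not domain controllers, a clock that is far off from the DC, and the local "Do not enroll certificates automatically" policy. The following triage script, added here and not part of EventID.Net or any contributor's comment, checks all three on the affected machine. It assumes Windows PowerShell 5.1 run elevated on a current Windows client (the DNS cmdlets do not exist on XP), that 'AutoEnrollment' is the XP-era event source name, and that the AEPolicy registry value and its 0x8000 "do not enroll" meaning are correct (both are labelled assumptions in the code).

```powershell
# Added triage script (not from EventID.Net or any contributor): gathers the three
# conditions contributors tie to Event ID 15 on a domain member: DNS servers that
# are not DCs, clock skew against a DC, and the local autoenrollment policy.
# Assumptions: run elevated in Windows PowerShell 5.1 on a current Windows client;
# 'AutoEnrollment' is the XP-era event source; the AEPolicy registry value and its
# 0x8000 'do not enroll' meaning are assumptions, verify against the GPO.
param([int]$Hours = 24)
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Count recent Event ID 15 entries from the AutoEnrollment source
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-EventLog -LogName Application -Source 'AutoEnrollment' -After $since -ErrorAction SilentlyContinue |
          Where-Object { $_.EventID -eq 15 }
$findings.Add("Event ID 15 entries in the last $Hours h: $(@($events).Count)")

# 2. Every configured DNS server should be a domain controller (ME244474 advice)
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
$dcHost = $null; $dcIps = @()
try {
    $srv    = Resolve-DnsName "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
    $dcHost = ($srv | Where-Object Type -eq 'SRV' | Select-Object -First 1).NameTarget
    $dcIps  = @($srv | Where-Object Type -eq 'A' | ForEach-Object IPAddress)
} catch { $findings.Add("DC locator record for $domain did not resolve: check DNS server settings") }
foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses) {
    foreach ($ip in $nic.ServerAddresses) {
        if ($dcIps -notcontains $ip) { $findings.Add("$($nic.InterfaceAlias): DNS server $ip is not a DC") }
    }
}

# 3. Clock offset against that DC (the 'date one day ahead' case above)
if ($dcHost) {
    $out = w32tm /stripchart /computer:$dcHost /samples:1 /dataonly 2>&1 | Out-String
    if ($out -match ',\s*([+-]?\d+\.\d+)s') {
        $offset = [double]$Matches[1]
        if ([math]::Abs($offset) -gt 300) { $findings.Add("Clock is off by $offset s from ${dcHost} (Kerberos limit is 300 s)") }
    } else { $findings.Add("Could not measure time offset against $dcHost") }
}

# 4. Local autoenrollment policy (set by 'Do not enroll certificates automatically')
$ae = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' -ErrorAction SilentlyContinue
if ($ae -and $ae.AEPolicy -eq 0x8000) { $findings.Add('Autoenrollment is disabled by policy (AEPolicy = 0x8000)') }
elseif ($ae) { $findings.Add(('AEPolicy = 0x{0:X}: autoenrollment enabled' -f $ae.AEPolicy)) }
else { $findings.Add('No autoenrollment policy set locally') }

$findings
```

Each line of output is one condition to act on; a DNS server that is not a DC or a clock offset above 300 s matches the fixes described in the comments above.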
I had this problem on WinXP Pro when adding it to a domain. The solution for me was to remove F-Secure antivirus; after removing it, all it needed was a reboot and it worked fine.
I had this problem on 3x WinXP SP1 machines that just would not log on to the network. After checking DNS, WINS, and DHCP releasing/renewing, the problem persisted. The server was a very old SBS 4.0 SP3. I installed SP5, rebooted, and everything came back up and the workstation successfully joined the domain.