Multiple Windows servers didn't update the internal root CA from AD

Maletic, Dejan 1 Reputation point
2022-12-28T11:54:15.247+00:00

Hello

Today we found out that some of the servers in our deployment have not renewed their computer certificates. After a few minutes of digging through the event logs we found out that the root cause is that they also have not updated our internal root CA from AD.
The root CA is domain joined and we currently cannot see a common link between the servers that haven't updated the root CA cert.

Question of the day is: where exactly to look for more information on where and how this failed?
In the event logs (Certificate Services Client, System, etc.) we can only see the last auto-enrollment event and nothing related to the root CA not being updated/downloaded from AD.
Some of the servers that have the root CA cert and some that don't are in the same OU, so we assume this has nothing to do with the GPOs.

Any ideas on how to even properly start troubleshooting this?
Servers were rebooted and gpupdate /force was run... no change.

Thanks


2 answers

  1. Michael Durkan 12,221 Reputation points MVP
    2022-12-28T12:01:43.72+00:00

    Hi

    I'd start by making sure your Domain Controllers health and replication are 100% using dcdiag / repadmin tools.

    Hope this helps,

    Thanks

    Michael Durkan

    • If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!

  2. Maletic, Dejan 1 Reputation point
    2022-12-29T07:54:44.373+00:00

    Hi

    Well.. that does make sense but as far as I can see this is not affecting us.

    The site these servers are in has 3 DCs, and dcdiag and repadmin show no real issues (there are some recurring smaller errors, but they should not be related to this).

    Directory Server Diagnosis

    Performing initial setup:
    Trying to find home server...
    Home Server = XXX-DC01
    * Identified AD Forest.
    Done gathering initial info.

    Doing initial required tests

    Testing server: <site>\XXX-DC01
    Starting test: Connectivity
    ......................... XXX-DC01 passed test Connectivity

    Doing primary tests

    Testing server: <site>\XXX-DC01
    Starting test: Advertising
    ......................... XXX-DC01 passed test Advertising
    Starting test: FrsEvent
    ......................... XXX-DC01 passed test FrsEvent
    Starting test: DFSREvent
    There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may caus
    Group Policy problems.
    ......................... XXX-DC01 passed test DFSREvent
    Starting test: SysVolCheck
    ......................... XXX-DC01 passed test SysVolCheck
    Starting test: KccEvent
    A warning event occurred. EventID: 0x800004C0
    Time Generated: 12/28/2022 14:21:33
    Event String: Internal event: An LDAP client connection was closed because of an error.
    A warning event occurred. EventID: 0x800004C0
    Time Generated: 12/28/2022 14:21:33
    Event String: Internal event: An LDAP client connection was closed because of an error.
    A warning event occurred. EventID: 0x800004C0
    Time Generated: 12/28/2022 14:23:03
    Event String: Internal event: An LDAP client connection was closed because of an error.
    A warning event occurred. EventID: 0x800004C0
    Time Generated: 12/28/2022 14:23:33
    Event String: Internal event: An LDAP client connection was closed because of an error.
    A warning event occurred. EventID: 0x800004C0
    Time Generated: 12/28/2022 14:27:04
    Event String: Internal event: An LDAP client connection was closed because of an error.
    A warning event occurred. EventID: 0x800004C0
    Time Generated: 12/28/2022 14:28:04
    Event String: Internal event: An LDAP client connection was closed because of an error.
    A warning event occurred. EventID: 0x800004C0
    Time Generated: 12/28/2022 14:29:04
    Event String: Internal event: An LDAP client connection was closed because of an error.
    A warning event occurred. EventID: 0x800004C0
    Time Generated: 12/28/2022 14:29:34
    Event String: Internal event: An LDAP client connection was closed because of an error.
    A warning event occurred. EventID: 0x800004C0
    Time Generated: 12/28/2022 14:29:34
    Event String: Internal event: An LDAP client connection was closed because of an error.
    A warning event occurred. EventID: 0x800004C0
    Time Generated: 12/28/2022 14:31:04
    Event String: Internal event: An LDAP client connection was closed because of an error.
    A warning event occurred. EventID: 0x800004C0
    Time Generated: 12/28/2022 14:31:34
    Event String: Internal event: An LDAP client connection was closed because of an error.
    A warning event occurred. EventID: 0x800004C0
    Time Generated: 12/28/2022 14:32:04
    Event String: Internal event: An LDAP client connection was closed because of an error.
    A warning event occurred. EventID: 0x800004C0
    Time Generated: 12/28/2022 14:34:34
    Event String: Internal event: An LDAP client connection was closed because of an error.
    A warning event occurred. EventID: 0x800004C0
    Time Generated: 12/28/2022 14:35:04
    Event String: Internal event: An LDAP client connection was closed because of an error.
    A warning event occurred. EventID: 0x800004C0
    Time Generated: 12/28/2022 14:35:04
    Event String: Internal event: An LDAP client connection was closed because of an error.
    A warning event occurred. EventID: 0x800004C0
    Time Generated: 12/28/2022 14:35:34
    Event String: Internal event: An LDAP client connection was closed because of an error.
    A warning event occurred. EventID: 0x800004C0
    Time Generated: 12/28/2022 14:35:34
    Event String: Internal event: An LDAP client connection was closed because of an error.
    A warning event occurred. EventID: 0x800004C0
    Time Generated: 12/28/2022 14:36:04
    Event String: Internal event: An LDAP client connection was closed because of an error.
    ......................... XXX-DC01 passed test KccEvent
    Starting test: KnowsOfRoleHolders
    ......................... XXX-DC01 passed test KnowsOfRoleHolders
    Starting test: MachineAccount
    Warning: Attribute userAccountControl of XXX-DC01 is: 0x82020 = ( PASSWD_NOTREQD | SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
    Typical setting for a DC is 0x82000 = ( SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
    This may be affecting replication?
    ......................... XXX-DC01 passed test MachineAccount
    Starting test: NCSecDesc
    ......................... XXX-DC01 passed test NCSecDesc
    Starting test: NetLogons
    ......................... XXX-DC01 passed test NetLogons
    Starting test: ObjectsReplicated
    ......................... XXX-DC01 passed test ObjectsReplicated
    Starting test: Replications
    ......................... XXX-DC01 passed test Replications
    Starting test: RidManager
    ......................... XXX-DC01 passed test RidManager
    Starting test: Services
    ......................... XXX-DC01 passed test Services
    Starting test: SystemLog
    ......................... XXX-DC01 passed test SystemLog
    Starting test: VerifyReferences
    ......................... XXX-DC01 passed test VerifyReferences

    Running partition tests on : ForestDnsZones
    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test CrossRefValidation

    Running partition tests on : DomainDnsZones
    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test CrossRefValidation

    Running partition tests on : Schema
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation

    Running partition tests on : Configuration
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation

    Running partition tests on : gopa-int
    Starting test: CheckSDRefDom
    ......................... gopa-int passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... gopa-int passed test CrossRefValidation

    Running enterprise tests on : gopa-int.gopa.de
    Starting test: LocatorCheck
    ......................... gopa-int.gopa.de passed test LocatorCheck
    Starting test: Intersite
    ......................... gopa-int.gopa.de passed test Intersite

    Replication Summary Start Time: 2022-12-28 14:42:06

    Beginning data collection for replication summary, this may take awhile:
    .............

    Source DSA largest delta fails/total %% error
    xxx-DC01 06m:06s 0 / 5 0
    xxx-DC01 06m:09s 0 / 5 0
    xxx-DC01 01m:29s 0 / 5 0
    xxx-DC01 01m:28s 0 / 5 0
    xxx-DC01 06m:07s 0 / 5 0
    xxx-DC01 51m:09s 0 / 10 0
    xxx-DC01 01m:29s 0 / 5 0
    xxx-DC01 01m:29s 0 / 5 0
    xxx-DC01 50m:49s 0 / 25 0
    xxx-DC02 51m:09s 0 / 30 0

    Destination DSA largest delta fails/total %% error
    xxx-DC01 03m:04s 0 / 5 0
    xxx-DC01 12m:29s 0 / 5 0
    xxx-DC01 11m:53s 0 / 5 0
    xxx-DC01 10m:21s 0 / 5 0
    xxx-DC01 09m:53s 0 / 5 0
    xxx-DC01 50m:54s 0 / 10 0
    xxx-DC01 10m:46s 0 / 5 0
    xxx-DC01 11m:03s 0 / 5 0
    xxx-DC01 51m:09s 0 / 25 0
    xxx-DC02 46m:32s 0 / 30 0

    C:\Windows\system32>repadmin /queue

    Repadmin: running command /queue against full DC localhost
    Queue contains 0 items.

    Strangely enough, the servers that were affected are our remote session hosts, which have a few additional services disabled and a few software restrictions in place for domain users, but nothing too special (disabling powershell_ise, System Center notifications, shutdown.exe). Out of about 25 servers that are in the same root OU (with a few branching out just for desktop background and one or two user-oriented GPOs), only 10 were affected.

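A check for the question raised above (where to look for whether the root CA actually arrived on a given host), added here as an example and not part of either post: it reads the root CA certificates published in the AD Configuration partition (the Certification Authorities container under Public Key Services, which autoenrollment copies into each machine's enterprise Root store) and compares them with what the local machine holds, so it can be run on each of the roughly 25 session hosts to single out the ones that never received the root. It assumes a domain-joined host that can reach a DC over LDAP and uses only built-in PowerShell and the EnterpriseCertificates registry location that autoenrollment writes to.

```powershell
# Added example (not from the thread): compare root CAs published in AD with the local machine store.
# Assumes a domain-joined host that can reach a DC over LDAP; no extra modules required.

# 1. Locate the Configuration partition via RootDSE and open the Certification Authorities container.
$rootDse   = [ADSI]"LDAP://RootDSE"
$configNc  = $rootDse.Properties['configurationNamingContext'].Value
$container = [ADSI]"LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNc"

$published = @{}
foreach ($ca in $container.Children) {
    # cACertificate is multi-valued: one DER blob per CA certificate (a renewed CA keeps the old one too).
    foreach ($der in $ca.Properties['cACertificate']) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
        $published[$cert.Thumbprint] = $cert.Subject
    }
}

# 2. Read what is actually on this machine.
#    Cert:\LocalMachine\Root is the merged view; the copies pulled from AD by autoenrollment
#    live under the EnterpriseCertificates key, which is what lets us tell "never downloaded"
#    apart from "downloaded and later removed from the local store".
$local = @{}
Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $local[$_.Thumbprint] = $_.Subject }

$enterpriseKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
$enterprise = @()
if (Test-Path $enterpriseKey) {
    $enterprise = (Get-ChildItem $enterpriseKey).PSChildName   # each subkey name is a thumbprint
}

# 3. Report the delta. A thumbprint published in AD but absent locally is exactly the
#    condition described in the question.
$missing = @($published.Keys | Where-Object { -not $local.ContainsKey($_) })
if ($missing.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: all $($published.Count) AD-published root CA(s) present locally."
} else {
    foreach ($tp in $missing) {
        $inEnt = if ($enterprise -contains $tp) { 'yes' } else { 'no' }
        Write-Output "$env:COMPUTERNAME: MISSING $tp ($($published[$tp])); in EnterpriseCertificates key: $inEnt"
    }
}
```

Running certutil -pulse on an affected host afterwards triggers an autoenrollment pass, so the check can be repeated to see whether the root appears and, if not, which event the Certificate Services Client logs at that moment.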
