Microsoft KB Archive/310461

= Problems occur when the Autoenrollment feature cannot reach an Active Directory domain controller =

Article ID: 310461

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows XP Professional
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition




This article was previously published under Q310461



SYMPTOMS
The following Event ID 15 error message entries are logged at 8-hour intervals in the application event log:

Event Type: Error

Event Source: AutoEnrollment

Event Category: None

Event ID: 15

Date: date

Time: time

User: N/A

Computer: computer name

Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed.



CAUSE
This problem may occur if the Autoenrollment feature cannot reach an Active Directory domain controller. In a Microsoft Windows NT 4.0 domain, Active Directory is not available. Therefore, the Autoenrollment feature cannot work. In an Active Directory domain that has Microsoft Windows 2000 or later domain controllers, the problem may be caused by a DNS name resolution issue or by a network connectivity issue.
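
The following added example (not part of the original Microsoft article) decodes the 0x8007054b value from the Event ID 15 description and checks whether the failures repeat on the 8-hour cycle described under SYMPTOMS. The event tuples, computer names and timestamps are constructed sample data, and the tuple layout is an assumed export format.

```python
import re
from datetime import datetime, timedelta

FACILITY_WIN32 = 7
# Win32 error 1355 (0x054B) is the code carried by the event in this article.
WIN32_NAMES = {0x054B: "ERROR_NO_SUCH_DOMAIN"}

DESC = ("Automatic certificate enrollment for local system failed to contact "
        "the active directory (0x8007054b). The specified domain either does "
        "not exist or could not be contacted. Enrollment will not be performed.")

# Constructed sample export: (timestamp, computer, source, event ID, description).
SAMPLE_EVENTS = [
    ("2007-12-03 01:00:12", "WKS01", "AutoEnrollment", 15, DESC),
    ("2007-12-03 09:00:15", "WKS01", "AutoEnrollment", 15, DESC),
    ("2007-12-03 17:00:11", "WKS01", "AutoEnrollment", 15, DESC),
    ("2007-12-03 10:30:00", "WKS02", "AutoEnrollment", 15, DESC),
    ("2007-12-03 10:31:00", "WKS02", "OtherSource", 1, "constructed unrelated entry"),
]

def decode_hresult(value):
    """Return (failed, facility, code) from a 32-bit HRESULT."""
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF

def triage(events, interval=timedelta(hours=8), slack=timedelta(minutes=10)):
    """Per computer: failure count, decoded cause, and whether it repeats every 8 hours."""
    hits = {}
    for stamp, host, source, event_id, desc in events:
        match = re.search(r"\(0x([0-9a-fA-F]{8})\)", desc)
        if source != "AutoEnrollment" or event_id != 15 or not match:
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        hits.setdefault(host, []).append((when, int(match.group(1), 16)))
    report = {}
    for host, rows in hits.items():
        rows.sort()
        failed, facility, code = decode_hresult(rows[-1][1])
        gaps = [later[0] - earlier[0] for earlier, later in zip(rows, rows[1:])]
        if failed and facility == FACILITY_WIN32:
            cause = WIN32_NAMES.get(code, "Win32 error %d" % code)
        else:
            cause = "HRESULT 0x%08X" % rows[-1][1]
        report[host] = {
            "count": len(rows),
            "cause": cause,
            # A single event cannot show a cadence, so it is not marked recurring.
            "recurring": bool(gaps) and all(abs(g - interval) <= slack for g in gaps),
        }
    return report
```

A computer that is reported as recurring with ERROR_NO_SUCH_DOMAIN is a candidate for the DNS and connectivity checks in the RESOLUTION section.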



RESOLUTION
If a Microsoft Windows XP-based computer or a Microsoft Windows Server 2003-based computer is joined to a Windows NT 4.0 domain, turn off the Autoenrollment feature in the Local Group Policy. To do this, follow these steps on the local workstation:
 * 1) Click Start, click Run, type gpedit.msc, and then press ENTER.
 * 2) In the left pane, expand Computer Configuration, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.
 * 3) Double-click Autoenrollment Settings.
 * 4) Click Do not enroll certificates automatically.
 * 5) Click OK.
 * 6) Repeat steps 2 through 5, but in step 2, expand User Configuration, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.
 * 7) Close the Group Policy window.

For a computer that is a member of a Windows 2000 or later Active Directory domain, make sure that the domain member has network connectivity with at least one domain controller.

After you have determined that you have good Internet Protocol (IP) connectivity between the member and a domain controller, correct the DNS address in the IP properties of the workstation. To do this, follow these steps:
 * 1) Start the Network Connections tool in Control Panel.
 * 2) Right-click Local Area Connection, and then click Properties.
 * 3) Click Internet Protocol (TCP/IP), and then click Properties.
 * 4) Type the correct DNS address in the Preferred DNS server box.
 * 5) Click OK.



MORE INFORMATION
For additional information about DNS configuration for Active Directory, click the following article number to view the article in the Microsoft Knowledge Base:

291382 Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS

Keywords: kbevent kberrmsg kbprb KB310461


© Microsoft Corporation. All rights reserved.