AD Enrollment failing after CA Migration when not removing existing server

Been a while since I posted. In that time I’ve moved home to Wellington and started a new job that’s a mix of Infrastructure Engineer, DevOps Engineer, and general jack of all trades. At my new job, the existing infrastructure was sorely in need of some TLC, and one of the things I had to tackle was replacing a 2008 R2 box that was serving as the sole DC, WSUS, and CA server among other things. For various reasons, I wasn’t able to migrate all the services off at once and do a big bang migration, so each service had to be done one at a time. After migrating the CA services over to a new 2016 box, everything was working great apart from AD auto-enrollment, which was failing with a fairly generic RPC connection error. TechNet and several CA migration guides talk about removing the source server from the domain as part of the process, but as the box still has other roles, this wasn’t possible. I strongly suspect this issue wouldn’t have cropped up if I had been able to remove the server from the domain, but what I did to solve the issue was this.

Open up ADSI Edit, connect to the Configuration naming context, navigate to “CN=Enrollment Services,CN=Public Key Services,CN=Services”, select the CA’s pKIEnrollmentService object, and change its dNSHostName attribute to the new server. After that AD enrollment worked perfectly. Hope this is useful to someone.
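The same fix done from PowerShell, as an added example that is not part of the original post: it lists every CA object under Enrollment Services, reports what dNSHostName currently points at, and only rewrites it when run with -Apply. It assumes the RSAT ActiveDirectory module, rights to write the Configuration partition (normally Enterprise Admins), and `$NewCaHost` is a placeholder for the new CA server’s FQDN.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and rights to write the Configuration partition (Enterprise Admins).
# $NewCaHost is a placeholder for the new CA server's FQDN.
param(
    [Parameter(Mandatory)] [string]$NewCaHost,   # e.g. "ca01.corp.example" (placeholder)
    [switch]$Apply                                # without -Apply this only reports
)
Import-Module ActiveDirectory

# Enrollment Services lives under the Configuration naming context.
$configNc = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

# Each CA published in AD is one pKIEnrollmentService object named after the CA.
$cas = Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                    -Properties dNSHostName, cACertificateDN

foreach ($ca in $cas) {
    Write-Host ("CA '{0}': dNSHostName = {1}" -f $ca.Name, $ca.dNSHostName)
    if ($ca.dNSHostName -eq $NewCaHost) {
        Write-Host '  already points at the new server'
        continue
    }
    if (-not $Apply) {
        Write-Host ("  would change to {0} (re-run with -Apply)" -f $NewCaHost)
        continue
    }
    # Print the old value first so the change can be reversed from the transcript.
    Write-Host ("  changing {0} -> {1}" -f $ca.dNSHostName, $NewCaHost)
    Set-ADObject -Identity $ca.DistinguishedName -Replace @{ dNSHostName = $NewCaHost }
}

# Check that the CA answers at its new address over RPC (certutil is built in).
foreach ($ca in $cas) {
    certutil -config ("{0}\{1}" -f $NewCaHost, $ca.Name) -ping
}
```

Run it once without -Apply to confirm the object and current value match what you see in ADSI Edit; after applying, `certutil -pulse` on a client triggers an auto-enrollment pass so you can confirm the RPC error is gone.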
