Why is autoenrollment only happening if initiated manually through the MMC?

We resolved the following case recently:

On our W2k8 R2 Domain Controllers, autoenrollment is not working even though all the permissions are correct and the CAs are allowed to issue the correct templates. The funny thing is that if we open the Certificates MMC snap-in, right-click the Certificates node and choose All Tasks/Automatically Enroll and Retrieve Certificates, we are able to enroll for the certificates.
Our W2k8 R2 member servers have no problems autoenrolling.

My colleague Jan (yes, the same Jan as before – busy as always) determined the following:

On Vista+ (Windows 7 and Windows Server 2008 R2) the autoenrollment functionality has been moved into Scheduled Tasks.

If you open up the Task Scheduler and expand down as follows:

Task Scheduler Library
    Microsoft
        Windows
            CertificateServicesClient

You’ll see 3 separate tasks related to autoenrollment:

SystemTask

Triggers autoenrollment on Group Policy Event ID 1502, on task modification, at system startup, and every 8 hours after that

UserTask

Triggers autoenrollment on Group Policy Event ID 1503, on task modification, at user logon, and every 8 hours after that

UserTask-Roam

Triggers autoenrollment on workstation lock and unlock events

If the Task Scheduler service is stopped or disabled, these autoenrollment triggers will never fire. It also means that MMC-initiated autoenrollment does not go through these tasks at all: it runs the autoenrollment logic directly, bypassing the Task Scheduler, which is why it still works when the service is disabled.

In our case, the customer was applying a Group Policy to the DCs which, among other things, disabled the Task Scheduler service. Once that setting was removed, autoenrollment started working for the DCs again.
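The following diagnostic is an added example and not part of the original post; it checks the Task Scheduler service's state and start mode, then lists the three CertificateServicesClient tasks through the Task Scheduler 2.0 COM interface (Schedule.Service), which is available on Vista+/2008 R2 without the newer ScheduledTasks module. Run it in an elevated PowerShell on the server that fails to autoenroll.

```powershell
# Added diagnostic (not from the original post): confirm the Task Scheduler
# service is running and inspect the autoenrollment tasks it hosts.

# 1. Service state. Win32_Service is used rather than Get-Service so that
#    StartMode is available on PowerShell 2.0 (the version on 2008 R2).
$svc = Get-WmiObject Win32_Service -Filter "Name='Schedule'"
"Task Scheduler service: State=$($svc.State) StartMode=$($svc.StartMode)"
if ($svc.StartMode -eq 'Disabled' -or $svc.State -ne 'Running') {
    Write-Warning "Task Scheduler is not running; the autoenrollment triggers will never fire."
    Write-Warning "Check the applied GPOs for System Services > Task Scheduler set to Disabled:"
    gpresult /scope computer /r
}

# 2. The three autoenrollment tasks. TASK_STATE values from the COM API.
$stateNames = @{ 0 = 'Unknown'; 1 = 'Disabled'; 2 = 'Queued'; 3 = 'Ready'; 4 = 'Running' }
$expected   = 'SystemTask', 'UserTask', 'UserTask-Roam'

$ts = New-Object -ComObject Schedule.Service
try {
    $ts.Connect()   # throws if the Schedule service is not running
    $folder = $ts.GetFolder('\Microsoft\Windows\CertificateServicesClient')
    $tasks  = @($folder.GetTasks(1))   # 1 = TASK_ENUM_HIDDEN, include hidden tasks
    foreach ($name in $expected) {
        $t = $tasks | Where-Object { $_.Name -eq $name }
        if (-not $t) { Write-Warning "Task '$name' is missing from the folder"; continue }
        "{0,-14} Enabled={1,-5} State={2,-8} LastRun={3} LastResult=0x{4:X8}" -f `
            $t.Name, $t.Enabled, $stateNames[[int]$t.State], $t.LastRunTime, [int]$t.LastTaskResult
    }
}
catch {
    Write-Warning "Could not query the Task Scheduler: $($_.Exception.Message)"
}
```

A healthy DC shows the service Running with StartMode Auto, all three tasks Enabled in state Ready, and a LastResult of 0x00000000; a LastRun of never, or a connect failure, points back at the service being stopped or disabled by policy.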

In short: parts of the OS rely on the Task Scheduler service, so it is not advisable to disable it.

Description of the scheduled tasks in Windows Vista
http://support.microsoft.com/kb/939039