Windows Event IDs 6, 13, 82, & 10028: Cleaning up after the removal of a server that was hosting the Active Directory Certificate Services (AD CS) role

This post assumes that only one server was hosting the AD CS role and no certificates issued by this server are currently in use. If you have certificates in use, then please see the links at the bottom of the page.

The following items appear in Event Viewer with the same (or very close) timestamp, and events #10028 & #13 reference a server that no longer exists (highlighted in green in the 2nd and 4th screenshots that follow):

Event ID #6

Event ID #13

Event ID #82

Event ID #10028

This can happen when a Domain Controller or other Windows server hosting the Active Directory Certificate Services (AD CS) role is removed from the domain improperly. Sometimes this is unavoidable, for example if a server crashes. The solution is to remove the nonexistent server via Active Directory Sites and Services.

Step #1: Open Active Directory Sites and Services and show the “Services Node”

Select the top-most node in the tree, then click on ‘View’ and select ‘Show Services Node’

Step #2: Delete the offending (non-existent) server from the AIA, Enrollment Services, Certification Authorities, and KRA nodes

Note: it is absolutely critical that you do not delete any entries for servers that currently exist on the network!

Remove the non-existent server from the AIA node

Delete the non-existent server from the Enrollment Services node

Delete the non-existent server from the Certification Authorities node

Delete the non-existent server from the KRA node

Step #3: If no other AD CS servers exist on the network, then remove all Certificate Templates. If other AD CS servers exist, then skip this step.

Note: Seriously — do NOT do this part if any other AD CS servers exist on the network. You have been warned. If there are any other AD CS servers, they’ll show up when you remove the non-existent server in step #2.

Delete Certificate Templates

Step #4: Cleanup

Run the following commands from an elevated command prompt:

certutil -dcinfo deleteBad
gpupdate /force
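
Before deleting anything in step #2, the four nodes can be listed read-only to confirm which entries belong to the removed server and which belong to servers that still exist. This is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) on a domain-joined machine, and the host name 'OLD-CA01' is a placeholder.

```powershell
# Added example: read-only inventory of the AD CS objects from step #2.
# Nothing is deleted or modified.
Import-Module ActiveDirectory

# Assumption: placeholder for the removed server's host name; replace it.
$RemovedServer = 'OLD-CA01'

# The nodes shown by 'Show Services Node' live in the Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# The four nodes named in step #2.
$containers = 'AIA', 'Enrollment Services', 'Certification Authorities', 'KRA'

$report = foreach ($container in $containers) {
    Get-ADObject -SearchBase "CN=$container,$pkiBase" -SearchScope OneLevel `
                 -Filter * -Properties dNSHostName, whenChanged |
        ForEach-Object {
            # Only Enrollment Services entries carry dNSHostName; entries in
            # the other nodes are named after the CA, so match on name there.
            $hostName    = $_.dNSHostName
            $hasComputer = $null
            $resolves    = $null
            if ($hostName) {
                # Does a computer account still exist for this host?
                $hasComputer = [bool](Get-ADComputer -Filter "DNSHostName -eq '$hostName'")
                # Does the host name still resolve in DNS?
                $resolves = [bool](Resolve-DnsName -Name $hostName -ErrorAction SilentlyContinue)
            }
            [pscustomobject]@{
                Container       = $container
                Name            = $_.Name
                DnsHostName     = $hostName
                ComputerInAD    = $hasComputer
                ResolvesInDns   = $resolves
                MentionsRemoved = ($_.Name -like "*$RemovedServer*") -or
                                  ($hostName -like "$RemovedServer*")
                WhenChanged     = $_.whenChanged
                DN              = $_.DistinguishedName
            }
        }
}

# Entries with ComputerInAD or ResolvesInDns = True belong to a live server.
$report | Sort-Object Container, Name | Format-Table -AutoSize -Wrap
```

Any Enrollment Services entry other than the removed server's means another AD CS server exists, so step #3 must be skipped.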

Further Reading

How to Decommission a Windows Enterprise Certification Authority and How to Remove All Related Objects

How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003

Certificate enrollment fails with error: 0x800706ba the RPC server is unavailable

In my situation, this error was caused by insufficient permissions. Basically the “fix” was to make sure that the Authenticated Users and Domain Controllers groups were added to the Builtin/Certificate Service DCOM Access group and that the following groups: INTERACTIVE, Domain Users, and Authenticated Users were all members of the Builtin/Users group. For reference, this was happening on two Windows Server 2012 Domain Controllers — one was the CA and the other (the one that produced the error) was trying to request a new certificate.