Event IDs 70, 68, 67, 6 - CertificateServicesClient-CertEnroll
Since upgrading from a Windows Server 2003 certificate server to a 2012 R2 AD CS server, I have seen a few anomalies. It started on desktops, but I have seen it on servers also. It is a series of errors in the Application log:
70 - Certificate enrollment for Local system failed because no valid policy can be obtained from policy servers with ID {dffa2e01-d71f-4a3f-8414-2d5ab6eea4b4}
68 - Certificate enrollment for Local system failed in authentication to policy servers with ID {dffa2e01-d71f-4a3f-8414-2d5ab6eea4b4} (A specified logon session does not exist. It may have been terminated. 0x80070520 (WIN32: 1312))
67 - Certificate enrollment for Local system failed to load policy from policy servers with ID. A specified logon session does not exist. It may have been terminated. 0x80070520 (WIN32: 1312) ()
6 - Automatic certificate enrollment for Local system failed (0x80070520) A specified logon session does not exist. It may have been terminated.
It is followed by a Kerberos (Security-Kerberos) error 4 in the System log on the host. At that point it is impossible to log in to the server with a domain account. The resolution is to reboot the system, and we have been fortunate enough so far to have it happen off hours on servers.
During my research, there have been indications that this is related to time sync issues, but I have found no evidence of this. I won't rule it out completely, but the servers are virtualized and synced to the host, so if one is off, I would expect the host to be off along with the other servers.
I am curious what is referencing "policy servers ID {dffa2e01-d71f-4a3f-8414-2d5ab6eea4b4}"? I have searched the registry and ADSI Edit with no luck finding the GUID. If it refers to the old server, where is that information stored on the new server?
I hope to figure this out before a critical server experiences the issue during business hours.
So the Active Directory team blogged about this issue:
At least not one.
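
The pattern described in the post (CertEnroll events 70/68/67/6 close in time to a Security-Kerberos event 4) can be looked for on other hosts before they stop accepting domain logons. The PowerShell below is an added example, not part of the original post; the function name, the 10-minute window and the sample events are assumptions constructed for illustration.

```powershell
# Added example (not from the original post). Pairs CertEnroll failures with
# Security-Kerberos event 4 inside a time window so affected hosts stand out.
function Find-EnrollKerberosPair {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 10           # assumed correlation window
    )
    $enroll = @($Events | Where-Object {
        $_.ProviderName -like '*CertificateServicesClient-CertEnroll' -and
        $_.Id -in 70, 68, 67, 6 })
    $kerberos = @($Events | Where-Object {
        $_.ProviderName -like '*Security-Kerberos' -and $_.Id -eq 4 })

    foreach ($k in $kerberos) {
        # Enrollment failures on either side of the Kerberos error.
        $near = @($enroll | Where-Object {
            [math]::Abs(($_.TimeCreated - $k.TimeCreated).TotalMinutes) -le $WindowMinutes
        } | Sort-Object TimeCreated)
        if ($near.Count -eq 0) { continue }
        [pscustomobject]@{
            KerberosError     = $k.TimeCreated
            FirstEnrollFail   = $near[0].TimeCreated
            EnrollEventIds    = ($near.Id | Sort-Object -Unique) -join ','
            LogonSessionError = [bool]($near | Where-Object { $_.Message -match '0x80070520' })
        }
    }
}

# Constructed sample events (timestamps and messages are made up).
$t = [datetime]'2015-01-10T02:00:00'
$src = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'
$krb = 'Microsoft-Windows-Security-Kerberos'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t;               ProviderName = $src; Id = 70; Message = 'no valid policy' }
    [pscustomobject]@{ TimeCreated = $t.AddSeconds(1); ProviderName = $src; Id = 68; Message = 'auth failed 0x80070520' }
    [pscustomobject]@{ TimeCreated = $t.AddSeconds(2); ProviderName = $src; Id = 6;  Message = 'failed (0x80070520)' }
    [pscustomobject]@{ TimeCreated = $t.AddMinutes(3); ProviderName = $krb; Id = 4;  Message = 'constructed' }
    [pscustomobject]@{ TimeCreated = $t.AddHours(5);   ProviderName = $krb; Id = 4;  Message = 'constructed, unrelated' }
)
Find-EnrollKerberosPair -Events $sample | Format-List

# On a live host, feed real records from both logs instead of $sample:
# $live = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 70, 68, 67, 6 }) +
#         @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 4 })
# Find-EnrollKerberosPair -Events $live
```

Only the Kerberos error that falls within the window of the enrollment failures is reported; the one five hours later is ignored.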