数字证书过期不能更新证书。windows 2000域+exchange 2003。windows 2000 的dc，安装证书服务，exchange 2003 作为member server加入域，开始时从dc上正常申请了证书，现在exchange上的证书过期了，通过iis提交更新证书申请后，没反应，不能更新证书，在dc上通过http://localhost/certsrv访问，提示输入用户名等信息，输入域管理员administrator后提示无权访问。dc上证书服务正常启动。请问这是为啥？怎么解决？

回答：根据您的描述，我对您提出的问题的理解是：您的Exchange Server 2003不能从DC上更新证书。您看到的文章来自活动目录seo http://gnaw0725.blogbus.com/c1404551/
据我所知，我们能够通过组策略来自动更新域中所有客户端的证书：
1.  Open the Active Directory Users and Computers MMC snap-in.
2.  Right-click the site, domain, or OU that you want to configure Group Policy for, and then click Properties.
3.  Click the Group Policy tab, and then click Edit
4．Click User Configuration, Windows Settings, Security Settings, and finally Public Key Policies. In Object Type, right-click Autoenrollment Settings, and then click Properties.
5．Ensure that Enroll certificates automatically is selected as well as the two check boxes under this option. Automatic renewal, certificate cleanup, and publishing in Active Directory are only enabled with all options selected
- Renew expired certificates, update pending certificates, and remove revoked certificates
- Update certificate that use certificate templates
6．Click OK. Autoenrollment is now enabled.
7. Refresh Group Policy by executing the following command or waiting for the default refresh timeout to expire.
gpupdate.exe /force 您看到的文章来自活动目录seo http://gnaw0725.blogbus.com/c1404551/

How to Configure Group Policy to enable certificate autoenrollment
http://technet2.microsoft.com/WindowsServer/en/library/c367ca76-4976-4b97-84f1-cf5f589f30241033.mspx

赵莹(Ken Zhao) MCSE 2000 微软全球技术支持中心

证书更新自动注册的更多文章请参考
组策略自动分发电子邮件证书|活动目录域组策略配置证书自动注册活动目录SEO
域用户自动注册/更新个人证书活动目录SEO
DC报错EVENT ID13|ca证书服务器自动注册活动目录SEO
迁移证书服务器|替换重新部署2003企业根CA 活动目录SEO
企业CA证书服务器|两个不同角色的CA能否在AD中同时存在活动目录SEO

证书迁移|迁移企业CA证书服务器活动目录SEO
如何删除企业中不存在的根证书从活动目录AD中活动目录SEO
Vista不能安装证书活动目录SEO
web服务器ssl验证的证书过期了怎么办|iis证书更新活动目录SEO
http://www.googlesyndicatedsearch.com/u/blogbus?q=site:gnaw0725.blogbus.com+%E8%AF%81%E4%B9%A6&hl=zh-CN&newwindow=1&ie=UTF-8&start=20&sa=N
－－－gnaw0725