Mark Minasi's Reader Forum
 Auto certificate enrollment failing

rmoore@afsc.org
Posted - 06/13/2005 :  11:40:00 AM
On about half of my Windows 2003 Standard Edition DCs, I'm getting this error:
"Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied." Source = AutoEnrollment, ID = 13

It's paired with a nearly identical error:
"Automatic certificate enrollment for local system failed to renew one Domain Controller certificate (0x80070005). Access is denied." Source = AutoEnrollment, ID = 16

My other 2003 DCs and my two 2000 DCs are not having these errors. None of these DCs are brand new, all have been in operation without this error for months.

So far I haven't been able to solve it. It's been going on for a while now, and I haven't correlated it with any particular event or change. I've found the suggestion to change the permissions on C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys. I've found the suggestion to delete the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache and force a gpupdate. I've found a couple of other things, too, including running both NETDIAG and DCDIAG on the problem DCs (I ran them both on one problem DC and didn't come up with anything). Nothing has helped.

Any suggestions here?

Thanks,
Rob

Edited by - rmoore@afsc.org on 06/13/2005 11:48:28 AM

joe_elway
Posted - 06/14/2005 :  08:45:25 AM
Have you checked the permissions on the certificate template to see if the machines have enroll permissions?
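One way to answer joe_elway's question without clicking through the Certificate Templates MMC. This is an added example, not code from the thread: it reads the ACL of the Domain Controller template object from the Configuration partition and lists which principals hold the Enroll (and AutoEnroll) extended rights. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined machine and the built-in template CN "DomainController"; the two extended-right GUIDs are the well-known schema values. For a version 1 template like Domain Controller, Enroll is the right that matters, because its automatic enrollment is driven by the Automatic Certificate Request Settings policy rather than the AutoEnroll right.

```powershell
# Added example, not from the original thread.
# Lists who may enroll for a certificate template by reading its AD ACL.
# Assumes: ActiveDirectory module (RSAT), domain-joined machine.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs for certificate templates.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

function Get-TemplateEnrollers {
    param([string]$TemplateCN = 'DomainController')   # built-in CN of "Domain Controller"

    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $templateDN = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    $acl = Get-Acl -Path "AD:\$templateDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $right = $null
        if ($ace.ObjectType -eq $EnrollRight) {
            $right = 'Enroll'
        } elseif ($ace.ObjectType -eq $AutoEnrollRight) {
            $right = 'AutoEnroll'
        } elseif ($ace.ActiveDirectoryRights -match 'GenericAll' -or
                  ($ace.ActiveDirectoryRights -match 'ExtendedRight' -and $ace.ObjectType -eq [guid]::Empty)) {
            # Full control, or all extended rights, also implies Enroll.
            $right = 'All'
        }

        if ($right) {
            New-Object PSObject -Property @{
                Identity = $ace.IdentityReference.Value
                Right    = $right
            }
        }
    }
}

$enrollers = Get-TemplateEnrollers
$enrollers | Format-Table Identity, Right -AutoSize

# A DC enrolls as its own computer account, which is a member of
# DOMAIN\Domain Controllers; that group is the expected Enroll holder.
$dcEntry = $enrollers | Where-Object {
    $_.Identity -like '*\Domain Controllers' -and ($_.Right -eq 'Enroll' -or $_.Right -eq 'All')
}
if (-not $dcEntry) {
    Write-Warning 'Domain Controllers has no Enroll right on the DomainController template.'
}
```

If the Domain Controllers group shows up with Enroll here, as it did for Rob, the template ACL is not the cause and the 0x80070005 is coming from somewhere between the client and the CA rather than from the template.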

rmoore@afsc.org
Posted - 06/15/2005 :  11:09:04 AM
On the properties of the Domain Controller Certificate Template, Domain Controllers have the "Enroll" permission allowed.

The funny thing is that some of my DCs aren't having problems and others are.

Rob

joe_elway
Posted - 06/16/2005 :  03:19:10 AM
I guess you are using auto-enroll via GPO. It might be time to do some gpresult and GPMC diagnostics on the DCs not getting the certs. It might also be worthwhile running a DCDiag on an affected DC.

Edited by - joe_elway on 06/16/2005 03:28:13 AM

rmoore@afsc.org
Posted - 06/20/2005 :  10:12:59 AM
I found the answer. EventID.Net (which is a great resource, if you haven't discovered it yet) had several suggestions about this. One of them finally worked: I added the Domain Controllers group to the CERTSVC_DCOM_ACCESS group and restarted the MSDTC service on the DC which is in charge of certificates. The errors went away.

Rob
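The fix Rob found, as a scripted check-and-repair. This is an added example, not the thread's own steps verbatim: CERTSVC_DCOM_ACCESS is the group that Windows Server 2003 SP1's DCOM hardening uses to gate access to the CA's DCOM interfaces, and it is populated with Domain Users and Domain Computers by default; Domain Controllers is not a member of Domain Computers, which is why member servers enroll fine while DCs get 0x80070005. The script assumes the CA runs on a domain controller (so the group is a domain local group, as in Rob's case), the ActiveDirectory module on the CA host, WinRM remoting to the failing DC, and a placeholder DC name in `$AffectedDC`. The `certutil -setreg SetupStatus` step is Microsoft's documented way to make certsvc re-apply its DCOM ACL on the next start; the MSDTC restart is the step Rob reported.

```powershell
# Added example, not from the original thread. Run on the CA host as an admin.
# Assumes: CA on a domain controller (CERTSVC_DCOM_ACCESS is a domain local
# group), ActiveDirectory module, WinRM to the failing DC.
param([string]$AffectedDC = 'DC01')   # placeholder name, not from the thread

Import-Module ActiveDirectory

$dcomGroup = 'CERTSVC_DCOM_ACCESS'
$dcGroup   = 'Domain Controllers'

# 1. Check membership and add Domain Controllers if it is missing.
$members = Get-ADGroupMember -Identity $dcomGroup | Select-Object -ExpandProperty SamAccountName
if ($members -contains $dcGroup) {
    "$dcGroup is already a member of $dcomGroup"
} else {
    Add-ADGroupMember -Identity $dcomGroup -Members $dcGroup
    "Added $dcGroup to $dcomGroup"
}

# 2. Make certsvc re-apply its DCOM security on restart, then restart it,
#    and restart MSDTC as the thread did.
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG | Out-Null
Restart-Service -Name CertSvc -Force
Restart-Service -Name MSDTC   -Force

# 3. On the failing DC: force a policy refresh (Automatic Certificate
#    Request Settings enrollment runs on policy application), wait, and
#    look for fresh AutoEnrollment 13/16 errors. An empty result is success.
Invoke-Command -ComputerName $AffectedDC -ScriptBlock {
    gpupdate /force | Out-Null
    Start-Sleep -Seconds 60
    # Source is "AutoEnrollment" on Server 2003; on 2008 and later it is
    # "Microsoft-Windows-CertificateServicesClient-AutoEnrollment".
    Get-EventLog -LogName Application -Source AutoEnrollment -After (Get-Date).AddMinutes(-5) |
        Where-Object { 13,16 -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, Message
}
```

On a CA that is a member server rather than a DC, CERTSVC_DCOM_ACCESS is a local group instead, and the membership step becomes `net localgroup CERTSVC_DCOM_ACCESS "DOMAIN\Domain Controllers" /add` (or `Add-LocalGroupMember` on newer Windows); the certsvc restart and the verification on the DC are the same.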
Mark Minasi's Reader Forum © 2002-2011 Mark Minasi