On about half of my Windows 2003 Standard Edition DCs, I'm getting this error: "Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied." Source = AutoEnrollment, ID = 13
It's paired with a nearly identical error: "Automatic certificate enrollment for local system failed to renew one Domain Controller certificate (0x80070005). Access is denied." Source = AutoEnrollment, ID = 16
My other 2003 DCs and my two 2000 DCs are not having these errors. None of these DCs are brand new, all have been in operation without this error for months.
So far I haven't been able to solve it. It's been going on for a while now, and I haven't correlated it with any particular event or change. I've found the suggestion to change the permissions on C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys. I've found the suggestion to delete the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache and force a gpupdate. I've found a couple of other things, too, including running both NETDIAG and DCDIAG on the problem DCs (I ran them both on one problem DC and didn't come up with anything). Nothing has helped.
Any suggestions here?
Edited by - firstname.lastname@example.org on 06/13/2005 11:48:28 AM
I found the answer. EventID.Net (which is a great resource, if you haven't discovered it yet) had several suggestions about this. One of them finally worked: I added the Domain Controllers group to the CERTSVC_DCOM_ACCESS group and restarted the MSDTC service on the DC which is in charge of certificates. The errors went away.
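A check-and-fix script for the condition this thread describes, added here as an example and not part of the original posts. It assumes an elevated PowerShell session on the CA host (in this thread a domain controller, so CERTSVC_DCOM_ACCESS is a domain local group that `net localgroup` can manage from that DC) and only changes anything when run with `-Apply`.

```powershell
# Added example, not from the original thread: detect the AutoEnrollment 13/16
# "Access is denied" (0x80070005) condition and apply the fix from the accepted answer.
# Assumption: run elevated on the CA host, which here is a DC, so the
# CERTSVC_DCOM_ACCESS group is visible to `net localgroup` on this machine.
param([switch]$Apply)   # without -Apply the script only reports

# 1. Detect: AutoEnrollment events 13 (enroll) and 16 (renew) carrying 0x80070005.
$bad = Get-EventLog -LogName Application -Source AutoEnrollment -Newest 500 -ErrorAction SilentlyContinue |
    Where-Object { ($_.EventID -eq 13 -or $_.EventID -eq 16) -and $_.Message -match '0x80070005' }
if ($bad) {
    Write-Host ("{0} access-denied autoenrollment event(s); latest at {1}" -f @($bad).Count, @($bad)[0].TimeGenerated)
} else {
    Write-Host 'No AutoEnrollment 13/16 access-denied events found.'
}

# 2. Check: is the Domain Controllers group already a member of CERTSVC_DCOM_ACCESS?
$members = & net localgroup CERTSVC_DCOM_ACCESS 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Host 'CERTSVC_DCOM_ACCESS not found on this host; run this on the CA server.'
    return
}
$dcsPresent = [bool]($members | Where-Object { $_ -match 'Domain Controllers\s*$' })
Write-Host ("Domain Controllers in CERTSVC_DCOM_ACCESS: {0}" -f $dcsPresent)

# 3. Fix (only with -Apply): add the group and restart MSDTC as in the answer above,
#    then force a Group Policy refresh so autoenrollment re-runs immediately.
if ($Apply -and -not $dcsPresent) {
    & net localgroup CERTSVC_DCOM_ACCESS "$env:USERDOMAIN\Domain Controllers" /add
    Restart-Service -Name MSDTC -Force
    & gpupdate /force
    Write-Host 'Fix applied; re-check the Application log for new AutoEnrollment events.'
}
```

Run it once without `-Apply` on each affected DC to confirm the symptom and the missing membership before changing anything.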