Automatic certificate enrollment for local system failed

[criscent]

Sponsored Links

Hi, in our Office we had setup 2 domain controllers running with Windows 2003 SP1. We did this a year ago. Out of these two, on first domain have installed certificate service and configured Certificate auto enrollment using Group Policy. So far it was working great without any issues or problem.

But now, after a year, we started getting error on second domain and this occurs every 8 hours. This is what I can see in the event viewer:

Quote:

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Description:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.

Do you guys have any idea what could be the problem? Please help me fixing this out. Many thanks.

[Bauer's]

Windows 2K3 Server with SP1 has introduces few enhanced default security settings for the DCOM protocol that provides an administrator independent control over local and remote permissions for starting COM servers, activating COM server settings, and accessing COM servers. You can get more info and solutions about this at http://support.microsoft.com/kb/903220/en-us

[jmattern]

Naturally, if I try to add the CERTSVC_DCOM_ACCESS group using the method suggested in the Microsoft KB article (http://support.microsoft.com/kb/903220/en-us):

certutil –setreg SetupStatus –SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc

I get the following error on each DC because I have no certificate services on those or on any other member server:

C:\>certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
CertUtil: -setreg command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.

Every post I have read so far seems to assume that those with this problem *have* certificate services installed somewhere and that isn't necessarily true. When Win2003 SP1 is installed, is it supposed to automatically add the CERTSVC_DCOM_ACCESS groupto DCs regardless of whether there are any Cert Servers, or is it a pre-requisite of the service pack that I first have installed a Cert Server?

[schlesin]

I am receiving a similar error, and also have not installed Certificate Services... is this required.. I would guess if i do not have it (CA) installed I would just communicate with my DC (between DC), non-encrypted.