Naturally, if I try to add the CERTSVC_DCOM_ACCESS group using the method suggested in the Microsoft KB article (http://support.microsoft.com/kb/903220/en-us):
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc
I get the following error on each DC because I have no certificate services on those or on any other member server:
C:\>certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
CertUtil: -setreg command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.
Every post I have read so far seems to assume that those with this problem *have* certificate services installed somewhere and that isn't necessarily true. When Win2003 SP1 is installed, is it supposed to automatically add the CERTSVC_DCOM_ACCESS group to DCs regardless of whether there are any Cert Servers, or is it a pre-requisite of the service pack that I first have installed a Cert Server?