
Thread: Automatic certificate enrollment for local system failed

  1. #1
    Join Date
    Oct 2005

    Automatic certificate enrollment for local system failed

    Hi, in our office we had set up 2 domain controllers running Windows 2003 SP1. We did this a year ago. Out of these two, on the first domain we have installed the certificate service and configured certificate auto enrollment using Group Policy. So far it was working great without any issues or problems.

    But now, after a year, we started getting an error on the second domain, and this occurs every 8 hours. This is what I can see in the event viewer:
    Event Type: Error
    Event Source: AutoEnrollment
    Event Category: None
    Event ID: 13
    Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.
    Do you guys have any idea what could be the problem? Please help me fix this. Many thanks.

  2. #2
    Join Date
    Sep 2004
    Windows 2K3 Server with SP1 has introduced a few enhanced default security settings for the DCOM protocol that provide an administrator independent control over local and remote permissions for starting COM servers, activating COM server settings, and accessing COM servers. You can get more info and solutions about this at

  3. #3
    Join Date
    Feb 2009
    Naturally, if I try to add the CERTSVC_DCOM_ACCESS group using the method suggested in the Microsoft KB article (

    certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
    net stop certsvc
    net start certsvc

    I get the following error on each DC because I have no certificate services on those or on any other member server:

    C:\>certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
    CertUtil: -setreg command FAILED: 0x80070002 (WIN32: 2)
    CertUtil: The system cannot find the file specified.

    Every post I have read so far seems to assume that those with this problem *have* certificate services installed somewhere, and that isn't necessarily true. When Win2003 SP1 is installed, is it supposed to automatically add the CERTSVC_DCOM_ACCESS group to DCs regardless of whether there are any Cert Servers, or is it a pre-requisite of the service pack that I first have installed a Cert Server?

  4. #4
    Join Date
    May 2010

    Re: Automatic certificate enrollment for local system failed

    I am receiving a similar error, and also have not installed Certificate Services... Is this required? I would guess if I do not have it (CA) installed I would just communicate with my DC (between DC), non-encrypted.
