autoenrollment for domain controllers fail after service pack 1 install

We have a single windows domain and we are in the procees of moving to a windows server 2003 domain functional level. We have 3 windows server 2003 domain controllers, 2 have been in place ("bighill", and "yosemite" which is also the certificate authority) and the last one (angelscamp) I recently built to replace a 2000 server DC. I rolled out windows server 2003 service pack 1 to the 2 DC's that were in place and also to the new DC as I was preparing it. I promoted the new 2003 server to a DC and began recieving the follwoing error in the application log of the new DC

"Event Type:      Error
Event Source:      AutoEnrollment
Event Category:      None
Event ID:      13
Date:            4/25/2005
Time:            4:52:39 PM
User:            N/A
Computer:      ANGELSCAMP
Description:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp."

Obviously the new domain controller was contacting  the Certifiacte Authority to obtain a Domain Controller certificate and being denied access. I turned up the logging level for Autoenrollment on the DC and began revieving this error along with the previous one

"Event Type:      Warning
Event Source:      AutoEnrollment
Event Category:      None
Event ID:      17
Date:            4/25/2005
Time:            4:52:39 PM
User:            N/A
Computer:      ANGELSCAMP
Description:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate from certificate authority IT Dept Front Porch on yosemite.fpdomain.com (0x80070005).  Access is denied.
  Another certificate authority will be contacted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp."

The Certificate Authority is one of the DC's that recently upgraded to 2003 service pack 1 and has issued Domain Controller certificates in the past with no problem. I tried changing some permissions on the CA using the information from this article http://forums.techarena.in/showthread.php?t=37573 that suggested checking ACL's for "%system drive%\Documents and
Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" and also tried changing permissions for the certificate templates on the CA with no success, and I tried requsting the certificate from within the "Certificates" mmc on the new DC. I also tried to request a domain controller certificate for the other domain controller "Bighill" (which already has a domain controller certificate that was previously issued before the SP1 upgrade) by using the "certificates" mmc on BigHill and choosing "request certificate with the same key", this failed with the same "access denied" error. I finally removed windows server 2003 Service Pack 1 from the CA and the CA immediately issued the new Domain controller certificate. I want to keep our service packs up to date, however if certificates can't be issued then we have serious problem (it may be more than just domain controller certificates, we didn't try requesting any user certificates) . Any Ideas as to why our CA won't issue domain controller certificates with windows 2003 service pack 1 installed? Thanks in advance!