  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 315

autoenrollment for domain controllers fail after service pack 1 install

We have a single Windows domain and we are in the process of moving to a Windows Server 2003 domain functional level. We have 3 Windows Server 2003 domain controllers: 2 have been in place ("bighill", and "yosemite", which is also the certificate authority) and the last one (angelscamp) I recently built to replace a 2000 Server DC. I rolled out Windows Server 2003 Service Pack 1 to the 2 DCs that were in place and also to the new DC as I was preparing it. I promoted the new 2003 server to a DC and began receiving the following error in the application log of the new DC:

"Event Type:      Error
Event Source:      AutoEnrollment
Event Category:      None
Event ID:      13
Date:            4/25/2005
Time:            4:52:39 PM
User:            N/A
Computer:      ANGELSCAMP
Description:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp."

Obviously the new domain controller was contacting the Certificate Authority to obtain a Domain Controller certificate and being denied access. I turned up the logging level for Autoenrollment on the DC and began receiving this error along with the previous one:

"Event Type:      Warning
Event Source:      AutoEnrollment
Event Category:      None
Event ID:      17
Date:            4/25/2005
Time:            4:52:39 PM
User:            N/A
Computer:      ANGELSCAMP
Description:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate from certificate authority IT Dept Front Porch on yosemite.fpdomain.com (0x80070005).  Access is denied.
  Another certificate authority will be contacted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp."

The Certificate Authority is one of the DCs that was recently upgraded to 2003 Service Pack 1 and has issued Domain Controller certificates in the past with no problem. I tried changing some permissions on the CA using the information from this article http://forums.techarena.in/showthread.php?t=37573 that suggested checking ACLs for "%system drive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys", and also tried changing permissions for the certificate templates on the CA with no success, and I tried requesting the certificate from within the "Certificates" MMC on the new DC. I also tried to request a domain controller certificate for the other domain controller "Bighill" (which already has a domain controller certificate that was previously issued before the SP1 upgrade) by using the "Certificates" MMC on BigHill and choosing "request certificate with the same key"; this failed with the same "access denied" error. I finally removed Windows Server 2003 Service Pack 1 from the CA and the CA immediately issued the new Domain Controller certificate. I want to keep our service packs up to date; however, if certificates can't be issued then we have a serious problem (it may be more than just domain controller certificates, we didn't try requesting any user certificates). Any ideas as to why our CA won't issue domain controller certificates with Windows 2003 Service Pack 1 installed? Thanks in advance!
Asked by: fpodmain

1 Solution

Netman66 commented:
Try this at a CMD prompt:

1.      certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
2.      net stop certsvc
3.      net start certsvc

This is from the release notes over here: http://support.microsoft.com/kb/889101

Specifically, it mentions this in the section at the end under this heading: "Certificate Services: Effects of security enhancements to the DCOM protocol"

Advise.

Netman66 commented:
I should mention that these commands need to be run after the installation of SP1 - noted, since you removed it already.


fpodmain (Author) commented:
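The two comments above give the fix as three manual commands to be typed on the CA after SP1 is back in place. The script below is an added example, not code from the thread, from Netman66, or from Microsoft: it does the same work in a checkable order on the CA host, first listing the AutoEnrollment events with the access-denied HRESULT quoted in the question (Event IDs 13 and 17, result 0x80070005), then reading the CA's SetupStatus with `certutil -getreg` to see whether SETUP_DCOM_SECURITY_UPDATED_FLAG is still set, and only with `-Fix` running the accepted answer's sequence (clear the flag, restart Certificate Services). Assumptions: Windows PowerShell (Get-EventLog is not in PowerShell 7), the service name `CertSvc`, and that `certutil -getreg SetupStatus` decodes the set flags by name in its output; the meaning of the flag (clearing it makes the CA redo its DCOM security update at the next start) is taken from the KB 889101 section the answer cites.

```powershell
<#
  Added example for the KB 889101 / SP1 CA autoenrollment problem. Run on the CA
  from an elevated Windows PowerShell prompt. Without -Fix it only reports.
  Event IDs, source name and HRESULT below are the ones quoted in the question.
#>
[CmdletBinding()]
param(
    # Host whose Application log is read for AutoEnrollment failures (default: this CA).
    [string]$ComputerName = $env:COMPUTERNAME,
    # Apply the accepted answer's commands: clear the flag and restart CertSvc.
    [switch]$Fix
)

# 1. Triage: AutoEnrollment events 13 (error) / 17 (warning) carrying "0x80070005".
function Get-AutoEnrollmentDenials {
    param([string]$Computer = $env:COMPUTERNAME, [int]$Newest = 100)
    Get-EventLog -LogName Application -Source 'AutoEnrollment' -Newest $Newest `
                 -ComputerName $Computer -ErrorAction SilentlyContinue |
        Where-Object { ($_.EventID -in 13, 17) -and ($_.Message -match '0x80070005') } |
        Select-Object TimeGenerated, EventID,
            @{ Name = 'IssuingCA'; Expression = {
                # Event 17 names the CA it tried; event 13 does not.
                if ($_.Message -match 'from certificate authority (.+?) on (\S+)') {
                    "$($Matches[1]) on $($Matches[2])"
                } else { 'n/a' } } }
}

# 2. Check: is SETUP_DCOM_SECURITY_UPDATED_FLAG set in the CA's SetupStatus value?
#    Assumption: certutil -getreg prints the decoded flag names, so a text match is enough.
function Test-DcomSecurityUpdatedFlag {
    $out = (& certutil.exe -getreg SetupStatus 2>&1) | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg SetupStatus failed:`n$out" }
    return ($out -match 'SETUP_DCOM_SECURITY_UPDATED_FLAG')
}

# 3. Remediate: exactly the accepted answer's sequence. The leading "-" on the flag
#    name clears it; the service then redoes its DCOM security update on start.
function Repair-CaDcomSecurity {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('CertSvc', 'clear SETUP_DCOM_SECURITY_UPDATED_FLAG and restart')) {
        & certutil.exe -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'certutil -setreg SetupStatus failed' }
        Restart-Service -Name CertSvc -Force   # equivalent of "net stop" + "net start"
    }
}

$denials = @(Get-AutoEnrollmentDenials -Computer $ComputerName)
if ($denials.Count -gt 0) {
    Write-Host "AutoEnrollment access-denied events on ${ComputerName}:"
    $denials | Format-Table -AutoSize
} else {
    Write-Host "No AutoEnrollment 0x80070005 events found on ${ComputerName}."
}

if (Test-DcomSecurityUpdatedFlag) {
    Write-Host 'SetupStatus: SETUP_DCOM_SECURITY_UPDATED_FLAG is set; the CA will not redo its DCOM security update.'
    if ($Fix) {
        Repair-CaDcomSecurity
        Write-Host 'Flag cleared and CertSvc restarted. Re-run without -Fix to confirm the flag is gone.'
    } else {
        Write-Host 'Re-run with -Fix to apply the KB 889101 commands (clear flag, restart CertSvc).'
    }
} else {
    Write-Host 'SetupStatus: flag is clear; CertSvc applies its DCOM security update on the next start.'
}
```

The author's follow-up notes that enrollment did not succeed immediately after the commands and only worked some hours later; the script therefore reports the current flag state and the recent events rather than declaring the problem solved, so it can be re-run after replication has caught up to confirm that no new Event 13/17 entries with 0x80070005 are being written.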
I reinstalled SP1 and followed the commands from the KB article and that did the trick. I will certainly check the release notes in the future before a Service Pack install! I appreciate the help, as I have been banging my head on the table for about 3 days on this issue.

Just a note for anyone else in the same situation: after I issued the commands it still didn't work right away; I refreshed GP and replicated AD and it was still giving me the "access denied" error. I came back about 4 hours later and tried again and it was working, so something had to replicate. Again, thanks!!!

Netman66 commented:
No problem!