I recently enabled certificate services on my two DCs, both running Windows 2003 Standard Server. Now I am receiving errors on all desktop machines saying:
Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.
It also takes a long time (up to 4-5 minutes in some cases) at the Applying Personal Settings portion of a user logon. There are also other messages in the event log relating to being unable to contact a DC, or that the specified domain did not respond, etc., so I started digging through DNS to make sure it was configured correctly.
Here is my setup:
- DC1 and DC2 are set to use 127.0.0.1 in their TCP/IP network settings. The machines also both function as DHCP and DNS servers.
- The "006 DNS Servers" setting on both DHCP servers only has the internal IP addresses of both DCs.
- Under the Properties -> Forwarders tab of both DNS servers, the external IP addresses of my ISP's DNS servers are specified.
Now when I do an "ipconfig /all" from any machine using DHCP, it shows the external IP addresses for its DNS servers. If I give the machine [on which I just did the "ipconfig /all"] a static IP and specify the internal DNS server IPs and reboot, no errors show up in the event log whatsoever.
Shouldn't DHCP be giving the clients internal DNS server IPs and not external ones? And is this even related to the certificate auto enrollment issue? I assume it is because all those errors go away when I give the client machine a static IP.
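As an added example (not part of the original post), the script below turns the "ipconfig /all" check described above into something that can be run across the desktops: it parses the XP / Server 2003 style output and, for every DHCP-enabled adapter, flags DNS servers that are not the internal DCs and leases that did not come from one of the known DHCP servers (a second, misconfigured or rogue DHCP server on the LAN would show up there). A domain member that is handed only the ISP's resolvers cannot look up the _ldap._tcp.dc._msdcs SRV records it needs to find a DC, which is why confirming what the client actually received is the first step. The DC addresses 192.168.1.10/11, the resolver addresses 203.0.113.53/54 and the sample ipconfig text are constructed for illustration, not taken from the post.

```python
"""Flag DHCP clients that were handed external DNS servers (added example).

Parses the text of ``ipconfig /all`` (Windows XP / Server 2003 layout) and
checks each DHCP-enabled adapter against the expected internal servers.
"""
import re
import subprocess
import sys

# Assumed values for illustration: both DCs act as DNS and DHCP servers.
INTERNAL_DNS = {"192.168.1.10", "192.168.1.11"}
INTERNAL_DHCP = {"192.168.1.10", "192.168.1.11"}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# "Key . . . . : value" lines: the key never contains a colon and at least
# one dot of padding always precedes the colon in ipconfig output.
KEY_LINE = re.compile(r"^(?P<key>[^:]*?)\s*(?:\.\s*)+:\s*(?P<value>.*)$")

# Constructed sample of a DHCP client that received the ISP's resolvers.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WS01
        Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example
        Physical Address. . . . . . . . . : 00-0C-29-12-34-56
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.57
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.10
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            203.0.113.54
        Lease Obtained. . . . . . . . . . : Monday, January 01, 2007 8:00:00 AM
"""


def parse_ipconfig(text):
    """Return a list of adapters: {'name', 'dhcp', 'dhcp_server', 'dns'}."""
    adapters, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        # Adapter headers are unindented and end with a colon.
        if not line[0].isspace() and line.endswith(":"):
            current = {"name": line[:-1], "dhcp": False,
                       "dhcp_server": None, "dns": []}
            adapters.append(current)
            last_key = None
            continue
        if current is None:  # lines of the global "Windows IP Configuration" block
            continue
        m = KEY_LINE.match(line.strip())
        if m:
            key = " ".join(m.group("key").split()).lower()  # "Dhcp"/"DHCP" both seen
            value = m.group("value").strip()
            last_key = key
            if key == "dhcp enabled":
                current["dhcp"] = value.lower().startswith("yes")
            elif key == "dhcp server":
                current["dhcp_server"] = value
            elif key == "dns servers" and IPV4.match(value):
                current["dns"].append(value)
        elif last_key == "dns servers" and IPV4.match(line.strip()):
            # Second and later DNS servers continue on indented lines with no key.
            current["dns"].append(line.strip())
    return adapters


def check_adapters(adapters, internal_dns=INTERNAL_DNS, internal_dhcp=INTERNAL_DHCP):
    """Return (adapter name, problem) pairs for DHCP-configured adapters."""
    problems = []
    for a in adapters:
        if not a["dhcp"]:
            continue  # statically configured; not what the question is about
        if a["dhcp_server"] and a["dhcp_server"] not in internal_dhcp:
            problems.append((a["name"], "lease came from unexpected DHCP server %s"
                             % a["dhcp_server"]))
        if not a["dns"]:
            problems.append((a["name"], "no DNS servers assigned"))
        for ip in a["dns"]:
            if ip not in internal_dns:
                problems.append((a["name"], "DNS server %s is not an internal DC" % ip))
    return problems


def main():
    if sys.platform == "win32":
        text = subprocess.run(["ipconfig", "/all"], capture_output=True,
                              text=True, errors="replace", check=True).stdout
    else:
        text = SAMPLE_IPCONFIG  # offline demonstration on other platforms
    problems = check_adapters(parse_ipconfig(text))
    for name, problem in problems:
        print("%s: %s" % (name, problem))
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

When the script reports external resolvers on a client, the next place to look is the DHCP server itself rather than the client: option 006 can be set at the server level, the scope level or on a reservation, and the more specific level wins, so the list shown under Scope Options is not necessarily what a client gets. On Server 2003, "netsh dhcp server \\DC1 show optionvalue" lists the server-level options and "netsh dhcp server \\DC1 scope 192.168.1.0 show optionvalue" the scope-level ones (scope address assumed here). A lease whose DHCP Server field is not one of the DCs points instead at another DHCP server answering on the segment.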