Strange DNS issues & Auto Enrollment Failing, EventID 13

I recently enabled certificate services on my two DCs, both running Windows 2003 Standard Server. Now I am receiving errors on all desktop machines saying:

Event Type:      Error
Event Source:      AutoEnrollment
Event Category:      None
Event ID:      13
Description:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied.

It also takes a long time (up to 4-5 minutes in some cases) at the Applying Personal Settings portion of a user logon. There are also other messages in the event log relating to being unable to contact a DC, or that the specified domain did not respond, etc., so I started digging through DNS to make sure it was configured correctly.

Here is my setup:
- DC1 and DC2 are set to use 127.0.0.1 in their TCP/IP network settings. The machines also both function as DHCP and DNS servers.
- The "006 DNS Servers" setting on both DHCP servers only has the internal IP addresses of both DCs.
- Under the Properties -> Forwarders tab of both DNS servers, the external IP addresses of my ISP's DNS servers are specified.

Now when I do an "ipconfig /all" from any machine using DHCP, it shows the external IP addresses for its DNS servers. If I give the machine [on which I just did the "ipconfig /all"] a static IP and specify the internal DNS server IPs and reboot, no errors show up in the event log whatsoever.

Shouldn't DHCP be giving the clients internal DNS server IPs and not external ones? And is this even related to the certificate auto enrollment issue? I assume it is because all those errors go away when I give the client machine a static IP.
alan2938 Asked:

Darius Ghassem Commented:
Router isn't DHCP enabled? Here are a couple of steps you can take to help troubleshoot two DHCP servers. First thing, disable both scopes on the DHCP servers and see if you can ipconfig /release and ipconfig /renew. Make sure the client has Automatic Retrieve on both IP Config and DNS IP addresses. See if you get an IP address with both DHCP servers off. Also, try on two different clients.

Both scopes have no external IP address listed on them.
0
 
Darius Ghassem Commented:
You must configure the DHCP scope option to give the clients the internal IP addresses of the DNS servers. Also, it is good practice not to give your DNS servers their own IP address as 127.0.0.1, which can cause problems. Also, for the primary DNS server for each server, put the DNS server IP address of the other DNS server. For example, DNS1 should have DNS2 as the primary DNS server. To fix the DHCP scope, go into DHCP and under scope options enter the two internal DNS servers in the scope options for your clients.
0
 
Darius Ghassem Commented:
Also, are both DHCP servers on the same subnet? You should only have one DHCP server per subnet because of IP conflicts.
0
alan2938 (Author) Commented:
See my setup above... the scopes of the DHCP servers are set to use the internal server addresses.

Both DHCP servers are on the same subnet, but one has the 101-150 pool and the other has 151-200 pool so they do not conflict. I will change the DNS TCP/IP settings for each DC to see if that helps.
0
 
Darius Ghassem Commented:
I understand that it has both internal DNS servers listed, but does it have the external DNS servers listed at all? If your DHCP scope is giving the DHCP clients the external DNS server IP address, then it must be listed somewhere in DHCP. Check DHCP.
0
 
Henrik Johansson (Systems engineer) Commented:
For the DCs, set them to use both DNS servers (not just itself or the other server).
Are the clients set to obtain the DNS address automatically? Even if you use automatic IP assignment, you can configure a static DNS setting.
Is the scope option set at server level with another value at scope level?

It could also be a GPO configuring the setting through 'Computer Configuration\Administrative Templates\Network\DNS Client\DNS Servers' overriding the DHCP settings. Run rsop.msc.
0
 
alan2938 (Author) Commented:
No, the DHCP scope only lists my two internal DNS servers.

Henjoh, when I do rsop.msc on both a client and the servers, there is no "Administrative Templates" under Computer Configuration. I inherited this network and I doubt that the people previous to me knew how to use GP to set DNS servers. Plus, we just switched to a new ISP about three weeks ago which included new DNS servers. Those new servers are the ones showing up on the client machines and no one has edited GP.
dhcp-scope.GIF
0
 
alan2938 (Author) Commented:
Thanks for the suggestion! I installed a new firewall last week and DHCP was turned on. That's how the clients were getting the external DNS settings!

But I have a separate, yet related issue to resolve regarding my reverse DNS zone now. Please take a look: http://www.experts-exchange.com/Networking/Protocols/DNS/Q_23518079.html

0
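The thread resolved to a DHCP server on the new firewall handing clients the ISP's DNS servers, and earlier comments also advised against a DC pointing its own DNS client at 127.0.0.1. Below is an added example (not from this thread or from Experts Exchange) that audits captured `ipconfig /all` output for both symptoms: it flags leases from a DHCP server outside the known set, DNS servers that are not the internal ones, and the loopback setting. The host names, addresses and ipconfig text are constructed for the example, and the trusted-server sets are assumptions you would replace with your own DCs.

```python
"""Audit `ipconfig /all` output for the two misconfigurations discussed in this thread:
DNS servers that are not the internal DNS servers (here, handed out by a DHCP server
that is not one of the DCs) and a DC pointing its own DNS client at 127.0.0.1.
Added example; the hosts, addresses and ipconfig text below are constructed."""
import re

# Constructed: the two DCs, which also run DNS and DHCP, as in the thread.
INTERNAL_DNS = {"192.168.1.10", "192.168.1.11"}
INTERNAL_DHCP = {"192.168.1.10", "192.168.1.11"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "Key . . . . : value" lines; the dots and spaces between key and colon are layout.
KV = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*?)\s*$")
# Additional DNS servers are printed on their own indented lines with no key.
CONT = re.compile(r"^\s+(" + IPV4 + r")\s*$")


def parse_ipconfig(text):
    """Extract DHCP/DNS facts for the first adapter in `ipconfig /all` output."""
    result = {"dhcp_enabled": False, "ip": None, "dhcp_server": None, "dns_servers": []}
    last_key = None
    for line in text.splitlines():
        m = KV.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2)
            last_key = key
            if key == "dhcp enabled":
                result["dhcp_enabled"] = value.lower().startswith("yes")
            elif key == "ip address":
                result["ip"] = value
            elif key == "dhcp server":
                result["dhcp_server"] = value
            elif key == "dns servers":
                result["dns_servers"] = [value] if value else []
            continue
        c = CONT.match(line)
        if c and last_key == "dns servers":
            result["dns_servers"].append(c.group(1))
    return result


def audit(cfg, trusted_dns=INTERNAL_DNS, trusted_dhcp=INTERNAL_DHCP):
    """Return a list of findings; an empty list means the host matches the intended setup."""
    findings = []
    if cfg["dhcp_enabled"] and cfg["dhcp_server"] not in trusted_dhcp:
        findings.append(f"lease issued by unexpected DHCP server {cfg['dhcp_server']}")
    if not cfg["dns_servers"]:
        findings.append("no DNS servers configured")
    for dns in cfg["dns_servers"]:
        if dns == "127.0.0.1":
            findings.append("DNS client points at 127.0.0.1 instead of the internal DNS servers")
        elif dns not in trusted_dns:
            findings.append(f"DNS server {dns} is not one of the internal DNS servers")
    return findings


# Constructed sample output, modelled on the Windows `ipconfig /all` layout.
ROGUE_CLIENT = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS-01

Ethernet adapter Local Area Connection:

   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.120
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       203.0.113.54
"""

DC_LOOPBACK = """\
Ethernet adapter Local Area Connection:

   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.10
   DNS Servers . . . . . . . . . . . : 127.0.0.1
"""

GOOD_CLIENT = """\
Ethernet adapter Local Area Connection:

   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.121
   DHCP Server . . . . . . . . . . . : 192.168.1.10
   DNS Servers . . . . . . . . . . . : 192.168.1.10
                                       192.168.1.11
"""

if __name__ == "__main__":
    for name, text in [("rogue client", ROGUE_CLIENT), ("DC", DC_LOOPBACK), ("good client", GOOD_CLIENT)]:
        problems = audit(parse_ipconfig(text))
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

The "DHCP Server" line is the useful one for this thread's root cause: a client whose lease came from an address that is not one of the DCs points straight at the extra DHCP server, which is quicker than disabling scopes one at a time.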