Solved

Strange DNS issues & Auto Enrollment Failing, EventID 13

Posted on 2008-06-25
Last Modified: 2011-10-19
I recently enabled certificate services on my two DCs, both running Windows 2003 Standard Server. Now I am receiving errors on all desktops machines saying:

Event Type:      Error
Event Source:      AutoEnrollment
Event Category:      None
Event ID:      13
Description:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied.

It also takes a long time (up to 4-5 minutes in some cases) at the Applying Personal Settings portion of a user logon. There are also other messages in the event log relating to being unable to contact a DC, or that the specified domain did not respond, etc., so I started digging through DNS to make sure it was configured correctly.

Here is my setup:
- DC1 and DC2 are set to use 127.0.0.1 in their TCP/IP network settings. The machines also both function as DHCP and DNS servers.
- The "006 DNS Servers" setting on both DHCP servers only has the internal IP addresses of both DCs.
- Under the Properties -> Forwarders tab of both DNS servers, the external IP addresses of my ISP's DNS servers are specified.

Now when I do an "ipconfig /all" from any machine using DHCP, it shows the external IP addresses for its DNS servers. If I give the machine [on which I just did the "ipconfig /all"] a static IP and specify the internal DNS server IPs and reboot, no errors show up in the event log whatsoever.

Shouldn't DHCP be giving the clients internal DNS server IPs and not external ones? And is this even related to the certificate auto enrollment issue? I assume it is because all those errors go away when I give the client machine a static IP.
Question by:alan2938
LVL 59

Expert Comment

by:Darius Ghassem
You must configure the DHCP scope option to give the clients the DNS servers that are internal IP addresses. Also, it is good practice not to give your DNS servers their own IP address as 127.0.0.1, which can cause problems. Also, for the primary DNS server for each server, put the DNS server IP address of the other DNS server. For example, DNS1 should have DNS2 as the primary DNS server. To fix the DHCP scope, go into DHCP and under scope options enter the two internal DNS servers in the scope options for your clients.
LVL 59

Expert Comment

by:Darius Ghassem
Also, are both DHCP servers on the same subnet? You should only have one DHCP server per subnet because of IP conflicts.
LVL 1

Author Comment

by:alan2938
See my setup above... the scope of the DHCP servers is set to use the internal server addresses.

Both DHCP servers are on the same subnet, but one has the 101-150 pool and the other has 151-200 pool so they do not conflict. I will change the DNS TCP/IP settings for each DC to see if that helps.
LVL 59

Expert Comment

by:Darius Ghassem
I understand that it has both internal DNS servers listed, but does it have the external DNS servers listed at all? If your DHCP scope is giving the DHCP clients the external DNS server IP address then it must be listed somewhere in DHCP. Check DHCP.
LVL 31

Expert Comment

by:Henrik Johansson
For the DCs, set them to use both DNS servers (not just itself or the other server).
Are the clients set to obtain DNS addresses automatically? Even if you use automatic IP assignment, you can configure static DNS settings.
Is the scope option set on server level and another value on scope level?

It could also be a GPO configuring the setting through 'Computer Configuration\Administrative Templates\Network\DNS Client\DNS Servers' overriding the DHCP settings. Run rsop.msc
LVL 1

Author Comment

by:alan2938
No, the DHCP scope only lists my two internal DNS servers.

Henjoh, when I do rsop.msc on both a client and the servers, there is no "Administrative Templates" under Computer Configuration. I inherited this network and I doubt that the people previous to me knew how to use GP to set DNS servers. Plus, we just switched to a new ISP about three weeks ago which included new DNS servers. Those new servers are the ones showing up on the client machines and no one has edited GP.
[Attachment: dhcp-scope.GIF]
LVL 59

Accepted Solution

by: Darius Ghassem (earned 500 total points)
Router isn't DHCP enabled? Here are a couple of steps you can take to help troubleshoot two DHCP servers. First thing, disable both scopes on the DHCP servers and see if you can ipconfig /release and ipconfig /renew. Make sure the client has Automatic Retrieve on for both the IP config and the DNS IP addresses. See if you get an IP address with both DHCP servers off. Also, try on two different clients.

Both scopes have no external IP address listed on them.
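The check behind this answer (look at what `ipconfig /all` reports and compare the DHCP server and DNS servers against the ones you actually run) can be scripted so it is repeatable across many clients. The following is an added example, not code from this thread: it parses saved `ipconfig /all` output and flags any DHCP-enabled adapter whose lease came from a DHCP server that is not on the authorized list, or whose DNS servers are not the internal DCs, which is exactly the symptom described in the question (a second DHCP server handing out the ISP's DNS addresses). The sample output, host name and every address in it are constructed; `INTERNAL_DNS` and `AUTHORIZED_DHCP` are assumed values to replace with your own DC addresses.

```python
import re

# Constructed sample of "ipconfig /all" output (Windows XP/2003 field names),
# trimmed to the fields this check reads. Addresses are placeholders, not
# values from the original thread.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WS-042
        Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.137
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            203.0.113.54
        Lease Obtained. . . . . . . . . . : Wednesday, June 25, 2008 8:02:11 AM

Ethernet adapter Wireless Network Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.160
        DHCP Server . . . . . . . . . . . : 192.168.1.11
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            192.168.1.11
"""

# Assumed values: the two DCs that run DNS and DHCP (replace with your own).
INTERNAL_DNS = {"192.168.1.10", "192.168.1.11"}
AUTHORIZED_DHCP = {"192.168.1.10", "192.168.1.11"}

# "Key . . . . : value" lines; the key is letters/spaces/hyphens, the dots are
# padding. Continuation lines (a second DNS server) carry no colon.
KEY_RE = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {section name: {lower-cased field name: [values]}}.

    Sections are the unindented headers ("Windows IP Configuration",
    "Ethernet adapter ..."); a value that wraps onto following indented lines
    without a colon is appended to the field before it.
    """
    sections = {}
    current = None
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = sections.setdefault(line.strip().rstrip(":"), {})
            last_key = None
            continue
        if current is None:
            continue
        m = KEY_RE.match(line)
        if m:
            last_key = m.group(1).strip().lower()
            value = m.group(2).strip()
            current.setdefault(last_key, [])
            if value:
                current[last_key].append(value)
        elif last_key:
            current[last_key].append(line.strip())
    return sections


def audit(text, internal_dns, authorized_dhcp):
    """List (adapter, problem, address) for every DHCP-enabled adapter whose
    lease source or DNS servers are not the ones we expect."""
    findings = []
    for adapter, fields in parse_ipconfig(text).items():
        if fields.get("dhcp enabled", [""])[0].lower() != "yes":
            continue  # static adapters are not affected by a rogue DHCP server
        for server in fields.get("dhcp server", []):
            if server not in authorized_dhcp:
                findings.append((adapter, "unauthorized DHCP server", server))
        for server in fields.get("dns servers", []):
            if server not in internal_dns:
                findings.append((adapter, "non-internal DNS server", server))
    return findings


if __name__ == "__main__":
    for adapter, problem, address in audit(SAMPLE_IPCONFIG, INTERNAL_DNS, AUTHORIZED_DHCP):
        print(f"{adapter}: {problem}: {address}")
```

On a real client, save `ipconfig /all > ipconfig.txt` and feed the file's contents to `audit()`. The "DHCP Server" field is the one that matters most: it names the device that answered the lease, so an address that is not one of your DCs points straight at the extra DHCP server (here, the firewall) rather than at the scope options, which were correct all along.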
LVL 1

Author Comment

by:alan2938
Thanks for the suggestion! I installed a new firewall last week and DHCP was turned on. That's how the clients were getting the external DNS settings!

But I have a separate, yet related issue to resolve regarding my reverse DNS zone now. Please take a look: http://www.experts-exchange.com/Networking/Protocols/DNS/Q_23518079.html
