MCSF (asker):

I am getting a Domain Controller Certificate AutoEnrollment error during bootup.

I am getting this error in the Event Viewer every time I reboot the DC. I added the 'Domain Controllers' group to 'CERTSVC_DCOM_ACCESS' and then ran the following commands:

1. certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
2. net stop certsvc
3. net start certsvc

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date:  7/18/2008
Time:  11:04:21 AM
User:  N/A
Computer: DC1
Description:
Automatic certificate enrollment for local system failed to enroll for
one Domain Controller Authentication certificate (0x80070005).  Access
is denied.

Whatever I try I can't seem to clear this error up. Please help! Thank you...
Topics: Active Directory, Windows Server 2003
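The three steps in the question (put Domain Controllers in CERTSVC_DCOM_ACCESS, clear SETUP_DCOM_SECURITY_UPDATED_FLAG, restart certsvc) are the KB 903220 procedure for this 0x80070005. The PowerShell below is an added example written for this page, not code from the thread or from Microsoft: it checks every prerequisite the thread ends up touching (group membership, DCOM enabled, the SetupStatus flag, MachineKeys permissions, a DCOM ping of the CA) before re-applying the fix. The CA config string DC1\mcdc1 is taken from the certutil -cainfo output posted later in the thread, and the MachineKeys path is the Windows Server 2003 location; both are assumptions to adjust for your own servers.

```powershell
# Added example (not from the thread): audit the DCOM prerequisites behind
# AutoEnrollment Event ID 13 / 0x80070005 on a Windows Server 2003 CA, then
# re-apply them the way KB 903220 describes. Run as an administrator on the CA.
# "DC1\mcdc1" is the host\CA name from the thread's certutil -cainfo output;
# treat it as a placeholder for your own <host>\<CA name>.
param(
    [string]$CaConfig = 'DC1\mcdc1',
    [switch]$Apply    # without -Apply the script only reports
)

function Test-CertSvcDcom {
    param([string]$CaConfig)
    $ok = $true

    # 1. CERTSVC_DCOM_ACCESS membership. KB 903220 expects Domain Controllers
    #    in it; Domain Users / Domain Computers are needed for client enrollment.
    $members = & net localgroup CERTSVC_DCOM_ACCESS 2>&1 | Out-String
    foreach ($g in 'Domain Controllers', 'Domain Users', 'Domain Computers') {
        if ($members -notmatch [regex]::Escape($g)) {
            Write-Warning "CERTSVC_DCOM_ACCESS is missing $g"
            $ok = $false
        }
    }

    # 2. DCOM itself must be enabled (Component Services > My Computer >
    #    Default Properties > "Enable Distributed COM on this computer").
    $ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
    if ($ole.EnableDCOM -ne 'Y') { Write-Warning 'DCOM is disabled'; $ok = $false }

    # 3. SETUP_DCOM_SECURITY_UPDATED_FLAG: while this bit is set, certsvc does
    #    not rewrite its DCOM security settings at start-up, so an orphaned SID
    #    in "Edit Limits" (what Microsoft found on the SubCA in this thread)
    #    survives every restart.
    $status = & certutil -getreg SetupStatus 2>&1 | Out-String
    if ($status -match 'SETUP_DCOM_SECURITY_UPDATED_FLAG') {
        Write-Host 'SETUP_DCOM_SECURITY_UPDATED_FLAG is set; DCOM ACLs will not be rewritten'
    }

    # 4. Permissions on the machine key store (the asker also had to fix these).
    #    Path is the Windows Server 2003 location (assumption for newer OSes).
    $keys = Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA\MachineKeys'
    & cacls $keys

    # 5. Can this box reach the CA over DCOM at all? An "Access is denied" here
    #    is the same 0x80070005 that autoenrollment logs.
    & certutil -config $CaConfig -ping | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil -ping $CaConfig failed (exit code $LASTEXITCODE)"
        $ok = $false
    }
    return $ok
}

function Repair-CertSvcDcom {
    # Clearing the flag makes certsvc re-apply its DCOM security settings
    # (including CERTSVC_DCOM_ACCESS in the access/launch limits) on its next
    # start, per KB 903220.
    & certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
    & net stop certsvc
    & net start certsvc
}

$healthy = Test-CertSvcDcom -CaConfig $CaConfig
if (-not $healthy -and $Apply) {
    Repair-CertSvcDcom
    Test-CertSvcDcom -CaConfig $CaConfig | Out-Null
}
```

Run it once on the CA and once on the failing DC or client (step 5 is the one that matters remotely); if the ping fails from a client while the local checks pass, look at the DCOM limits on the CA in Component Services, which is where this thread's fault finally turned up.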

Darius Ghassem:

MCSF (asker):
Yes, recently I virtualized one of our DCs. I backed up the CA, demoted the DC with DCPromo, and then promoted the virtualized DC and reinstalled the Root CA. I also reinstalled DNS, DHCP and WINS.

I did go through both of those links, and one thing I was missing was the Domain Controllers group in the 'CERTSVC_DCOM_ACCESS' group. I also did not have Full Control permissions for the MachineKeys subdirectory. I made both changes, ran the certutil setreg command, and then stopped and started the certutil services. After that I did a reboot, and still no luck.

I did notice I cannot request a certificate on clients, as it says the service is either stopped or I don't have permissions.

I see the CA Exchange (CA Exchange) certificate is expired and I don't know how to renew it.

Do you have any suggestions on what to try next?

Thank you.
Do the clients and the DCs have the new DNS IP address listed under their TCP/IP settings? Do you have any other errors? Are there A, SOA, and SRV records for this domain? Here are some more links with the same error as yours. I attached another for the certificate fix for the Exchange.

http://support.microsoft.com/kb/903220

http://www.eggheadcafe.com/forumarchives/windowsserveractive_directory/nov2005/post24730086.asp

https://www.experts-exchange.com/questions/23445318/Expired-CA-certificate-needs-to-be-renewed-or-reissued.html
Sorry I didn't mean to attach the MS article.
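The A, SOA and SRV records Darius asks about are what DC location and Kerberos depend on, and a DC that was rebuilt with the same name (as in this thread) can easily be missing its SRV entries on one of the two DNS servers. The script below is an added example for this page, not from the thread: it queries each DNS server for the SOA, the DCs' A records and the DC-locator SRV records, and warns when an SRV answer does not name every DC. The domain it.lan and the addresses 10.10.1.102 / 10.10.1.104 are taken from the ipconfig /all output posted further down and are placeholders for your own environment.

```powershell
# Added example (not from the thread): check the DNS records a domain
# controller needs, on every DNS server the DCs point at. Domain, DC names and
# server addresses are taken from the ipconfig /all posted in this thread and
# are assumptions to replace with your own.
$Domain     = 'it.lan'
$DcNames    = 'DC1', 'DC2'
$DnsServers = '10.10.1.102', '10.10.1.104'

# SRV records used by DC location (DsGetDcName) and Kerberos.
$SrvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain"
)

function Get-SrvTargets {
    # Returns the "svr hostname" targets nslookup prints for one SRV name.
    param([string]$Name, [string]$Server)
    $out = & nslookup -type=SRV $Name $Server 2>&1 | Out-String
    [regex]::Matches($out, 'svr hostname\s*=\s*(\S+)') |
        ForEach-Object { $_.Groups[1].Value.TrimEnd('.').ToLower() }
}

foreach ($srv in $DnsServers) {
    Write-Host "=== DNS server $srv ==="
    & nslookup -type=SOA $Domain $srv 2>&1 | Out-String | Write-Host
    foreach ($dc in $DcNames) {
        & nslookup -type=A "$dc.$Domain" $srv 2>&1 | Out-String | Write-Host
    }

    foreach ($name in $SrvNames) {
        $targets = @(Get-SrvTargets -Name $name -Server $srv)
        Write-Host "$name -> $($targets -join ', ')"
        # The pdc record is expected to name only the PDC emulator.
        if ($name -like '*pdc*') { continue }
        foreach ($dc in $DcNames) {
            $fqdn = "$dc.$Domain".ToLower()
            if ($targets -notcontains $fqdn) {
                Write-Warning "$name on $srv does not list $fqdn"
            }
        }
    }
}

# If records are missing, re-register them from each DC (the steps Darius
# suggests below) and run this script again:
#   ipconfig /flushdns
#   ipconfig /registerdns
#   net stop netlogon
#   net start netlogon
```

The Netlogon restart is what re-registers a DC's own SRV records; ipconfig /registerdns only refreshes the host's A record.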
MCSF (asker):
Darius, I have two domain controllers, and both have the primary DNS pointing to themselves and the secondary set to point to the other. They both have an SOA and A record, but I am not sure what an SRV record is.

The only difference between DC1 and DC2 is that the server I virtualized into VMware is holding the FSMO roles; beyond that they are identical.

I ran REPADMIN, DCDIAG, NETDIAG and NSLOOKUP. Basically I am running everything I can find, and it all seems to check out OK with no errors.

Also one more thing. The only computer that is able to request a certificate is the Subordinate CA, which is on DC2. DC1 and none of the clients can request a certificate. I get the error that either the CA service isn't started or I don't have permissions. The service is started, so that isn't the issue.

Here are some screenshots of what I see happening, if that helps at all.

The first is the Event Viewer that shows the error. It happens every 8 hours, but it shows twice, about 10 seconds apart.

The second is the actual error.

The third is the CA snap-in. I don't know what the "CA Exchange (CAExchange)" certificate is or what it does, but it's expired. As far as functionality goes, everything works fine, from logging into the domain to Exchange working. Also OWA works fine, but it's a 3rd-party certificate. This might have nothing to do with anything, but I just wanted to point it out also.

The fourth screenshot shows the expired certificate, which is the dc1-xchg.


Attachments: Event-Viewer-a.jpg, Event-Viewer-Error-a.jpg, CA-MMC-a.jpg, Expired-Certificate-a.jpg
Is DCOM running?

In the Start menu, choose Programs, Administrative Tools, Component Services.
Then expand Component Services, Computers, and open the properties of My Computer.
On the Default Properties tab, check "Enable Distributed COM on this computer".
MCSF (asker):
Yes "Enable Distributed COM on this computer" is checked. The second option "Enable COM Internet Services on this computer" is NOT checked.
MCSF (asker):
Darius, something new that I have been missing. I started going through the entire Event Viewer logs, and under "DNS Server" on the DC with the issues I get this error every time I reboot. It never shows up at any other time, only on a reboot.
Attachment: dns-a.jpg
Do you have more than one NIC on the servers?
MCSF (asker):
It's just one NIC and it's virtual (VMWare 3.5) so physically it's just a passthrough on the HP chassis to an external switch. It does look just like a normal NIC to windows though. Physically the hardware is fine since we run several file servers across all the blades with VMotion without any issues.

When we migrated to VMWare on blades someone said don't image and migrate the DC's so I built them from scratch.

Thank you for the help so far. With the questions you ask I keep googling and finding new things but nothing that will fix this issue yet.
Can you do an ipconfig /all for me on both DCs and post?
MCSF (asker):
Here's the information:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC1
   Primary Dns Suffix  . . . . . . . : it.lan
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : it.lan

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
   Physical Address. . . . . . . . . : 00-50-54-BD-4B-C7
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.10.1.102
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.10.1.254
   DNS Servers . . . . . . . . . . . : 10.10.1.102
                                       10.10.1.104
   Primary WINS Server . . . . . . . : 10.10.1.102
   Secondary WINS Server . . . . . . : 10.10.1.104

----------------------------------------------------------------------------

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC2
   Primary Dns Suffix  . . . . . . . : it.lan
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : it.lan

Ethernet adapter NIC1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
   Physical Address. . . . . . . . . : 00-0E-7F-B2-C7-3C
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.10.1.104
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.10.1.254
   DNS Servers . . . . . . . . . . . : 10.10.1.104
                                       10.10.1.102
   Primary WINS Server . . . . . . . : 10.10.1.104
   Secondary WINS Server . . . . . . : 10.10.1.102
Let's do a couple of things. Change the primary DNS to point to the other DNS server. Do an ipconfig /flushdns, then do an ipconfig /registerdns. Restart the Netlogon service. Check this article out to see if this applies.

http://windowsitpro.com/article/articleid/92682/when-you-configure-the-primary-dns-suffix-group-policy-setting-on-a-windows-server-2003-based-domain-controller-or-ca-certification-authority-server-you-experience-difficulty.html
MCSF (asker):
OK, I did the steps and it is still failing with the same autoenroll error, but the DNS boot error is gone now. Is it better to have the primary DNS point to another server instead of itself?

The second article I don't think applies, but I'm not sure. They are static IPs with nothing set in group policy for them. I manage the DCs separately. The "Append primary and connection specific DNS suffixes" and "Append parent suffixes of the primary DNS suffix" options are set in the adapter properties on the DNS tab.

Is the expired certificate causing the error or is that error about the actual DC/CA not getting a certificate?
That could be the problem, but none of the articles and issues I have experienced point to that being the solution. Another thing: is the RPC service set to start automatically? Check to make sure the permissions are correct in the CERTSVC_DCOM_ACCESS group, which should have been created automatically. Make sure the Domain Controllers group is added, and Domain Users. Also, make sure the domain controllers are in the DC group. There are tons of cases just like yours, but none of the solutions have worked yet, so there is something missing. Have you tried forcing the re-enrollment of the DC? Check out the links; there is a fix from MS.

https://www.experts-exchange.com/questions/23271777/Getting-Event-Id-13-on-primary-DC-and-secondary-DC.html?sfQueryTermInfo=1+13+autoenrol+event+id

https://www.experts-exchange.com/questions/21632072/AutoEnrollment-error-with-Event-ID-13.html?sfQueryTermInfo=1+13+autoenrol+event+id

https://www.experts-exchange.com/questions/22709141/Windows-2003-AD-SSL-Certificate-Autoenrollment.html
MCSF (asker):
Ok let me try and get some of this information for you. The Remote Procedure Call (RPC) is started and set to automatic. There is another service called Remote Procedure Call (RPC) Locator is NOT started and set to manual.

The 'Domain Controllers' group contains both DC's.

The 'CERTSVC_DCOM_ACCESS' group contains 3 groups. 'Domain Computers' | 'Domain Controllers' and 'Domain Users'

The group was there and I looked at the permissions but I don't know what to compare it against to check them. I'm not sure if that is what you meant by "Check to make sure the permissions are correct in the CERTSVC_DCOM_ACCESS Group which should have been created automatically."

When you say re-enroll do you mean adding the 'Domain Controllers' group to the CERTSVC group and running these commands:
1.) certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
2.) net stop certsvc
3.) net start certsvc

I have done this one several times. I am going on the insanity theory at this point willing to try it again! :)

If you look at the first link there is a solution that will walk you through to see if you can find out what CA the server is trying to use. Have you walked through those steps?
MCSF (asker):
Darius, I've been looking around for an answer also, checking if it has anything to do with VMware, but there doesn't seem to be much there either, or anything that is an issue. I know this error is beyond the scope of my knowledge, and I appreciate all the help. I find it frustrating, since it's the only error and everything else seems flawless, but I am guessing sooner or later it will cause an issue. I don't quite understand the big picture of what is happening, or what it needs to do to autoenroll itself, or the proper verbiage!
This page should walk you through some troubleshooting steps that I have been trying to explain.

http://blogs.technet.com/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx
MCSF (asker):
Some interesting things happened while going through that article. Two new errors popped up in the Event Viewer and the CA Exchange certificate renewed itself. I did a reboot after but the same autoenrollment error is still there.

I also got an error when running the "certutil -cainfo" command. I don't know if they are critical but they were "Error: No CRL for this Cert". They are listed below. I also attached the screenshots of the Event Viewer Errors.

We actually had a consultant come in and set up our original CA. It is set up as a Standalone Root CA and NOT an Enterprise CA. I don't know if that makes a difference; both DCs are 2003 Standard and not Enterprise.

All the other permissions and commands seemed to run fine with no problems.

c:\> certutil -cainfo

Exit module count: 1
CA name: mcdc1
Sanitized CA short name (DS name): mcdc1
CA type: 3 -- Stand-alone Root CA
    ENUM_STANDALONE_ROOTCA -- 3
CA cert count: 0xe (14)
KRA cert count: 0
KRA cert used count: 0
CA cert[0]: 3 -- Valid
CA cert[1]: 3 -- Valid
CA cert[2]: 3 -- Valid
CA cert[3]: 3 -- Valid
CA cert[4]: 3 -- Valid
CA cert[5]: 3 -- Valid
CA cert[6]: 3 -- Valid
CA cert[7]: 3 -- Valid
CA cert[8]: 3 -- Valid
CA cert[9]: 3 -- Valid
CA cert[10]: 3 -- Valid
CA cert[11]: 3 -- Valid
CA cert[12]: 3 -- Valid
CA cert[13]: 3 -- Valid
CA cert version[0]: 0 -- V0.0
CA cert version[1]: 1 -- V1.0
CA cert version[2]: 0x20002 (131074) -- V2.2
CA cert version[3]: 0x30003 (196611) -- V3.3
CA cert version[4]: 0x40004 (262148) -- V4.4
CA cert version[5]: 0x40005 (262149) -- V5.4
CA cert version[6]: 0x60006 (393222) -- V6.6
CA cert version[7]: 0x70007 (458759) -- V7.7
CA cert version[8]: 0x80008 (524296) -- V8.8
CA cert version[9]: 0x90009 (589833) -- V9.9
CA cert version[10]: 0xa000a (655370) -- V10.10
CA cert version[11]: 0xb000b (720907) -- V11.11
CA cert version[12]: 0xc000c (786444) -- V12.12
CA cert version[13]: 0xd000d (851981) -- V13.13
CA cert verify status[0]: 0
CA cert verify status[1]: 0
CA cert verify status[2]: 0
CA cert verify status[3]: 0
CA cert verify status[4]: 0
CA cert verify status[5]: 0
CA cert verify status[6]: 0
CA cert verify status[7]: 0
CA cert verify status[8]: 0
CA cert verify status[9]: 0
CA cert verify status[10]: 0
CA cert verify status[11]: 0
CA cert verify status[12]: 0
CA cert verify status[13]: 0
CRL[0]: 3 -- Valid
CRL[1]: 1 -- Error: No CRL for this Cert
CRL[2]: 3 -- Valid
CRL[3]: 3 -- Valid
CRL[4]: 3 -- Valid
CRL[5]: 1 -- Error: No CRL for this Cert
CRL[6]: 3 -- Valid
CRL[7]: 3 -- Valid
CRL[8]: 3 -- Valid
CRL[9]: 3 -- Valid
CRL[10]: 3 -- Valid
CRL[11]: 3 -- Valid
CRL[12]: 3 -- Valid
CRL[13]: 3 -- Valid
CRL Publish Status[0]: 5
    CPF_BASE -- 1
    CPF_COMPLETE -- 4
CRL Publish Status[2]: 5
    CPF_BASE -- 1
    CPF_COMPLETE -- 4
CRL Publish Status[3]: 5
    CPF_BASE -- 1
    CPF_COMPLETE -- 4
CRL Publish Status[4]: 5
    CPF_BASE -- 1
    CPF_COMPLETE -- 4
CRL Publish Status[6]: 5
    CPF_BASE -- 1
    CPF_COMPLETE -- 4
CRL Publish Status[7]: 5
    CPF_BASE -- 1
    CPF_COMPLETE -- 4
CRL Publish Status[8]: 5
    CPF_BASE -- 1
    CPF_COMPLETE -- 4
CRL Publish Status[9]: 5
    CPF_BASE -- 1
    CPF_COMPLETE -- 4
CRL Publish Status[10]: 5
    CPF_BASE -- 1
    CPF_COMPLETE -- 4
CRL Publish Status[11]: 5
    CPF_BASE -- 1
    CPF_COMPLETE -- 4
CRL Publish Status[12]: 5
    CPF_BASE -- 1
    CPF_COMPLETE -- 4
CRL Publish Status[13]: 5
    CPF_BASE -- 1
    CPF_COMPLETE -- 4
DNS Name: MCDC1.mc.lan
Advanced Server: 0
CertUtil: -CAInfo command completed successfully.

--------------------------------------------------------------


Attachments: ca-warning-a.jpg, ca-error-a.jpg
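The two "No CRL for this Cert" lines in the certutil -cainfo output above can be read straight off the "CA cert version" lines: the version string is V<cert index>.<key index>, a CA certificate renewed with its existing key pair gets a new cert index but keeps the old key index, and CRLs are signed per key, so no CRL exists under the index of such a certificate. Certs 1 (V1.0) and 5 (V5.4) are exactly the two that reuse a key, and CRL[1] and CRL[5] are exactly the two entries that are missing, which the "CRL Publish Status" list (no [1], no [5]) confirms. The PowerShell below is an added example for this page, not from the thread, that performs that cross-check; its sample input is the output posted above, trimmed to the relevant lines, and you can point $text at the full output of any CA.

```powershell
# Added example (not from the thread): correlate the "CA cert version" and
# "CRL[n]" lines of certutil -cainfo so that a missing CRL caused by key
# reuse on renewal is told apart from a genuinely missing CRL.
# Sample input: the output posted in this thread, trimmed to the lines used.
$text = @'
CA cert version[0]: 0 -- V0.0
CA cert version[1]: 1 -- V1.0
CA cert version[2]: 0x20002 (131074) -- V2.2
CA cert version[3]: 0x30003 (196611) -- V3.3
CA cert version[4]: 0x40004 (262148) -- V4.4
CA cert version[5]: 0x40005 (262149) -- V5.4
CA cert version[6]: 0x60006 (393222) -- V6.6
CRL[0]: 3 -- Valid
CRL[1]: 1 -- Error: No CRL for this Cert
CRL[2]: 3 -- Valid
CRL[3]: 3 -- Valid
CRL[4]: 3 -- Valid
CRL[5]: 1 -- Error: No CRL for this Cert
CRL[6]: 3 -- Valid
'@

function Get-CaCrlStatus {
    param([string]$CaInfoText)
    $keyOf = @{}   # cert index -> key index (from "V<cert>.<key>")
    $crlOf = @{}   # CRL index  -> status text
    foreach ($line in ($CaInfoText -split "`r?`n")) {
        if ($line -match '^CA cert version\[(\d+)\]:.*-- V(\d+)\.(\d+)') {
            $keyOf[[int]$Matches[1]] = [int]$Matches[3]
        } elseif ($line -match '^CRL\[(\d+)\]:\s*\d+\s*--\s*(.+)$') {
            $crlOf[[int]$Matches[1]] = $Matches[2].Trim()
        }
    }
    foreach ($i in ($keyOf.Keys | Sort-Object)) {
        $key     = $keyOf[$i]
        $status  = $crlOf[$i]
        $reused  = ($key -ne $i)              # renewed with an existing key
        $missing = ($status -like '*No CRL*')
        # A missing CRL is expected exactly when the key was reused; a missing
        # CRL for a cert with its own key, or a non-Valid CRL, needs attention.
        New-Object PSObject -Property @{
            CertIndex = $i
            KeyIndex  = $key
            CrlStatus = $status
            Verdict   = $(if ($reused -and $missing) { "OK: renewed with key $key, covered by CRL[$key]" }
                          elseif (-not $reused -and $status -eq 'Valid') { 'OK' }
                          else { 'CHECK' })
        }
    }
}

Get-CaCrlStatus -CaInfoText $text |
    Format-Table CertIndex, KeyIndex, CrlStatus, Verdict -AutoSize
```

On the posted output every row comes back OK, so these two entries are not the cause of the enrollment failure; the DCOM limits and the untrusted renewed root found later in the thread are.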
MCSF (asker):
Darius, I have no clue if I am missing the train completely but I don't have a 'Recovery Agents' tab. Is it because it's a Standalone Root CA?
MCSF (asker):
I have 'General', 'Request Handling', 'Subject Name', 'Issuance Requirements', 'Superseded Templates', 'Extensions' and 'Security'. All the templates have the same 6 tabs. I saw a screenshot of the 'Recovery Agents' tab, but I just don't have that one on any templates in the CA.
You should still have a Recovery Agent even if the CA is standalone. Have you tried to re-install the CA? You have one VM, which is DC1, and then you have another physical server, DC2, right? Can you run the same tool as above for the Subordinate CA? Have you queried the domain to view the published CA in AD?

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dscj_mcs_cpiz.mspx?mfr=true
MCSF (asker):
Yeah I tried reinstalling the CA and then restoring. I followed this article when I migrated. http://support.microsoft.com/kb/298138 I also restored it again earlier today.

Yes, I had two physical boxes; I virtualized DC1 and left DC2 on its original standalone server.

Here is a screenshot of where the Recovery tab should be, but it's the same on both boxes. I am sorry, I don't know how to query the domain to view the CA in AD. I did go through all the links and steps that you have sent me so far, to see if one of them was it. If I did find an error, I tried to post it for you.

I looked through that article, and our group policy is set up and has been running for about 4 years, so I believe it's correct, but I read through it and also checked the settings in group policy.

I see our Exchange server is getting the same exact error now, but it seems to be running fine so far.

Here is a screenshot of the tabs I have. Do you think calling Microsoft is going to be the fix? I have read so many articles that my head is swimming in information! :) This has to be one of the more elusive problems I have run into.

Attachment: Recovery-Tab-a.jpg
ASKER CERTIFIED SOLUTION
Darius Ghassem:
MCSF (asker):
I kept the same name and also the same IP. I'll try to explain what he did and hopefully it makes a little sense.

When I called Microsoft, they fixed things fairly quickly. There were two big things wrong. One was NOT even on the Root CA; it was on the SubCA, in Component Services. The 'Edit Limits' in both the 'Access Permissions' and 'Launch and Activation Permissions' had a corrupt object. It was missing the CERTSVC_DCOM_ACCESS group (it showed an unknown object, i.e. S-123-454-3453) in both places. So we added the group and gave it Local Access and Remote Access under 'Access Permissions' | 'Edit Limits', and Local Activation and Remote Activation under 'Launch and Activation Permissions' | 'Edit Limits'.

I might explain this one wrong, but the second thing was that the certificate hash didn't match the certificate in the Trusted Store, so it wasn't passing the revocation check? So we created a new certificate on the Root CA and exported it manually. Then we imported it into the SubCA and everything started working.

We also manually imported the certificates into the group policy 'Trusted Root Certification Authorities'.

We are only using Windows 2003 Standard so we have version 1 templates vs version 2 that don't allow auto enrollment but it's done through group policy.

I really appreciate all the help with walking through all the steps. The first hour we covered everything that you had helped me with which made it a lot more understandable going through it.

Thanks again Darius!
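The second half of the fix above (a renewed root whose thumbprint no longer matched what the SubCA trusted, so chain building and revocation checking failed) can be checked and repaired with certutil rather than by hand in the MMC. The PowerShell below is an added example written for this page, not the steps Microsoft ran or code from the thread: it exports the root CA's current certificate, looks for that exact thumbprint in the SubCA's Trusted Root store, installs and publishes it if absent, runs a full chain and revocation check on the SubCA certificate, and finally answers Darius's earlier "query the domain" question by listing the CAs published under Public Key Services in AD. DC1\mcdc1 and it.lan come from output posted in the thread; the SubCA config string DC2\SubCA and the C:\pki paths are placeholders.

```powershell
# Added example (not from the thread): distribute a renewed root CA
# certificate to a subordinate CA with certutil and verify the result.
# Run on the SubCA as an administrator. DC1\mcdc1 and it.lan are from the
# thread; DC2\SubCA and the C:\pki paths are placeholders (assumptions).
$RootCaConfig = 'DC1\mcdc1'
$SubCaConfig  = 'DC2\SubCA'            # placeholder: <host>\<SubCA name>
$Domain       = 'it.lan'
$RootCer      = 'C:\pki\mcdc1-root.cer'
$SubCer       = 'C:\pki\subca.cer'

function Get-CerThumbprint {
    # SHA-1 thumbprint of a .cer file, taken from the "Cert Hash(sha1)" line
    # that certutil -dump prints.
    param([string]$Path)
    $dump = & certutil -dump $Path | Out-String
    if ($dump -match 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)') {
        return ($Matches[1] -replace ' ', '').ToLower()
    }
    throw "no SHA-1 hash found in $Path"
}

# 1. Pull the current CA certificates over DCOM. This needs the CERTSVC_DCOM_ACCESS
#    fix from earlier in the thread to be in place; otherwise it fails with the
#    same 0x80070005 as autoenrollment.
New-Item -ItemType Directory -Path (Split-Path $RootCer) -Force | Out-Null
& certutil -config $RootCaConfig -ca.cert $RootCer | Out-Null
& certutil -config $SubCaConfig  -ca.cert $SubCer  | Out-Null

# 2. Is this exact root (by thumbprint) in the machine's Trusted Root store?
#    A root that was renewed and never redistributed is "not found" here, and
#    then nothing issued by the SubCA chains or passes revocation checking.
$thumb = Get-CerThumbprint $RootCer
& certutil -store Root $thumb | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "root $thumb is not in the local Root store; installing it"
    & certutil -addstore Root $RootCer
    # Publish to the AD "Certification Authorities" container so domain
    # members pick it up in Trusted Root automatically. The thread pushed the
    # certificate out through Group Policy by hand instead; either works.
    & certutil -dspublish -f $RootCer RootCA
}

# 3. Build and check the SubCA's chain the way a client would, fetching the
#    AIA and CDP URLs; any "revocation" or "untrusted root" error shows here.
& certutil -verify -urlfetch $SubCer

# 4. Which CAs does AD advertise? (Darius's "query the domain" question.)
$dcPart = (($Domain -split '\.') | ForEach-Object { "DC=$_" }) -join ','
$dn = 'CN=Public Key Services,CN=Services,CN=Configuration,' + $dcPart
& dsquery * $dn -scope subtree -limit 0 `
    -filter '(|(objectClass=certificationAuthority)(objectClass=pKIEnrollmentService))' `
    -attr cn objectClass dNSHostName
```

Compare the thumbprint printed by step 2 with the one shown for the root in the SubCA's Trusted Root Certification Authorities store before and after; if step 3 still reports a revocation failure after the root matches, the CDP URL in the SubCA certificate is the next thing to check.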
MCSF (asker):
Thanks Darius for all your help I really appreciate everything you did. I hope you have a great evening!