Microsoft PKI / CERTSVC_DCOM_ACCESS Group
Posted on 2008-10-22
I am installing new Certificate Authorities on Domain Controllers running Windows 2003 R2 SP2. The requirement I have from my customer is to have a CA in every site so that management of certificates can be done at a local level (I know there are other ways to do this, but these are the requirements). When the first CA was installed on a DC, it created the group called CERTSVC_DCOM_ACCESS. Because it's on a DC, this is a Domain Local group, not simply a local group as it would be on a member server. After installation, I added the Domain Controllers built-in group to the Certsvc group.
As each CA is installed, it enters live service. My problem is this: when a new CA is installed, I thought at first that it reset group membership, which would be bad enough in itself. In actual fact, after having checked with the SID-2-User tool, I find that the group is actually getting deleted and recreated on every install! This is presenting me with a few problems to say the least, because when that happens, it knocks out autoenrollment on the existing CAs in the estate, which in turn generates several complaints my way.
Has anyone ever seen this behaviour at all? I can't find anything about it from Microsoft. I haven't logged a call yet, but I'm sure I can't be the only one in the world with this problem? Does anyone know whether there's a fix?
Any help would be hugely appreciated. Thanks
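The check the poster did by hand with SID-2-User can be scripted, so the SID and membership of CERTSVC_DCOM_ACCESS are snapshotted before each CA install and compared afterwards. The point of comparing the SID rather than the name is that Windows ACLs (including the DCOM launch/access permissions the CA service relies on) store the SID, so a group that is deleted and recreated under the same name is a different principal as far as every existing CA is concerned. The script below is an added example and is not from the original post or from Microsoft; it uses ADSI/System.DirectoryServices only (no ActiveDirectory module), assumes PowerShell 2.0 or later on a domain-joined machine whose user can read the group object, and the file path and the re-add helper are illustrative assumptions.

```powershell
# Added example (not part of the original post): snapshot and compare the
# CERTSVC_DCOM_ACCESS domain local group across CA installations.
# Assumptions: PowerShell 2.0+, domain-joined host, RootDSE reachable,
# caller can read group objects in the default naming context.

function Get-CertsvcDcomAccessState {
    param([string]$GroupName = 'CERTSVC_DCOM_ACCESS')

    # Search the domain for the group by sAMAccountName and pull only what we compare.
    $root     = [ADSI]'LDAP://RootDSE'
    $base     = [ADSI]('LDAP://' + $root.defaultNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter = "(&(objectClass=group)(sAMAccountName=$GroupName))"
    [void]$searcher.PropertiesToLoad.AddRange(@('objectSid', 'member', 'whenCreated', 'distinguishedName'))
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Group $GroupName not found in $($root.defaultNamingContext)" }

    # objectSid comes back as a byte array; convert it to the S-1-5-... string form.
    $sid = New-Object System.Security.Principal.SecurityIdentifier(($result.Properties['objectsid'][0]), 0)

    # Collect member DNs as plain strings so the snapshot survives Export-Clixml.
    $members = @()
    foreach ($m in $result.Properties['member']) { $members += [string]$m }

    New-Object PSObject -Property @{
        DistinguishedName = [string]$result.Properties['distinguishedname'][0]
        Sid               = $sid.Value
        WhenCreated       = $result.Properties['whencreated'][0]
        Members           = @($members | Sort-Object)
    }
}

function Compare-CertsvcDcomAccessState {
    param($Before, $After)

    $findings = @()

    # A changed SID means the object was deleted and recreated, not just edited:
    # every ACL that referenced the old SID now points at an orphaned principal.
    if ($Before.Sid -ne $After.Sid) {
        $findings += "Group deleted and recreated: SID $($Before.Sid) -> $($After.Sid) (created $($After.WhenCreated))"
    }

    # Membership diff, independent of whether the SID changed.
    $diff = Compare-Object -ReferenceObject @($Before.Members) -DifferenceObject @($After.Members)
    foreach ($d in $diff) {
        if ($d.SideIndicator -eq '<=') { $findings += "Member removed: $($d.InputObject)" }
        else                            { $findings += "Member added:   $($d.InputObject)" }
    }

    if ($findings.Count -eq 0) { $findings += 'No change to SID or membership' }
    $findings
}

function Add-CertsvcDcomAccessMember {
    # Re-add a member (e.g. the Domain Controllers group) by DN after a reset.
    # Hypothetical helper; the caller must have write access to the group.
    param([string]$GroupDn, [string]$MemberDn)
    $group = [ADSI]("LDAP://$GroupDn")
    $group.Add("LDAP://$MemberDn")
}

# Usage (path is an assumption):
#   Before the next CA install:
#     Get-CertsvcDcomAccessState | Export-Clixml 'C:\temp\certsvc-before.xml'
#   After the install:
#     $before = Import-Clixml 'C:\temp\certsvc-before.xml'
#     $after  = Get-CertsvcDcomAccessState
#     Compare-CertsvcDcomAccessState -Before $before -After $after
#   If the membership was reset, restore it with the DN of the Domain Controllers group:
#     Add-CertsvcDcomAccessMember -GroupDn $after.DistinguishedName -MemberDn 'CN=Domain Controllers,CN=Users,DC=example,DC=local'
```

Run the snapshot step on any domain-joined host, not necessarily the DC being promoted to a CA, so the "before" file is taken from a replica that has not yet seen the install. If the comparison reports a SID change, re-adding members to the new group only fixes the new CA; the older CAs' DCOM permissions still reference the old SID and need to be reviewed separately.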