Do I need to install 'Certificate Services' on my Windows 2003 additional domain controller?

The reason I ask is that I've exhausted all my options for solving the following error, which continues to appear in the event viewer (every 8 hours) on my additional domain controller. Both servers have Service Pack 2 installed.

Event ID: 13 Automatic certificate enrollments for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.

These are links to the sites that I've followed to help resolve this error:

http://www.eventid.net/display.asp?eventid=13&eventno=2719&source=AutoEnrollment&phase=1

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/ab4ddc37-c0cf-4ff7-b42b-afa617b21eb0/
Asked by: Greglan
Justin Owens (ITIL Problem Manager) commented:
Did you recently apply SP1 to your Windows 2003 servers?

Greglan (Author) commented:
Actually, I applied Service Pack 2 a long time ago. This error started appearing a few days ago, the same day I made this server an additional domain controller.
 
Justin Owens (ITIL Problem Manager) commented:
Is your old DC the same version of 2003 as the new one (R2 versus original, for example)?
 
Greglan (Author) commented:
If you read my question, you would have found this link already there! And I've already gone through all items, step by step.
 
Greglan (Author) commented:
Both the SBS DC and the second DC are not R2, and they both have Service Pack 2 installed.
 
Justin Owens (ITIL Problem Manager) commented:
Greglan,

Everyone who answers questions here attempts to give a best effort. Remember, we are all volunteers. I am sorry that I missed your question's link on my first pass, and I am sure you are frustrated by your situation, but please offer a little extra grace to the people who help you on this forum.

Justin
 
Justin Owens (ITIL Problem Manager) commented:
SBS changes things a little. Technically, you can add a second domain controller to an SBS 2003 server. You have to make sure that the SBS 2003 server maintains all FSMO roles. You also need to make sure that the second DC you built is a Global Catalog (GC) server. Have you verified this, or do you need direction on how to do it?

Justin
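
The two checks Justin describes (all five FSMO roles on the SBS server, the new DC a global catalog) as an added PowerShell example. This is not code from the thread; it uses the ActiveDirectory RSAT module, which a 2003-era DC does not have, so it is meant to be run from an admin workstation, and 'SBSSERVER' is a placeholder hostname, not a name from the original post. The legacy commands the thread used are listed in the comments at the end.

```powershell
# Added example (not from the original thread). Checks the two things Justin asks about:
# that one DC, here assumed to be the SBS server, holds all five FSMO roles, and that
# every DC in the forest advertises as a global catalog. Requires the ActiveDirectory
# RSAT module; the hostname below is a placeholder.
Import-Module ActiveDirectory -ErrorAction Stop

$ExpectedFsmoHolder = 'SBSSERVER'   # assumption: NetBIOS name of the SBS 2003 DC

$domain = Get-ADDomain
$forest = Get-ADForest

# Domain-wide roles come from Get-ADDomain, forest-wide roles from Get-ADForest.
$roles = [ordered]@{
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
}

# Print a role/holder table and collect any role that is not on the expected server.
$misplaced = foreach ($role in $roles.Keys) {
    $holderFqdn = $roles[$role]
    $holderHost = ($holderFqdn -split '\.')[0]       # compare on the short hostname
    $ok = $holderHost -ieq $ExpectedFsmoHolder
    '{0,-22} {1,-35} {2}' -f $role, $holderFqdn, $(if ($ok) { 'OK' } else { 'WRONG HOLDER' }) | Write-Host
    if (-not $ok) { $role }
}
if ($misplaced) {
    Write-Warning "FSMO roles not held by $ExpectedFsmoHolder : $($misplaced -join ', ')"
}

# Global catalog status: IsGlobalCatalog is exposed directly by Get-ADDomainController.
$allDcs = Get-ADDomainController -Filter *
$allDcs |
    Select-Object Name, Site, IsGlobalCatalog, OperatingSystem |
    Format-Table -AutoSize
$notGc = $allDcs | Where-Object { -not $_.IsGlobalCatalog }
if ($notGc) {
    Write-Warning "Not a global catalog: $($notGc.Name -join ', ')"
}

# Equivalent legacy commands that work on a Windows 2003 DC without the AD module
# (the first is what the thread actually used):
#   netdom query fsmo              - lists all five role holders
#   dcdiag /test:advertising       - confirms the DC advertises itself as a GC
#   repadmin /options <DCNAME>     - IS_GC in the output means global catalog is enabled
```

The short-hostname comparison is deliberate: Get-ADDomain and Get-ADForest return FQDNs, while netdom and the SBS console talk in NetBIOS names.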
 
Paranormastic (Cryptographic Engineer) commented:
Did you import the root CA certificate to the Trusted Root store? Open the Certificates MMC (once for the computer account, once for the user) and check the Trusted Root Certification Authorities list for your root CA cert, just to make sure.

Is it for a child domain or something? Make sure that it is part of the DOMAIN\Domain Controllers group for the appropriate domain, then check the CERTSRV_DCOM_ACCESS group to make sure that the DOMAIN\Domain Controllers group is actually a member of it. The CERTSRV_DCOM_ACCESS group is either a local security group on the CA box if the CA is not a DC, or, if the CA is on a DC, an AD domain local security group.

Otherwise, on the new DC try running 'certutil -dcinfo deletebad' then 'certutil -pulse', check the CA for the cert to be issued, then reboot the DC to apply the new cert (yes, you need to reboot, not just bounce a service).

If you don't think you have a CA, then maybe you do: open certsrv.msc and redirect it to browse for another computer and you should see it listed. You can also check in AD Sites & Services if you View > Show Services Node, then expand Services > Public Key Services.

You should not install a CA on a DC if you can ever help it.
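
Paranormastic's checklist, worked through as an added PowerShell example rather than code from the thread. It first decodes the 0x80070005 result from the Event ID 13 text (facility 7 is Win32, code 5 is ERROR_ACCESS_DENIED, so the CA refused the request and the fix is on the permission side, not in installing Certificate Services on the DC), then checks the Trusted Root store, the CERTSRV_DCOM_ACCESS membership on the CA, runs the same two certutil commands, and looks for the newly issued certificate. 'SBSSERVER' and 'CN=Contoso Root CA' are placeholders for your CA host and root CA subject, and the final check assumes a single-tier CA; with a subordinate issuing CA, match on the issuing CA's subject instead.

```powershell
# Added example (not from the original thread). Walks through Paranormastic's checklist
# on the new DC. $CaHost and $RootCaSubject are placeholders for the CA server name and
# the root CA certificate subject; replace them with your own.
$CaHost        = 'SBSSERVER'          # assumption: the server running Certificate Services
$RootCaSubject = 'CN=Contoso Root CA' # assumption: subject of the enterprise root CA cert

# 0. Decode the HRESULT quoted in the Event ID 13 text. The high bit marks failure, bits 16-26
#    are the facility and the low 16 bits the code. 0x80070005 is facility 7 (FACILITY_WIN32)
#    carrying Win32 error 5, ERROR_ACCESS_DENIED: the CA refused the request, which points at
#    permissions on the CA or the template, not at a missing Certificate Services role on the DC.
function Decode-HResult([long]$HResult) {
    if ($HResult -lt 0) { $HResult += 0x100000000 }   # normalise a signed Int32 event value
    $facility = ($HResult -shr 16) -band 0x7FF
    $code     = $HResult -band 0xFFFF
    [pscustomobject]@{
        HResult  = '0x{0:X8}' -f $HResult
        Failed   = ($HResult -band 2147483648) -ne 0
        Facility = $facility
        Code     = $code
        Message  = if ($facility -eq 7) { (New-Object ComponentModel.Win32Exception([int]$code)).Message } else { $null }
    }
}
Decode-HResult -HResult 0x80070005   # Message comes back as "Access is denied."

# 1. Root CA certificate present in the machine's Trusted Root store?
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootCaSubject }
if (-not $root) { Write-Warning "'$RootCaSubject' is not in LocalMachine\Root on this DC" }

# 2. Is Domain Controllers a member of CERTSRV_DCOM_ACCESS on the CA? On a member-server CA
#    this is a local group, read here through the WinNT ADSI provider. If the CA runs on a DC
#    it is a domain local group instead; query it with Get-ADGroupMember CERTSRV_DCOM_ACCESS.
$dcomGroup = [ADSI]"WinNT://$CaHost/CERTSRV_DCOM_ACCESS,group"
$members = @($dcomGroup.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
if ($members -notcontains 'Domain Controllers') {
    Write-Warning "CERTSRV_DCOM_ACCESS on $CaHost lacks 'Domain Controllers'. Members: $($members -join ', ')"
}

# 3. Remediate exactly as the thread did: discard bad DC certificates, then trigger autoenrollment.
certutil -dcinfo deleteBad
certutil -pulse

# 4. Verify: a Domain Controller certificate issued by your CA should now sit in the machine's
#    Personal store, and the next AutoEnrollment event should report success instead of ID 13.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$($RootCaSubject -replace '^CN=')*" } |
    Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint
```

Step 2 is the one that matches the access-denied result: autoenrollment talks to the CA over DCOM, and a DC that is not reachable through CERTSRV_DCOM_ACCESS (directly or via Domain Controllers) gets exactly 0x80070005 back.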
 
Justin Owens (ITIL Problem Manager) commented:
Paranormastic,

Greglan has two DCs: a SBS server and a standard server. Because SBS is always primary, it negates the possibility of a child domain in this scenario, if I understand SBS correctly.

Cheers,

Justin
 
Paranormastic (Cryptographic Engineer) commented:
@drultima - thanks for the correction on that
 
Greglan (Author) commented:
In response to DrUltima's question: under 'Active Directory Sites and Services' both servers have 'Global Catalog' checked under the NTDS Settings properties.
I ran NETDIAG and DCDIAG on both servers and everything 'passed'. I also ran 'netdom query fsmo' and all 5 roles show the SBS server as the owner.

Is there anything else I should check for this?
 
Justin Owens (ITIL Problem Manager) commented:
Disregard the child domain comment and run through what Paranormastic suggested, because that is a good next step.

Justin
 
Greglan (Author) commented:
Paranormastic,
After running 'certutil -dcinfo deletebad' on the new DC, and then 'certutil -pulse', the log immediately recorded a successful AutoEnrollment from the new DC server. The utilities worked without rebooting, but I still rebooted anyway just in case. Everything seems to be fine now.

However, after running the command 'certutil -dcinfo deletebad' it did state (and I have a screenshot if you need to see it) that it deleted the KDC cert from the SBS server. Is this correct?

On the SBS server I now get the following events logged:
Event ID: 20; The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.
Event ID: 77; The "Windows default" Policy Module logged the following warning: The Active Directory connection to BLITZ2SERVER has been reestablished to BLITZ2SERVER.

Is there cause for concern with these messages?
 
Greglan (Author) commented:
Thanks for your help guys. All issues resolved overnight.
 
Greglan (Author) commented:
The solution gave multiple errors. No response was given back to me regarding these errors. The system eventually fixed the remaining errors itself overnight.
 
Paranormastic (Cryptographic Engineer) commented:
The KDC cert message would be correct for a 2008 DC, yes.

Search "Kerberos Authentication Template" here for a list of standard DC templates based on OS version:
http://technet.microsoft.com/en-us/library/cc730826%28WS.10%29.aspx
