Services not automatically starting: Auto-enrollment and Certificate Authority

Hi,

I am working on a site running Windows 2003 domain controllers and Windows XP clients.  Currently services such as MSSQL and Lotus Domino are not starting automatically after scheduled reboots.  In addition, I am unable to successfully prep AD for 2008 DCs.  All domain controllers only have a single NIC active (rest are disabled) and there are no subdomains.

There are currently three domain controllers each at different sites:
dc1 Server 2003 R2 Site1
dc2 Server 2003 R1 Site2
dc3 Server 2003 R2 Site3

net stop netlogon && net start netlogon does not solve the problem.  dcdiag /fix has no effect.  The network card is set to register its interface in DNS.  It is pointing to itself for DNS.  Its host records as well as the _msdcs, _sites, _tcp, _udp, DomainDnsZones appear to be correct and do recreate themselves if I delete them and restart netlogon.  It appears as if it can't find itself in DNS, or can't fix the records for one reason or another.

When investigating the logs it appears to be related to auto-enrollment and the certificate authority.

On the Certificate Authority in Failed Requests (there is one request about every 9 hours):

Request Status Code:
DNS name does not exist. 0x800725f2 (WIN32: 9714)
Request Disposition Message:
Denied by Policy Module
Requester Name:
DOMAINNT\DC1$

The following is recorded in the event logs:

On Windows XP Clients:

Event Type:      Error
Event Source:      AutoEnrollment
Event Category:      None
Event ID:      15
Date:            4/10/2010
Time:            4:37:51 PM
User:            N/A
Computer:      WK3541
Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


On Certificate Authority (Domain Controller, dc1)

Event Type:      Warning
Event Source:      CertSvc
Event Category:      None
Event ID:      53
Date:            4/19/2010
Time:            10:50:44 AM
User:            N/A
Computer:      dc1
Description:
Certificate Services denied request 5578 because DNS name does not exist. 0x800725f2 (WIN32: 9714).  The request was for DOMAINNT\dc1$.  Additional information: Denied by Policy Module

Event Type:      Warning
Event Source:      AutoEnrollment
Event Category:      None
Event ID:      17
Date:            4/19/2010
Time:            10:50:44 AM
User:            N/A
Computer:      dc1
Description:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate from certificate authority DOMAINNT on dc1.domainnt.com. (0x800725f2).  DNS name does not exist.
  Another certificate authority will be contacted.

Event Type:      Error
Event Source:      AutoEnrollment
Event Category:      None
Event ID:      13
Date:            4/19/2010
Time:            10:50:44 AM
User:            N/A
Computer:      dc1
Description:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x800725f2).  DNS name does not exist.


On Domain Controller: (Portions cropped out, full version is attached)

.......................................

    Computer Name: dc1
    DNS Host Name: dc1.domainnt.com.
    System info : Microsoft Windows Server 2003 R2 (Build 3790)
    Processor : x86 Family 6 Model 15 Stepping 11, GenuineIntel


        Host Name. . . . . . . . . : dc1
        IP Address . . . . . . . . : 192.168.1.6
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.1.34
        Primary WINS Server. . . . : 192.168.1.6
        Dns Servers. . . . . . . . : 192.168.1.6

DNS test . . . . . . . . . . . . . : Failed
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.domainnt.com. re-registeration on DNS server '192.168.1.6' failed.
DNS Error code: 0x0000000E
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domainnt.com. re-registeration on DNS server '192.168.1.6' failed.
DNS Error code: 0x0000000E
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.site1._sites.dc._msdcs.domainnt.com. re-registeration on DNS server '192.168.1.6' failed.
DNS Error code: 0x0000000E
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.domainnt.com. re-registeration on DNS server '192.168.1.6' failed.
DNS Error code: 0x0000000E
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.domainnt.com. re-registeration on DNS server '192.168.1.6' failed.
DNS Error code: 0x0000000E
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.site1._sites.domainnt.com. re-registeration on DNS server '192.168.1.6' failed.
DNS Error code: 0x0000000E
    [FATAL] Failed to fix: DC DNS entry _kerberos._udp.domainnt.com. re-registeration on DNS server '192.168.1.6' failed.
DNS Error code: 0x0000000E
    [FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.domainnt.com. re-registeration on DNS server '192.168.1.6' failed.
DNS Error code: 0x0000000E
    [FATAL] Failed to fix: DC DNS entry _kpasswd._udp.domainnt.com. re-registeration on DNS server '192.168.1.6' failed.
DNS Error code: 0x0000000E
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.domainnt.com. re-registeration on DNS server '192.168.1.6' failed.
DNS Error code: 0x0000000E
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.domainnt.com. re-registeration on DNS server '192.168.1.6' failed.
DNS Error code: 0x0000000E
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.site1._sites.gc._msdcs.domainnt.com. re-registeration on DNS server '192.168.1.6' failed.
DNS Error code: 0x0000000E
    [FATAL] Failed to fix: DC DNS entry _gc._tcp.domainnt.com. re-registeration on DNS server '192.168.1.6' failed.
DNS Error code: 0x0000000E
    [FATAL] Failed to fix: DC DNS entry _gc._tcp.Default-First-Site-Name._sites.domainnt.com. re-registeration on DNS server '192.168.1.6' failed.
DNS Error code: 0x0000000E
    [FATAL] Failed to fix: DC DNS entry _gc._tcp.site1._sites.domainnt.com. re-registeration on DNS server '192.168.1.6' failed.
DNS Error code: 0x0000000E
    [FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for this DC on DNS server '192.168.1.6'.
    [FATAL] No DNS servers have the DNS records for this DC registered.

Any ideas would be much appreciated.
netdiag-fix.txt
Praeses Asked:
Paranormastic (Cryptographic Engineer) Commented:
By the sound of it, the CA is on one of the DCs, if not let me know as this will change slightly.  Open up the Domain Local Security Group called "CERTSRV_DCOM_ACCESS" and add DOMAINNT\Domain Controllers to that group.

On each DC (start with the one that has the CA on it first):
open cmd
certutil -dcinfo deletebad
certutil -pulse
reboot the DC
when DC comes back up, repeat on the next DC.
Praeses (Author) Commented:
I have performed the steps on all the DCs listed by Paranormastic and the problem persists.  After running certutil -dcinfo deletebad the following is displayed at the bottom:

** KDC Certificates for DC DC1
0 KDC certs for DC1
No KDC Certificate in MY store
309.352.0: 0x80092004 (-2146885628)
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

CertUtil: -DCInfo command FAILED: 0x80092004 (-2146885628)
CertUtil: Cannot find object or property.
301.3160.0: 0x80092004 (-2146885628)

The full output is attached.  I have not been able to find much in the way of solving this.
deletebad.txt
Paranormastic (Cryptographic Engineer) Commented:
Make sure your CA has the correct templates issued to it so that it can issue the correct kind of certificates.  Refer to the table about 2/5 of the way down in this link:
http://technet.microsoft.com/en-us/library/cc730826%28WS.10%29.aspx

The needed templates are created by default.  To check your CA, open the Certification Authority MMC (CertSrv.msc) and retarget to the CA (or run locally on the CA box) - expand CAName - select Certificate Templates.  If the needed templates are not listed in the right pane, then right click the folder - New - Certificate Template to issue... and select the appropriate template.  Wait about 15 minutes or however long it takes for your AD to replicate, then check again and repeat the above steps if necessary.

Praeses (Author) Commented:
From my understanding, as DC1 is the Certificate Authority for the domain and the remaining domain controllers are Server 2003, the only required template is Domain Controller.  Currently the following is listed and I have not made any changes:

EFS Recovery Agent
Basic EFS
Domain Controller
Web Server
Computer
User
Subordinate Certification Authority
Administrator

I have added a 2008 R2 server (KEY) running Certificate Services (no other roles) with the Kerberos Authentication template to the domain  to see if it would aid in troubleshooting.  It displays the same errors as DC1.  I am continuing to look for solutions.
Praeses (Author) Commented:
This may be related to a DNS issue as the SPNs are set for:
DC1.domainnt.com

While in a GPO applied to the DC the following is set:
Computer Configuration->Administrative Templates->Network/DNS Client->Primary DNS Suffix:
Enter a primary DNS suffix: domainnt.com.

Including the trailing period.  This was reflected by setspn -l dc1 and the warnings are presented in netdiag.

I have made the group policy changes and scheduled a reboot for tonight.  I will post back following.

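As an added illustration (not code from the thread or from any of its participants), the script below does two things a practitioner would want when chasing this symptom: it parses the `[FATAL]` re-registration lines netdiag /fix prints (a constructed two-record sample modelled on the output quoted in the question) and it checks a GPO primary DNS suffix the way the final post's fix implies, flagging the trailing period that turned dc1's DNS host name into `dc1.domainnt.com.`. The sample text and helper names are my own assumptions.

```python
import re

# Constructed sample modelled on the netdiag /fix excerpt in the question (two records kept).
NETDIAG_SAMPLE = """\
DNS test . . . . . . . . . . . . . : Failed
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.domainnt.com. re-registeration on DNS server '192.168.1.6' failed.
DNS Error code: 0x0000000E
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.domainnt.com. re-registeration on DNS server '192.168.1.6' failed.
DNS Error code: 0x0000000E
    [FATAL] No DNS servers have the DNS records for this DC registered.
"""

# netdiag spells it "re-registeration"; match the tool's own text, not the dictionary.
FAIL_RE = re.compile(r"DC DNS entry (\S+) re-registeration on DNS server '([^']+)' failed\.")
CODE_RE = re.compile(r"DNS Error code: (0x[0-9A-Fa-f]+)")


def parse_netdiag_failures(text):
    """Pair each failed SRV re-registration with the error code netdiag prints
    on the following line. Returns [(record, dns_server, error_code_int), ...]."""
    failures, pending = [], None
    for line in text.splitlines():
        hit = FAIL_RE.search(line)
        if hit:
            pending = (hit.group(1), hit.group(2))
            continue
        code = CODE_RE.search(line)
        if code and pending:
            failures.append((pending[0], pending[1], int(code.group(1), 16)))
            pending = None
    return failures


def check_primary_dns_suffix(hostname, suffix):
    """Build the FQDN a DC derives from its primary DNS suffix and flag a suffix
    that is not a bare domain name. A trailing '.' (the GPO value in the thread)
    yields 'dc1.domainnt.com.', which is what setspn -l and netdiag reported."""
    problems = []
    if suffix != suffix.strip("."):
        problems.append("suffix must not start or end with '.'")
    fqdn = f"{hostname}.{suffix}".lower()
    if any(label == "" for label in fqdn.split(".")):
        problems.append("FQDN contains an empty label")
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)*", fqdn):
        problems.append("FQDN contains characters outside letters, digits and '-'")
    return fqdn, problems


if __name__ == "__main__":
    for record, server, code in parse_netdiag_failures(NETDIAG_SAMPLE):
        print(f"{record} on {server}: DNS error 0x{code:08X}")
    for suffix in ("domainnt.com.", "domainnt.com"):
        print(check_primary_dns_suffix("dc1", suffix))
```

Feed the real netdiag-fix.txt to `parse_netdiag_failures` to get one row per failed record instead of reading the wall of `[FATAL]` lines by eye.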
Praeses (Author) Commented:
The certificate authority errors have stopped since the reboot and auto-enrollment is showing positive results in the logs.  MSSQL Server is now starting automatically along with most (although not all) other services.  The remaining ones may require specific attention.  I believe this is now resolved.

Thank you Paranormastic for your assistance, not only in this thread but also your useful posts in similar certificate related threads.