Long dead certificate authority. How get re-pointed to new stable CA?
Hello,
I inherited a bit of mess.
My situation is this:
1200 users, 2003 domain running in 2000 mixed mode, multiple sites.
6 domain controllers (4 running Server 2000, 2 running Server 2003 SP2)
2000 DC's reporting this in the event log for months:
The automatic certificate enrollment subsystem could not access local resources needed for enrollment. Enrollment will not be performed. (0x80070005) Access is denied.
2003 DC's reporting this in the event log for months:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.
certutil -dump shows me this:
C:\>certutil -dump
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
Entry 0:
Name: `CA'
Organizational Unit: `'
Organization: `'
Locality: `'
State: `'
Country/region: `'
Config: `ngbrasus.mydomain.com\CA'
Exchange Certificate: `'
Signature Certificate: `'
Description: `'
Server: `ngbrasus.mydomain.com'
Authority: `CA'
Sanitized Name: `CA'
Short Name: `CA'
Sanitized Short Name: `CA'
Flags: `1'
CertUtil: -dump command completed successfully.
What I know for sure so far:
I've confirmed that the server, ngbrasus, was removed long ago.
I've confirmed that the group "CERTSVC_DCOM_ACCESS" does NOT exist currently.
I've read the following:
http://support.microsoft.com/kb/889250
http://support.microsoft.com/kb/927066
Neither seem to exactly match my circumstances so I'm hesitant on just shotgunning a bunch of solutions.
At this point I'm not seeing any visible ill effect of the missing CA. I'm fully ready to install a new CA and re-point things if needed. If I cannot get any quality answers here I may up cross posting this over at Petri.
Thanks!
I inherited a bit of mess.
My situation is this:
1200 users, 2003 domain running in 2000 mixed mode, multiple sites.
6 domain controllers (4 running Server 2000, 2 running Server 2003 SP2)
2000 DC's reporting this in the event log for months:
The automatic certificate enrollment subsystem could not access local resources needed for enrollment. Enrollment will not be performed. (0x80070005) Access is denied.
2003 DC's reporting this in the event log for months:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.
certutil -dump shows me this:
C:\>certutil -dump
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
Entry 0:
Name: `CA'
Organizational Unit: `'
Organization: `'
Locality: `'
State: `'
Country/region: `'
Config: `ngbrasus.mydomain.com\CA'
Exchange Certificate: `'
Signature Certificate: `'
Description: `'
Server: `ngbrasus.mydomain.com'
Authority: `CA'
Sanitized Name: `CA'
Short Name: `CA'
Sanitized Short Name: `CA'
Flags: `1'
CertUtil: -dump command completed successfully.
What I know for sure so far:
I've confirmed that the server, ngbrasus, was removed long ago.
I've confirmed that the group "CERTSVC_DCOM_ACCESS" does NOT exist currently.
I've read the following:
http://support.microsoft.com/kb/889250
http://support.microsoft.com/kb/927066
Neither seem to exactly match my circumstances so I'm hesitant on just shotgunning a bunch of solutions.
At this point I'm not seeing any visible ill effect of the missing CA. I'm fully ready to install a new CA and re-point things if needed. If I cannot get any quality answers here I may up cross posting this over at Petri.
Thanks!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Finally got a maint window. Thanks!
ASKER