Solved

Unable to renew or get new Domain Controller Certificate from Domain Certificate Authority

Posted on 2010-11-23
2,785 Views
Last Modified: 2012-05-10
I have a Windows 2003 Domain Controller that is unable to automatically renew its certificate, and I cannot request a new certificate.

Windows 2003 Standard Server (32-bit)
DC1 is the Domain Controller with an expired certificate
DC2 is the Certificate Authority for our domain

Every eight hours DC1 reports 'Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x8001011c).  Remote calls are not allowed for this process.' Autoenrollment Event ID 13.

When I try to manually renew or obtain a new certificate on DC1, I also receive the error 'Remote calls are not allowed for this process' from the Certificate Request Wizard.

DC2 is in the same physical location, on the same network segment; its own certificate is current. These machines are capable of communicating with each other and successfully synchronize Domain Events.
Their clocks, including date, are synchronized and within the same time zone.
DC2 does not record any events in the Application, System, or Security logs whenever DC1 attempts to obtain a certificate.
DC2 does have the Domain Controller template installed
0
 
LVL 13

Expert Comment

by:IT-Monkey-Dave
ID: 34199628
Make sure both DC1 and DC2 are members of the CERTSVC_DCOM_ACCESS group (or better, make sure both are members of DOMAIN CONTROLLERS and that group is itself a member of the CERTSVC_DCOM_ACCESS group).
0
 
LVL 19

Author Comment

by:Delphineous Silverwing
ID: 34199728
>>> Make sure both DC1 and DC2 are members of the CERTSVC_DCOM_ACCESS group (or better, make sure both are members of DOMAIN CONTROLLERS and that group is itself a member of the CERTSVC_DCOM_ACCESS group).

All Domain Controllers are members of the "Domain Controllers" AD group and that group is a member of "CERTSVC_DCOM_ACCESS".
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 34200273
On DC1 - Open MMC - add snapin for Certificates - local computer - Trusted Root Certification Authorities - Certificates
Make sure the Root CA certificate is installed here, if not then get that from DC2 and copy it over and right click this area to import the root cert.

Also check certtmpl.msc for security permissions to that template for the DC.

Also, check to make sure you are not blocking DCOM traffic between these servers on your software or hardware firewalls
0
 
LVL 19

Author Comment

by:Delphineous Silverwing
ID: 34200369
>>> Make sure the Root CA certificate is installed

Current, valid certificate for DC2 is showing in the Trusted Root CA Certificates

>>> check certtmpl.msc for security permissions to that template for the DC.

Domain Controllers have the default of "Enroll" within the DC Template.  Domain Admins and Enterprise Admins have Read/Write/Enroll

>>> check to make sure you are not blocking DCOM traffic between these servers on your software or hardware firewalls

Firewalls are disabled.
0
 
LVL 13

Expert Comment

by:IT-Monkey-Dave
ID: 34200697
This thread has a number of good suggestions.  Something might click for you.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_23069908.html

0
 
LVL 13

Accepted Solution

by:
IT-Monkey-Dave earned 300 total points
ID: 34201007
Check this registry key on DC1: HKLM\Software\Microsoft\Ole

Make sure EnableDCOM exists there and the value is set to "Y".  If the key doesn't exist, create it.  If it's set to "N" change it to "Y".  A reboot will be required.  

You might review MS KB929494 for related background info etc.  http://support.microsoft.com/kb/929494
0
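A diagnostic script, added here and not part of the thread, that reports the three things the answers point at: the EnableDCOM value under HKLM\Software\Microsoft\Ole from the accepted solution, the CERTSVC_DCOM_ACCESS membership from the first comment, and the Autoenrollment event ID 13 entries from the question. It assumes a local administrator PowerShell session on the affected DC (DC1); the -Fix switch and the function names are my own, and the group lookup uses the WinNT ADSI provider so it runs on Windows 2003 without the AD module.

```powershell
# Added diagnostic script (not from the thread). Assumes a local administrator
# session on the DC being diagnosed; -Fix applies the accepted solution (Y) but
# the reboot it requires is left to the operator.
param(
    [string]$Domain = $env:USERDOMAIN,  # domain that holds CERTSVC_DCOM_ACCESS
    [switch]$Fix                        # set EnableDCOM=Y; a reboot is still needed
)
$olePath = 'HKLM:\SOFTWARE\Microsoft\Ole'
function Get-DcomEnabledState {
    # Returns 'Y', 'N' or 'Missing' for the EnableDCOM REG_SZ value.
    $props = Get-ItemProperty -Path $olePath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.EnableDCOM) { return 'Missing' }
    return [string]$props.EnableDCOM
}
function Get-CertSvcDcomAccessMembers {
    # Direct members of CERTSVC_DCOM_ACCESS via the WinNT ADSI provider.
    $group = [ADSI]"WinNT://$Domain/CERTSVC_DCOM_ACCESS,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}
function Get-RecentAutoEnrollFailures {
    # Application-log entries from the AutoEnrollment source with event ID 13.
    Get-EventLog -LogName Application -Source 'AutoEnrollment' -Newest 50 `
        -ErrorAction SilentlyContinue | Where-Object { $_.EventID -eq 13 }
}
$state = Get-DcomEnabledState
Write-Host "EnableDCOM at $olePath : $state"
if ($state -ne 'Y') {
    if ($Fix) {
        # New-ItemProperty -Force creates the value or overwrites an existing one.
        New-ItemProperty -Path $olePath -Name EnableDCOM -Value 'Y' `
            -PropertyType String -Force | Out-Null
        Write-Host 'EnableDCOM set to Y; reboot before retrying enrollment.'
    } else {
        Write-Host 'DCOM is disabled or unset here; rerun with -Fix to set it to Y.'
    }
}
$members = @(Get-CertSvcDcomAccessMembers)
Write-Host "CERTSVC_DCOM_ACCESS members: $($members -join ', ')"
$self = $env:COMPUTERNAME + '$'   # computer accounts list as NAME$
if ($members -notcontains 'Domain Controllers' -and $members -notcontains $self) {
    Write-Host 'Neither Domain Controllers nor this computer is a direct member.'
}
$failures = @(Get-RecentAutoEnrollFailures)
Write-Host "Recent AutoEnrollment event 13 entries: $($failures.Count)"
```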
 
LVL 31

Expert Comment

by:Paranormastic
ID: 34207692
>>> check certtmpl.msc for security permissions to that template for the DC.

>>> Domain Controllers have the default of "Enroll" within the DC Template. Domain Admins and Enterprise Admins have Read/Write/Enroll

It doesn't matter what the domain admins have - it is a computer template, so users don't matter. If this is only Enroll then you need to add Read as well, and if you plan to use autoenrollment you need to check that too.
0
 
LVL 19

Assisted Solution

by:Delphineous Silverwing
Delphineous Silverwing earned 0 total points
ID: 34310214
This matter was two-fold:
- DCOM was not enabled on the domain controller. Turn it on through DCOMCNFG, reboot the machine and we were able to work with the next layer of the issue.
- The certificate was expired and cannot be renewed. A new key was generated successfully (which didn't work before I enabled DCOM).
0
 
LVL 19

Author Closing Comment

by:Delphineous Silverwing
ID: 34341542
DCOM was part of the equation, an expired certificate and policy not allowing renewal finished the issue.
0