Unable to renew or get new Domain Controller Certificate from Domain Certificate Authority

Posted on 2010-11-23
Last Modified: 2012-05-10
I have a Windows 2003 Domain Controller that is unable to automatically renew its certificate, and I cannot request a new certificate.

Windows 2003 Standard Server (32-bit)
DC1 is the Domain Controller with an expired certificate
DC2 is the Certificate Authority for our domain

Every eight hours DC1 reports 'Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x8001011c).  Remote calls are not allowed for this process.' Autoenrollment Event ID 13.

When I try to manually renew or obtain a new certificate on DC1, I also receive the error 'Remote calls are not allowed for this process' from the Certificate Request Wizard.

DC2 is in the same physical location, on the same network segment; its own certificate is current.  These machines are capable of communicating with each other and successfully synchronize Domain Events.
Their clocks, including date, are synchronized and within the same time zone.
DC2 does not record any events in the Application, System, or Security logs whenever DC1 attempts to obtain a certificate.
DC2 does have the Domain Controller template installed.
Expert Comment by IT-Monkey-Dave (LVL 13), ID: 34199628
Make sure both DC1 and DC2 are members of the CERTSVC_DCOM_ACCESS group (or better, make sure both are members of DOMAIN CONTROLLERS and that group is itself a member of the CERTSVC_DCOM_ACCESS group).
 
Author Comment by Delphineous Silverwing (LVL 19), ID: 34199728
>>> Make sure both DC1 and DC2 are members of the CERTSVC_DCOM_ACCESS group (or better, make sure both are members of DOMAIN CONTROLLERS and that group is itself a member of the CERTSVC_DCOM_ACCESS group).

All Domain Controllers are members of the "Domain Controllers" AD group and that group is a member of "CERTSVC_DCOM_ACCESS".
 
Expert Comment by Paranormastic (LVL 31), ID: 34200273
On DC1 - Open MMC - add snapin for Certificates - local computer - Trusted Root Certification Authorities - Certificates
Make sure the Root CA certificate is installed here, if not then get that from DC2 and copy it over and right click this area to import the root cert.

Also check certtmpl.msc for security permissions to that template for the DC.

Also, check to make sure you are not blocking DCOM traffic between these servers on your software or hardware firewalls.
 
Author Comment by Delphineous Silverwing (LVL 19), ID: 34200369
>>> Make sure the Root CA certificate is installed

Current, valid certificate for DC2 is showing in the Trusted Root CA Certificates

>>> check certtmpl.msc for security permissions to that template for the DC.

Domain Controllers have the default of "Enroll" within the DC Template.  Domain Admins and Enterprise Admins have Read/Write/Enroll.

>>> check to make sure you are not blocking DCOM traffic between these servers on your software or hardware firewalls

Firewalls are disabled.
 
Expert Comment by IT-Monkey-Dave (LVL 13), ID: 34200697
This thread has a number of good suggestions.  Something might click for you.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_23069908.html

 
Accepted Solution by IT-Monkey-Dave (LVL 13), ID: 34201007 (earned 1200 total points)
Check this registry key on DC1: HKLM\Software\Microsoft\Ole

Make sure EnableDCOM exists there and the value is set to "Y".  If the key doesn't exist, create it.  If it's set to "N" change it to "Y".  A reboot will be required.  

You might review MS KB929494 for related background info etc.  http://support.microsoft.com/kb/929494
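The accepted answer checks a single registry value by hand. The script below is an added example (not part of the thread and not from any of its participants) that automates the checks the thread turns on, run on the DC that fails to enroll: the EnableDCOM value under HKLM\Software\Microsoft\Ole, the expiry of any Domain Controller certificate in the machine's personal store, and the Autoenrollment Event ID 13 entries carrying error 0x8001011c. It assumes Windows PowerShell 3 or later running elevated (newer than the Windows 2003 box in the question); the function names are my own.

```powershell
# Added example, not from the thread. Run elevated on the DC that fails to enroll
# (DC1 in the question). Assumes Windows PowerShell 3 or later. Function names are
# hypothetical.

# Check 1: the registry value the accepted answer points at. If DCOM is disabled the
# enrollment client cannot make the DCOM call to the CA, which matches the
# "Remote calls are not allowed for this process" text in the event.
function Test-DcomEnabled {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $value = (Get-ItemProperty -Path $key -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
    $shown = if ($null -eq $value) { '<missing>' } else { $value }
    [pscustomobject]@{
        Key        = $key
        EnableDCOM = $shown
        Ok         = ($value -eq 'Y')   # expected setting per the accepted answer
    }
}

# Check 2: every certificate in the machine store, with the template it was issued
# from and whether it has already expired. The template name lives in the
# "Certificate Template Name" (1.3.6.1.4.1.311.20.2) or "Certificate Template
# Information" (1.3.6.1.4.1.311.21.7) extension.
function Get-DcCertificateStatus {
    $templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $tmpl = $cert.Extensions |
            Where-Object { $templateOids -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Template   = ($tmpl -join '; ')
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
}

# Check 3: the Event ID 13 autoenrollment failures quoted in the question, pulled from
# the Application log and filtered on the 0x8001011c result code.
function Get-AutoenrollFailure {
    param([int]$Newest = 500)   # how many recent error entries to scan
    Get-EventLog -LogName Application -EntryType Error -Newest $Newest -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 13 -and $_.Message -match '0x8001011c' } |
        Select-Object TimeGenerated, Source, EventID,
            @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } }
}

Test-DcomEnabled | Format-List
Get-DcCertificateStatus | Where-Object { $_.Template -match 'Domain ?Controller' } | Format-Table -AutoSize
Get-AutoenrollFailure | Format-Table -AutoSize -Wrap
```

If Check 1 reports Ok = False, fix the value and reboot before re-testing enrollment; Check 2 then tells you whether the existing Domain Controller certificate is already past NotAfter, which is the second half of the problem the author describes later in the thread.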
 
Expert Comment by Paranormastic (LVL 31), ID: 34207692
>>> check certtmpl.msc for security permissions to that template for the DC.

Domain Controllers have the default of "Enroll" within the DC Template.  Domain Admins and Enterprise Admins have Read/Write/Enroll

It doesn't matter what the domain admins have - it is a computer template, so users don't matter.  If this is only Enroll then you need to add Read as well, and if you plan to use autoenrollment you need to check that too.
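To verify Paranormastic's point about the template ACL without clicking through certtmpl.msc, here is an added example script (not from the thread) that reads the security descriptor of a certificate template object from the Configuration partition and reports, per ACE, whether it grants Read, Write, Enroll or Autoenroll. It assumes the ActiveDirectory PowerShell module (RSAT), rights to read the Configuration partition, that the object CN of the "Domain Controller" template is DomainController, and the well-known Enroll/Autoenroll control-access-right GUIDs; the function names are mine. It only evaluates ACEs granted directly to the named group and does not resolve nested membership.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT) and
# rights to read the Configuration partition. Function names are hypothetical.
Import-Module ActiveDirectory

# Well-known control-access-right GUIDs that appear as ObjectType in template ACEs.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$AllRights       = [guid]::Empty   # ExtendedRight ACE with empty ObjectType = every extended right

# True when the rights mask contains the given ActiveDirectoryRights flag.
function Test-AdRight {
    param([System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [System.DirectoryServices.ActiveDirectoryRights]$Flag)
    return (([int]$Rights) -band ([int]$Flag)) -ne 0
}

# One row per ACE on the template object. GenericAll/GenericRead/GenericWrite are
# supersets of ReadProperty/WriteProperty/ExtendedRight, so testing those bits covers
# both the specific and the generic grants.
function Get-TemplatePermission {
    param([Parameter(Mandatory = $true)][string]$TemplateName)   # object CN, e.g. DomainController

    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $acl = Get-Acl -Path "AD:\$dn"

    foreach ($ace in $acl.Access) {
        $r   = $ace.ActiveDirectoryRights
        $ext = Test-AdRight $r 'ExtendedRight'
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType
            Read       = Test-AdRight $r 'ReadProperty'
            Write      = Test-AdRight $r 'WriteProperty'
            Enroll     = $ext -and ($ace.ObjectType -eq $AllRights -or $ace.ObjectType -eq $EnrollRight)
            Autoenroll = $ext -and ($ace.ObjectType -eq $AllRights -or $ace.ObjectType -eq $AutoenrollRight)
        }
    }
}

# Summarise what one group is granted directly. Because this is a computer template,
# the group that matters for a DC is "Domain Controllers", not the admin groups.
function Test-TemplateAccess {
    param([string]$TemplateName = 'DomainController',
          [string]$GroupName    = 'Domain Controllers')

    $allow = Get-TemplatePermission -TemplateName $TemplateName |
        Where-Object { $_.Type -eq 'Allow' -and $_.Identity -like "*\$GroupName" }

    [pscustomobject]@{
        Template   = $TemplateName
        Group      = $GroupName
        Read       = [bool]($allow | Where-Object { $_.Read })
        Enroll     = [bool]($allow | Where-Object { $_.Enroll })
        Autoenroll = [bool]($allow | Where-Object { $_.Autoenroll })   # needed only for autoenrollment
    }
}

Get-TemplatePermission -TemplateName DomainController | Format-Table -AutoSize
Test-TemplateAccess | Format-List
```

A DC that should enroll manually needs Read and Enroll to come back True for its group; for the autoenrollment the question relies on, Autoenroll must be True as well. Deny ACEs are listed by Get-TemplatePermission but deliberately not folded into the summary, so review any Deny rows by hand.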
 
Assisted Solution by Delphineous Silverwing (LVL 19), ID: 34310214 (earned 0 total points)
This matter was two-fold:
- DCOM was not enabled on the domain controller. Turn it on through DCOMCNFG, reboot the machine, and we were able to work with the next layer of the issue.
- The certificate was expired and cannot be renewed. A new key was generated successfully (which didn't work before I enabled DCOM).
 
Author Closing Comment by Delphineous Silverwing (LVL 19), ID: 34341542
DCOM was part of the equation, an expired certificate and policy not allowing renewal finished the issue.