Solved

Unable to renew or get new Domain Controller Certificate from Domain Certificate Authority

Posted on 2010-11-23
9
2,873 Views
Last Modified: 2012-05-10
I have a Windows 2003 Domain Controller that is unable to automatically renew it's Certificate and I cannot request a new certificate.

Windows 2003 Standard Server (32-bit)
DC1 is the Domain Controller with an expired certificate
DC2 is the Certificate Authority for our domain

Every eight hours DC1 reports 'Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x8001011c).  Remote calls are not allowed for this process.' Autoenrollment Event ID 13.

When I try to manually renew or obtain a new certificate on DC1, I also receive the error 'Remote calls are not allowed for this process' from the Certificate Request Wizard.

DC2 is in the same physical location, on the same network segment; it's own certificate is current.  These machines are capable of communicating with each other and successfully synchronize Domain Events.
Their clocks, including date, are syncronized and within the same time zone.
DC2 does not record any events in the Application, System, or Security logs whenever DC1 attempts to obtain a certificate.
DC2 does have the Domain Controller template installed
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 13

Expert Comment

by:IT-Monkey-Dave
ID: 34199628
Make sure both DC1 and DC2 are members of the CERTSVC_DCOM_ACCESS group (or better, make sure both are members of DOMAIN CONTROLLERS and that group is itself a member of the CERTSVC_DCOM_ACCESS group)..
0
 
LVL 19

Author Comment

by:Delphineous Silverwing
ID: 34199728
Make sure both DC1 and DC2 are members of the CERTSVC_DCOM_ACCESS group (or better, make sure both are members of DOMAIN CONTROLLERS and that group is itself a member of the CERTSVC_DCOM_ACCESS group)..

All Domain Controllers are members of the "Domain Controllers" AD group and that group is a member of "CERTSVC_DCOM_ACCESS".
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 34200273
On DC1 - Open MMC - add snapin for Certificates - local computer - Trusted Root Certification Authorities - Certificates
Make sure the Root CA certificate is installed here, if not then get that from DC2 and copy it over and right click this area to import the root cert.

Also check certtmpl.msc for security permissions to that template for the DC.

Also, check to make sure you are not blocking DCOM traffic between these servers on your software or hardware firewalls
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 19

Author Comment

by:Delphineous Silverwing
ID: 34200369
>>> Make sure the Root CA certificate is installed

Current, valid certificate for DC2 is showing in the Trusted Root CA Certificates

>>> check certtmpl.msc for security permissions to that template for the DC.

Domain Controllers have the default of "Enroll" within the DC Template.  Domain Admins and Enterprise Admins have Read/Write/Enroll

>>> check to make sure you are not blocking DCOM traffic between these servers on your software or hardware firewalls

Firewalls are disabled.
0
 
LVL 13

Expert Comment

by:IT-Monkey-Dave
ID: 34200697
This thread has a number of good suggestions.  Something might click for you.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_23069908.html

0
 
LVL 13

Accepted Solution

by:
IT-Monkey-Dave earned 300 total points
ID: 34201007
Check this registry key on DC1: HKLM\Software\Microsoft\Ole

Make sure EnableDCOM exists there and the value is set to "Y".  If the key doesn't exist, create it.  If it's set to "N" change it to "Y".  A reboot will be required.  

You might review MS KB929494 for related background info etc.  http://support.microsoft.com/kb/929494
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 34207692
>>> check certtmpl.msc for security permissions to that template for the DC.

Domain Controllers have the default of "Enroll" within the DC Template.  Domain Admins and Enterprise Admins have Read/Write/Enroll

It doesn't matter what the domain admins have - it is a computer template so users don't matter.  If this is only Enroll then you need to add Read as well, and if you plan to use autoenrollment you need to check that too
0
 
LVL 19

Assisted Solution

by:Delphineous Silverwing
Delphineous Silverwing earned 0 total points
ID: 34310214
This matter was two-fold:
- DCOM was not enabled on the domain controller.
   Turn it on through DCOMCNFG, reboot the machine and we were able
   to work with the next layer of the issue
- The certificate was expired and cannot be renewed.
   A new key was generated successfully (which didn't work before I enabled DCOM)
0
 
LVL 19

Author Closing Comment

by:Delphineous Silverwing
ID: 34341542
DCOM was part of the equation, an expired certificate and policy not allowing renewal finished the issue.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Suggested Courses

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question