Solved

Unable to renew or get new Domain Controller Certificate from Domain Certificate Authority

Posted on 2010-11-23
9
2,814 Views
Last Modified: 2012-05-10
I have a Windows 2003 Domain Controller that is unable to automatically renew it's Certificate and I cannot request a new certificate.

Windows 2003 Standard Server (32-bit)
DC1 is the Domain Controller with an expired certificate
DC2 is the Certificate Authority for our domain

Every eight hours DC1 reports 'Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x8001011c).  Remote calls are not allowed for this process.' Autoenrollment Event ID 13.

When I try to manually renew or obtain a new certificate on DC1, I also receive the error 'Remote calls are not allowed for this process' from the Certificate Request Wizard.

DC2 is in the same physical location, on the same network segment; it's own certificate is current.  These machines are capable of communicating with each other and successfully synchronize Domain Events.
Their clocks, including date, are syncronized and within the same time zone.
DC2 does not record any events in the Application, System, or Security logs whenever DC1 attempts to obtain a certificate.
DC2 does have the Domain Controller template installed
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 13

Expert Comment

by:IT-Monkey-Dave
ID: 34199628
Make sure both DC1 and DC2 are members of the CERTSVC_DCOM_ACCESS group (or better, make sure both are members of DOMAIN CONTROLLERS and that group is itself a member of the CERTSVC_DCOM_ACCESS group)..
0
 
LVL 19

Author Comment

by:Delphineous Silverwing
ID: 34199728
Make sure both DC1 and DC2 are members of the CERTSVC_DCOM_ACCESS group (or better, make sure both are members of DOMAIN CONTROLLERS and that group is itself a member of the CERTSVC_DCOM_ACCESS group)..

All Domain Controllers are members of the "Domain Controllers" AD group and that group is a member of "CERTSVC_DCOM_ACCESS".
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 34200273
On DC1 - Open MMC - add snapin for Certificates - local computer - Trusted Root Certification Authorities - Certificates
Make sure the Root CA certificate is installed here, if not then get that from DC2 and copy it over and right click this area to import the root cert.

Also check certtmpl.msc for security permissions to that template for the DC.

Also, check to make sure you are not blocking DCOM traffic between these servers on your software or hardware firewalls
0
Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

 
LVL 19

Author Comment

by:Delphineous Silverwing
ID: 34200369
>>> Make sure the Root CA certificate is installed

Current, valid certificate for DC2 is showing in the Trusted Root CA Certificates

>>> check certtmpl.msc for security permissions to that template for the DC.

Domain Controllers have the default of "Enroll" within the DC Template.  Domain Admins and Enterprise Admins have Read/Write/Enroll

>>> check to make sure you are not blocking DCOM traffic between these servers on your software or hardware firewalls

Firewalls are disabled.
0
 
LVL 13

Expert Comment

by:IT-Monkey-Dave
ID: 34200697
This thread has a number of good suggestions.  Something might click for you.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_23069908.html

0
 
LVL 13

Accepted Solution

by:
IT-Monkey-Dave earned 300 total points
ID: 34201007
Check this registry key on DC1: HKLM\Software\Microsoft\Ole

Make sure EnableDCOM exists there and the value is set to "Y".  If the key doesn't exist, create it.  If it's set to "N" change it to "Y".  A reboot will be required.  

You might review MS KB929494 for related background info etc.  http://support.microsoft.com/kb/929494
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 34207692
>>> check certtmpl.msc for security permissions to that template for the DC.

Domain Controllers have the default of "Enroll" within the DC Template.  Domain Admins and Enterprise Admins have Read/Write/Enroll

It doesn't matter what the domain admins have - it is a computer template so users don't matter.  If this is only Enroll then you need to add Read as well, and if you plan to use autoenrollment you need to check that too
0
 
LVL 19

Assisted Solution

by:Delphineous Silverwing
Delphineous Silverwing earned 0 total points
ID: 34310214
This matter was two-fold:
- DCOM was not enabled on the domain controller.
   Turn it on through DCOMCNFG, reboot the machine and we were able
   to work with the next layer of the issue
- The certificate was expired and cannot be renewed.
   A new key was generated successfully (which didn't work before I enabled DCOM)
0
 
LVL 19

Author Closing Comment

by:Delphineous Silverwing
ID: 34341542
DCOM was part of the equation, an expired certificate and policy not allowing renewal finished the issue.
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Time server on domain 3 64
Changing email address in Exchange 2010 2 51
Powershell code to query find desktop PC only 8 37
PowerShell:  foreach where object notmatch? 17 83
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question