Solved

Unable to renew or get new Domain Controller Certificate from Domain Certificate Authority

Posted on 2010-11-23
Last Modified: 2012-05-10
I have a Windows 2003 Domain Controller that is unable to automatically renew its certificate, and I cannot request a new certificate.

Windows 2003 Standard Server (32-bit)
DC1 is the Domain Controller with an expired certificate
DC2 is the Certificate Authority for our domain

Every eight hours DC1 reports 'Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x8001011c).  Remote calls are not allowed for this process.' Autoenrollment Event ID 13.

When I try to manually renew or obtain a new certificate on DC1, I also receive the error 'Remote calls are not allowed for this process' from the Certificate Request Wizard.

DC2 is in the same physical location, on the same network segment; its own certificate is current.  These machines are capable of communicating with each other and successfully synchronize Domain Events.
Their clocks, including date, are synchronized and within the same time zone.
DC2 does not record any events in the Application, System, or Security logs whenever DC1 attempts to obtain a certificate.
DC2 does have the Domain Controller template installed.
 
LVL 13

Expert Comment

by:IT-Monkey-Dave
ID: 34199628
Make sure both DC1 and DC2 are members of the CERTSVC_DCOM_ACCESS group (or better, make sure both are members of DOMAIN CONTROLLERS and that group is itself a member of the CERTSVC_DCOM_ACCESS group).
 
LVL 19

Author Comment

by:Delphineous Silverwing
ID: 34199728
>>> Make sure both DC1 and DC2 are members of the CERTSVC_DCOM_ACCESS group (or better, make sure both are members of DOMAIN CONTROLLERS and that group is itself a member of the CERTSVC_DCOM_ACCESS group).

All Domain Controllers are members of the "Domain Controllers" AD group and that group is a member of "CERTSVC_DCOM_ACCESS".
 
LVL 31

Expert Comment

by:Paranormastic
ID: 34200273
On DC1 - Open MMC - add snapin for Certificates - local computer - Trusted Root Certification Authorities - Certificates
Make sure the Root CA certificate is installed here; if not, get it from DC2, copy it over, and right-click this area to import the root cert.

Also check certtmpl.msc for security permissions to that template for the DC.

Also, check to make sure you are not blocking DCOM traffic between these servers on your software or hardware firewalls.
 
LVL 19

Author Comment

by:Delphineous Silverwing
ID: 34200369
>>> Make sure the Root CA certificate is installed

Current, valid certificate for DC2 is showing in the Trusted Root CA Certificates

>>> check certtmpl.msc for security permissions to that template for the DC.

Domain Controllers have the default of "Enroll" within the DC Template.  Domain Admins and Enterprise Admins have Read/Write/Enroll.

>>> check to make sure you are not blocking DCOM traffic between these servers on your software or hardware firewalls

Firewalls are disabled.
 
LVL 13

Expert Comment

by:IT-Monkey-Dave
ID: 34200697
This thread has a number of good suggestions.  Something might click for you.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_23069908.html

 
LVL 13

Accepted Solution

by:IT-Monkey-Dave (earned 1200 total points)
ID: 34201007
Check this registry key on DC1: HKLM\Software\Microsoft\Ole

Make sure EnableDCOM exists there and the value is set to "Y".  If the key doesn't exist, create it.  If it's set to "N", change it to "Y".  A reboot will be required.

You might review MS KB929494 for related background info etc.  http://support.microsoft.com/kb/929494
 
LVL 31

Expert Comment

by:Paranormastic
ID: 34207692
>>> check certtmpl.msc for security permissions to that template for the DC.

>>> Domain Controllers have the default of "Enroll" within the DC Template.  Domain Admins and Enterprise Admins have Read/Write/Enroll

It doesn't matter what the domain admins have - it is a computer template, so users don't matter.  If this is only Enroll then you need to add Read as well, and if you plan to use autoenrollment you need to check that too.
 
LVL 19

Assisted Solution

by:Delphineous Silverwing (earned 0 total points)
ID: 34310214
This matter was two-fold:
- DCOM was not enabled on the domain controller. Turn it on through DCOMCNFG, reboot the machine, and we were able to work with the next layer of the issue.
- The certificate was expired and cannot be renewed. A new key was generated successfully (which didn't work before I enabled DCOM).
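The checks behind the accepted solution (EnableDCOM under HKLM\Software\Microsoft\Ole) and the two-fold diagnosis above, gathered into one read-only PowerShell health check; this is an added example, not a script from the thread or from Microsoft. It assumes the default names used in the thread (CERTSVC_DCOM_ACCESS, Domain Controllers, the DomainController template) and the Windows 2003 "AutoEnrollment" event source; it reports findings and changes nothing.

```powershell
# Added example (not from the thread). Run in an elevated session on the DC
# that fails to enroll (DC1 here). Read-only: it reports, it does not fix.

$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

# 1. DCOM switch. With EnableDCOM missing or "N", the Certificate Request
#    Wizard and autoenrollment fail with 0x8001011c, as in the question.
$enableDcom = (Get-ItemProperty -Path $oleKey -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
if ($enableDcom -eq 'Y') {
    Write-Output 'EnableDCOM = Y (OK)'
} else {
    Write-Warning "EnableDCOM is '$enableDcom'; DCOM enrollment fails until it is 'Y' and the server is rebooted."
}

# 2. Is "Domain Controllers" a direct member of CERTSVC_DCOM_ACCESS?
#    ADSI search against the current domain; assumes the default group names.
$group = ([adsisearcher]'(sAMAccountName=CERTSVC_DCOM_ACCESS)').FindOne()
if ($null -eq $group) {
    Write-Warning 'CERTSVC_DCOM_ACCESS group not found in this domain.'
} else {
    $members = @($group.Properties['member'] | ForEach-Object { "$_" })
    if ($members -match '^CN=Domain Controllers,') {
        Write-Output 'Domain Controllers is a member of CERTSVC_DCOM_ACCESS (OK)'
    } else {
        Write-Warning 'Domain Controllers is not a direct member of CERTSVC_DCOM_ACCESS.'
    }
}

# 3. Expiry of local certificates issued from the DomainController template.
#    Assumption: the template-name extension (OID 1.3.6.1.4.1.311.20.2)
#    formats as the template name, e.g. "DomainController".
$tmplOid = '1.3.6.1.4.1.311.20.2'
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $tmplOid }
    if ($ext -and $ext.Format($false) -match 'DomainController') {
        $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays
        $state = if ($daysLeft -lt 0) { 'EXPIRED' } else { "$daysLeft days left" }
        Write-Output ('DC cert {0} ({1}): {2}' -f $_.Subject, $_.Thumbprint, $state)
    }
}

# 4. Most recent autoenrollment failures (Event ID 13 in the Application log;
#    assumes the Windows 2003 source name "AutoEnrollment").
Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.EventID -eq 13 -and $_.Source -like 'AutoEnrollment*' } |
    Select-Object -First 3 TimeGenerated, Message
```

A warning from step 1 together with step 4 showing the 0x8001011c text is the pattern this thread describes; fixing it still requires setting EnableDCOM to "Y" (or using DCOMCNFG) and rebooting, then requesting a new certificate.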
 
LVL 19

Author Closing Comment

by:Delphineous Silverwing
ID: 34341542
DCOM was part of the equation; an expired certificate and a policy not allowing renewal finished the issue.
