DarrinZuroff asked:

Server 2003 Event ID 13 - Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.

I have two Windows Server 2003 SP2 domain controllers, and on one of them I am seeing "Event ID 13 - Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied." repeated over and over.

I have seen reference to adding all domain controllers to the CERTSVC_DCOM_ACCESS security group however that group does not exist.

I have also seen references to making changes using the certificate authority management console; however, when I try to launch it I get the message "Cannot Manage Certificate Services. The specified service does not exist as an installed service."

I happened to check my other domain controller and it does not have the service installed either.

What can I do to fix this problem?
Tags: Windows Server 2003, Active Directory

65td

Have you seen this MS KB re windows 2003 SP1:
http://support.microsoft.com/kb/903220
DarrinZuroff

ASKER
Part of the issue is that I do not have a certificate authority installed on any of my servers, which I also understand now is why the CERTSVC_DCOM_ACCESS group does not exist. Should I install the CA on one of my servers?
65td

Is the MSDTC service running on the DC?
If so restart it.

One could install a CA; it allows for additional security if required, such as SSL for IIS.
See the PKI information on the MS web site:
http://technet.microsoft.com/en-us/library/cc776679%28WS.10%29.aspx
DarrinZuroff

ASKER
I just restarted the MSDTC service, but I will have to wait to see if I still receive the error since it is logged once every 8 hours.

I guess my main focus right now is to determine why the error is being logged and how to fix the problem so I am not going to install CA if it is not required.
DarrinZuroff

ASKER
I take that back. I found out I can force the auto enrollment by running gpupdate /force; however, I am still receiving the error after restarting the MSDTC service.
65td

Is the DC group a member of the CERTSVC_DCOM_ACCESS group?

See: http://www.minasi.com/forum/topic.asp?TOPIC_ID=14769
DarrinZuroff

ASKER
As mentioned above that group does not exist because I do not currently have a CA installed.
ASKER CERTIFIED SOLUTION
DarrinZuroff

ASKER
I resolved the issue on my own by removing the CA from my domain.
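An added check, not part of the thread, for the situation the asker ended up in: autoenrollment on a DC only tries to enroll when a CA is published in the Enrollment Services container of the Configuration partition, so a CA entry there with no Certificate Services actually running behind it is what produces these Event ID 13 errors and is what "removing the CA from my domain" corresponds to. The script assumes PowerShell 2.0 or later, read access to the Configuration partition, and WMI access to the published CA host; it uses plain ADSI so it does not need the ActiveDirectory module.

```powershell
# Added example (not from the thread): list the CA entries that autoenrollment reads
# from Active Directory and flag ones whose host no longer runs Certificate Services.
# Assumptions: PowerShell 2.0+, domain-joined machine, WMI reachable on the CA host.

$rootDse   = [ADSI]"LDAP://RootDSE"
$configNc  = $rootDse.configurationNamingContext
$container = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$container
$searcher.Filter     = "(objectClass=pKIEnrollmentService)"
$searcher.PropertiesToLoad.AddRange(@("cn", "dNSHostName", "certificateTemplates"))

$results = $searcher.FindAll()
if ($results.Count -eq 0) {
    "No enrollment services are published; DCs will not attempt autoenrollment."
} else {
    foreach ($r in $results) {
        # DirectorySearcher returns property names in lowercase.
        $caName    = $r.Properties["cn"][0]
        $caHost    = $r.Properties["dnshostname"][0]
        $templates = @($r.Properties["certificatetemplates"])

        "CA '{0}' is published on host {1}" -f $caName, $caHost
        "  Templates offered: {0}" -f ($templates -join ", ")

        # A published CA whose host has no CertSvc service is a stale entry:
        # DCs keep trying to enroll against it and log Event ID 13 each cycle.
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $caHost `
               -Filter "Name='CertSvc'" -ErrorAction SilentlyContinue
        if ($svc -eq $null) {
            "  WARNING: CertSvc not found on $caHost; this entry is probably stale."
        } else {
            "  CertSvc state on {0}: {1}" -f $caHost, $svc.State
        }
    }
}
```

Run it on the DC that logs the error; every entry it prints is a CA the DC will try to enroll against, so an entry flagged as stale (or one for a server that no longer exists) is the object to remove from the domain.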