DarrinZuroff asked:

Server 2003 Event ID 13 - Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.

I have two Windows Server 2003 SP2 domain controllers, and on one of them I am seeing "Event ID 13 - Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied." repeated over and over.

I have seen references to adding all domain controllers to the CERTSVC_DCOM_ACCESS security group; however, that group does not exist.

I have also seen references to making changes using the Certificate Authority management console; however, when I try to launch it, I get the message "Cannot Manage Certificate Services. The specified service does not exist as an installed service."

I happened to check my other domain controller and it does not have the service installed either.

What can I do to fix this problem?
Windows Server 2003, Active Directory

Last comment: 8/22/2022 - Mon

Have you seen this MS KB regarding Windows 2003 SP1:

Part of the issue is I do not have certificate authority installed on any of my servers which I also understand now is why the CERTSVC_DCOM_ACCESS group does not exist.  Should I install the CA on one of my servers?

Is the MSDTC service running on the DC?
If so restart it.

One could install a CA; it allows for additional security if required, such as SSL for IIS.
See PKI information MS web site:

I just restarted the MSDTC service, but I will have to wait to see if I still receive the error, since it is logged once every 8 hours.

I guess my main focus right now is to determine why the error is being logged and how to fix the problem, so I am not going to install a CA if it is not required.

I take that back. I found out I can force the auto-enrollment by running gpupdate /force; however, I am still receiving the error after restarting the MSDTC service.

Is the DC group a member of the CERTSVC_DCOM_ACCESS group?


As mentioned above, that group does not exist because I do not currently have a CA installed.


I resolved the issue on my own by removing the CA from my domain.
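A read-only check for the situation in this thread (no CA service installed anywhere, yet domain controllers keep trying to auto-enroll against one), written as an added PowerShell example that is not part of the original thread. It assumes the leftover that autoenrollment is chasing is a pKIEnrollmentService object in the Configuration partition, and it only reports; the `-ping` call and the group lookup are the checks, not a fix.

```powershell
# Added example, not from the thread: list CA objects that Active Directory still
# advertises to autoenrollment clients and test whether each CA actually answers.
# Assumption: the stale CA behind Event ID 13 (0x80070005) on the DC is a leftover
# pKIEnrollmentService object under the Configuration naming context.
$rootDse   = [ADSI]"LDAP://RootDSE"
$configNc  = [string]$rootDse.configurationNamingContext
$domainNc  = [string]$rootDse.defaultNamingContext
$container = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter      = "(objectClass=pKIEnrollmentService)"
$searcher.SearchScope = "OneLevel"
foreach ($p in "cn", "dNSHostName", "certificateTemplates") {
    [void]$searcher.PropertiesToLoad.Add($p)
}

$published = $searcher.FindAll()
if ($published.Count -eq 0) {
    Write-Host "No enrollment service is published in AD; autoenrollment has nothing to contact."
}

foreach ($entry in $published) {
    # DirectorySearcher returns property names in lower case.
    $caName    = [string]$entry.Properties["cn"][0]
    $caHost    = [string]$entry.Properties["dnshostname"][0]
    $templates = @($entry.Properties["certificatetemplates"])

    # certutil -ping reaches the CA over DCOM, the same path autoenrollment uses.
    # A non-zero exit code means AD advertises this CA but nothing answers for it.
    $null  = & certutil.exe -config "$caHost\$caName" -ping 2>&1
    $alive = ($LASTEXITCODE -eq 0)

    # The DC's Event ID 13 concerns the DomainController template specifically.
    $offersDcTemplate = $templates -contains "DomainController"
    $state = if ($alive) { "responding" } else { "STALE (advertised in AD, no CA answers)" }
    Write-Host ("{0} on {1}: {2}; offers DomainController template: {3}" -f `
        $caName, $caHost, $state, $offersDcTemplate)
}

# Cross-check from the thread: CERTSVC_DCOM_ACCESS only exists once CA setup has run,
# so a published CA object with no such group points at a CA removed without AD cleanup.
$grpSearch = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainNc")
$grpSearch.Filter = "(&(objectClass=group)(sAMAccountName=CERTSVC_DCOM_ACCESS))"
if ($grpSearch.FindOne()) { Write-Host "CERTSVC_DCOM_ACCESS group exists." }
else { Write-Host "CERTSVC_DCOM_ACCESS group does not exist in this domain." }
```

Run it on a domain controller as a user with read access to the Configuration partition; an entry reported as STALE is the object the thread's resolution ("removing the CA from my domain") would have cleaned up.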