Server 2003 Event ID 13 - Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied.

DarrinZuroff
I have two Windows Server 2003 SP2 domain controllers, and on one of them I am seeing "Event ID 13 - Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied." repeated over and over.

I have seen reference to adding all domain controllers to the CERTSVC_DCOM_ACCESS security group however that group does not exist.

I have also seen references to making changes using the certificate authority management console however when I try to launch it I get the message "Cannot Manage Certificate Services.  The specified service does not exist as an installed service."

I happened to check my other domain controller and it does not have the service installed either.

What can I do to fix this problem?

Commented:
Have you seen this MS KB regarding Windows 2003 SP1:
http://support.microsoft.com/kb/903220

Author

Commented:
Part of the issue is I do not have certificate authority installed on any of my servers which I also understand now is why the CERTSVC_DCOM_ACCESS group does not exist.  Should I install the CA on one of my servers?

Commented:
Is the MSDTC service running on the DC?
If so restart it.

One could install a CA to allow for additional security if required, such as SSL for IIS.
See PKI information MS web site:
http://technet.microsoft.com/en-us/library/cc776679%28WS.10%29.aspx 

Author

Commented:
I just restarted the MSDTC service but I will have to wait to see if I still receive the error since it is logged once every 8 hours.  

I guess my main focus right now is to determine why the error is being logged and how to fix the problem so I am not going to install CA if it is not required.

Author

Commented:
I take that back.  I found out I can force the auto enrollment by running gpupdate /force, however I am still receiving the error after restarting the MSDTC service.

Commented:
Is the DC group a member of the CERTSVC_DCOM_ACCESS group?

See: http://www.minasi.com/forum/topic.asp?TOPIC_ID=14769

Author

Commented:
As mentioned above that group does not exist because I do not currently have a CA installed.
I found out there was a CA installed at one time and was not properly removed.  I followed the recommended steps to remove the CA from my domain suggested by Microsoft and resolved the issue.

Author

Commented:
I resolved the issue on my own by removing the CA from my domain.
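The thread resolves once the leftover objects of a CA that was never properly decommissioned are removed from Active Directory. Domain controllers auto-enroll against whatever is registered under CN=Enrollment Services in the Configuration partition, so a stale entry there keeps every DC retrying a CA that no longer exists. The script below is an added example, not part of the original thread and not Microsoft's decommission procedure: it lists what is registered under the standard PKI containers, checks whether Certificate Services is installed locally, and pings each registered CA with certutil so a dead one stands out. It assumes PowerShell with certutil.exe on a domain member and an account that can read the Configuration partition.

```powershell
# Added example (not from the original thread or from Microsoft's KB procedure).
# Lists the objects an enterprise CA leaves in the Configuration partition and
# pings each CA still registered for enrollment, so a CA that was installed once
# and never cleanly removed shows up before you go and delete its objects.
# Assumptions: PowerShell plus certutil.exe on a domain member, running as an
# account that can read the Configuration partition; container names are the
# standard ones under CN=Public Key Services.

$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# Is Certificate Services installed on this machine at all? The thread's
# "specified service does not exist as an installed service" means it is not.
$certSvc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
if ($certSvc) { Write-Host "Local CertSvc status: $($certSvc.Status)" }
else          { Write-Host "Local CertSvc: not installed" }

# Containers an enterprise CA populates at install time and that a clean
# decommission empties again. Anything listed here with no live CA behind it
# is a leftover.
foreach ($name in "Enrollment Services", "Certification Authorities", "AIA", "CDP") {
    $container = [ADSI]"LDAP://CN=$name,$pkiBase"
    Write-Host "`n== CN=$name,$pkiBase =="
    foreach ($child in $container.Children) {
        Write-Host ("  {0,-24} {1}" -f $child.SchemaClassName, $child.distinguishedName)
    }
}

# Each pKIEnrollmentService object tells auto-enrolling clients (DCs included)
# to submit requests to "dNSHostName\cn". Ping each one; a CA that does not
# answer is the candidate stale object behind the repeated Event ID 13.
Write-Host "`n== Enrollment service reachability =="
$enrollSvc = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
foreach ($ca in $enrollSvc.Children) {
    $config = "$($ca.dNSHostName)\$($ca.cn)"
    $null = & certutil.exe -config $config -ping 2>&1
    if ($LASTEXITCODE -eq 0) { Write-Host "  OK     $config" }
    else                     { Write-Host "  STALE? $config (certutil -ping failed, exit $LASTEXITCODE)" }
}
```

Run it on the DC that logs the event. An Enrollment Services entry whose ping fails, on a domain where no server has CertSvc installed, is exactly the situation the author describes; the removal itself should follow Microsoft's published decommission steps rather than ad-hoc deletion, since the same containers also hold the CA certificate and CRL publication points that other objects reference.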
