AutoEnrollment Error in Application Log

Posted on 2011-10-17
Last Modified: 2012-05-12

I've inherited a very messy and unmaintained network.

I'm receiving the following error every 8 hours in the Application Log of my Domain Controller:

Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied.

I have googled several articles and most, if not all, deal with a Certificate Authority server.  However, I do not have a Certificate Authority server installed.

The server is running Windows 2003 SP2 and it is missing only recent Windows Updates.  It is the only Domain Controller.  (I forcibly removed an old DC a few weeks ago which was no longer connected to the network.  A dcpromo may have been run, but it certainly wasn't complete.)

I can find no other related error messages in any other Event Log.  The Event Logs are quite clean, with the exception of this error message.

Assistance is greatly appreciated.


Question by: akerrigan

    Accepted Solution

    Have you checked to see if your Active Directory ever had at some point in time a CA?  (perhaps the old DC, or some other server?)

    Here's some help in removing traces of old defunct CAs in Active Directory:

    BTW, you *should* have a CA somewhere.  It doesn't take very much to maintain after installation, and it opens you up to possibilities such as: WPA Enterprise wireless security, IPSEC for VPNs, and others.
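
One way to run the check suggested in the answer above, as an added example that is not part of the original thread: a read-only PowerShell query that lists the CA-related objects published under the Public Key Services container of the configuration partition and tests whether each enrollment service's host still resolves. It assumes PowerShell 2.0 or later on a domain-joined machine and an account that can read the configuration partition.

```powershell
# Added example: read-only inventory of CA objects published in Active Directory.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.Properties['configurationNamingContext'].Value
$pkiBase  = "LDAP://CN=Public Key Services,CN=Services,$configNC"

if (-not [System.DirectoryServices.DirectoryEntry]::Exists($pkiBase)) {
    'No Public Key Services container was found in the configuration partition.'
    return
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]$pkiBase
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
# Enrollment Services entries are what autoenrollment clients use to locate a CA;
# certificationAuthority objects hold published CA certificates.
$searcher.Filter = '(|(objectClass=pKIEnrollmentService)(objectClass=certificationAuthority))'
foreach ($attr in 'cn', 'dNSHostName', 'objectClass', 'whenCreated', 'distinguishedName') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$found = @()
foreach ($r in $searcher.FindAll()) {
    $p       = $r.Properties            # attribute names are lower-case in search results
    $classes = @($p['objectclass'])     # last value is the most specific class
    $caHost  = ''
    if ($p['dnshostname'].Count -gt 0) { $caHost = [string]$p['dnshostname'][0] }

    # A published CA whose host no longer resolves is a candidate stale entry.
    $resolves = 'n/a'
    if ($caHost) {
        try   { [void][System.Net.Dns]::GetHostEntry($caHost); $resolves = 'yes' }
        catch { $resolves = 'NO' }
    }

    $found += New-Object PSObject -Property @{
        Class        = [string]$classes[-1]
        Name         = [string]$p['cn'][0]
        Host         = $caHost
        HostResolves = $resolves
        Created      = $p['whencreated'][0]
        DN           = [string]$p['distinguishedname'][0]
    }
}

if ($found.Count -eq 0) {
    'No CA objects are published in Active Directory.'
} else {
    $found | Sort-Object Class, Name | Format-List Class, Name, Host, HostResolves, Created, DN
}
```

An entry with `HostResolves = NO` points at a server that no longer exists and is worth comparing against the list of machines that were ever domain controllers or CA hosts.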

    Author Comment

    There appears to have never been a CA.


    Author Closing Comment

    Added a Certificate Authority, and the error disappeared.
