• Status: Solved

Domain Controllers getting Event ID 13: Autoenrollment

I am running a 2003 AD forest and domain with three DCs.
One of the DCs is a CA for our WPA2 Enterprise EAP authentication.
The other two are getting Event ID 13:
Event Type:      Error
Event Source:      AutoEnrollment
Event Category:      None
Event ID:      13
Date:            10/31/2011
Time:            5:37:15 AM
User:            N/A
Computer:      AD02
Description:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I have tried suggestions from both EVENTID.NET and Microsoft.com KB's, but none of these seem to resolve the issue.
Here is what I did so far:
1: Added both DCs to CERTSVC_DCOM_ACCESS (but have not rebooted the servers since I did so)
2: Modified the security permission to the "\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA" by removing the everyone group and adding the System group
3: Ran certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG and received this error
C:\>certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
CertUtil: -setreg command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.
4: The final piece of info that I can give you is that the RSA folder contains hundreds of files that match the time of the raised events in Event Viewer.
Asked by: yo_bee
3 Solutions
Shmoid commented:
On your CA, check the Domain Controller template to be sure the DC's have read, enroll and autoenroll permissions.  

yo_bee (Director of IT, Author) commented:
When I right click the Template all I see is:
[screenshot not reproduced]

Shmoid commented:
Sorry, I should have been more specific. You will need to launch the Certificate Templates snap-in, not the Certification Authority snap-in that shows installed templates. On your CA click START | Run and enter "certtmpl.msc". There you will be able to check the permissions.

yo_bee (Director of IT, Author) commented:
Ok I just made this change.  Is that correct?

[screenshot: CA Security setting]

Shmoid commented:
Yes, that looks correct. Was Read the only change needed? If so, that may not have been the problem. If you are still getting the error, the next thing to check is that the DCs are members of the group. If they are not, add them. If that does not work, check connectivity from one of the failing DCs to the CA.
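The two checks in this answer (Enroll/AutoEnroll rights on the Domain Controller template, and which DCs are actually in CERTSVC_DCOM_ACCESS) can be audited with a script; the PowerShell below is an added example, not from the thread or from Microsoft. It assumes the CA is a domain member so that CERTSVC_DCOM_ACCESS exists as a domain group in AD, and that the template keeps its default name DomainController; it is read-only and changes nothing.

```powershell
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$configDn = [string]$rootDse.configurationNamingContext
# Well-known AD control-access right GUIDs that template ACEs refer to.
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment

function Get-DcTemplatePermissions {
    # One row per ACE on the DomainController template that grants Enroll, AutoEnroll
    # or all extended rights. "Domain Controllers" should show Enroll and AutoEnroll as Allow.
    $tpl = [ADSI]"LDAP://CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configDn"
    $tpl.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        ForEach-Object {
            $right = $null
            if     ($_.ObjectType -eq $EnrollGuid)     { $right = 'Enroll' }
            elseif ($_.ObjectType -eq $AutoEnrollGuid) { $right = 'AutoEnroll' }
            elseif ($_.ObjectType -eq [Guid]::Empty -and
                    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
                $right = 'AllExtendedRights'
            }
            if ($right) {
                New-Object PSObject -Property @{
                    Identity = $_.IdentityReference.Value
                    Right    = $right
                    Type     = $_.AccessControlType   # Allow or Deny
                }
            }
        }
}

function Get-DcsMissingFromCertSvcGroup {
    # DCs whose computer account is not in CERTSVC_DCOM_ACCESS. Even once added,
    # the DC's own access token only picks the group up on reboot, which is why
    # event 13 keeps firing until the DC is restarted.
    $finder = New-Object System.DirectoryServices.DirectorySearcher
    $finder.SearchRoot = [ADSI]"LDAP://$domainDn"
    $finder.Filter = '(&(objectClass=group)(cn=CERTSVC_DCOM_ACCESS))'
    $grp = $finder.FindOne()
    if (-not $grp) { throw 'CERTSVC_DCOM_ACCESS not found in the domain (is the CA a domain member?)' }
    $members = @($grp.Properties['member']) | ForEach-Object { "$_".ToLower() }
    $finder.SearchRoot = [ADSI]"LDAP://OU=Domain Controllers,$domainDn"
    $finder.Filter = '(objectClass=computer)'
    $finder.FindAll() | ForEach-Object {
        $dn = [string]$_.Properties['distinguishedname'][0]
        if ($members -notcontains $dn.ToLower()) { $dn }
    }
}
Get-DcTemplatePermissions | Format-Table Identity, Right, Type -AutoSize
Get-DcsMissingFromCertSvcGroup
```

Any DC listed by the second function is a candidate for the 0x80070005 in the event text; an empty list with event 13 still firing points at the template ACL or at a DC that has not been rebooted since it was added to the group.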

yo_bee (Director of IT, Author) commented:
I added them to CERTSVC_DCOM_ACCESS prior to posting this question.
I will know more tomorrow when I check the logs.

Keeping my fingers crossed.


Shmoid commented:
I missed something in your original post. You will definitely need to reboot for the group changes to take effect.

yo_bee (Director of IT, Author) commented:
Ok.
I will do that this evening.

yo_bee (Director of IT, Author) commented:
Thanks so much.
I was able to reboot the Seattle DC and the event log shows a successful AutoEnrollment.

I am surprised that there were not more responses.