Member_2_6492660_1

Event ID 13 16 10006 and 10016 on Windows 2003 DC's

Windows 2003 Server SP2 Enterprise Edition
I have 2 (two) DC's both the same as above
Been running great for a long time

All of a sudden I am getting these errors

On DC1
Event ID 16 AutoEnrollment
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied.

Event ID 13 AutoEnrollment
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied.

Event ID 10006 DCOM
DCOM got error "%2147942405" from the computer serv012.our.network.mydomain.com when attempting to
activate the server:
{D99E6E74-FC88-11D0-B498-00A0C90312F3}

On DC2 (this DC holds all the roles and runs CertMGR)
Event ID 10016 DCOM
The machine-default permission settings do not grant Remote Activation permission for the COM Server application with CLSID
{D99E6E74-FC88-11D0-B498-00A0C90312F3}
 to the user OUR\SERV011$ SID (S-1-5-21-3054588571-1341459584-784128302-3106).  This security permission can be modified using the Component Services administrative tool.


How can I fix this?

Thanks for any help
Windows Server 2003, Active Directory

Last Comment
Member_2_6492660_1

8/22/2022 - Mon
becraig

Can you verify if your servers are members of the following group
CERTSRV_DCOM_ACCESS

Please also verify that the correct permissions are on DC

Go to the certificate authority manager, go to the properties of your CA, go to the Security tab, and ensure that you allow computers to read and request certificates.
Member_2_6492660_1

ASKER
Following are members of CERTSRV_DCOM_ACCESS

Domain Computers
Domain Controllers
Domain Users

I hope you meant check Certification Authority
The security tab has
Administrators Issue and Manage Certificates and Manage CA
Authenticated Users  Issue and Manage Certificates and Manage CA
Domain Admins Issue and Manage Certificates and Manage CA
Enterprise Admins Issue and Manage Certificates and Manage CA


That's it. Anything missing or wrong?

Nothing has changed in a long long time
becraig

Please grant Read & Enroll permissions to Domain Computers.

Once done you can try rebooting your DC; it should automatically enroll.
Member_2_6492660_1

ASKER
Thanks for responding

Only permissions I have to select from are

Read
Issue and Manage Certificates
Manage CA
Request Certificates

Am I missing something here?
becraig

Request Certificates - Enroll
Read - Read
Member_2_6492660_1

ASKER
Ok added Read and Request Certificates

Restart Both DC's or just the one with event 13 and 16?
becraig

Just the one with 13 and 16
Member_2_6492660_1

ASKER
Great, thanks. Will schedule for later; have users on now.
Member_2_6492660_1

ASKER
becraig

I was able to restart the DC

After restart the same errors appear: Event ID 13 and 16.
becraig

Can you look at the event log of the CA.

Let's see what errors we got when it tried to enroll for a cert.
Member_2_6492660_1

ASKER
Do you mean on the server that is running the CA?

if so getting event id 10016

The machine-default permission settings do not grant Remote Activation permission for the COM Server application with CLSID
{D99E6E74-FC88-11D0-B498-00A0C90312F3}
 to the user OUR\SERV011$ SID (S-1-5-21-3054588571-1341459584-784128302-3106).  This security permission can be modified using the Component Services administrative tool.
becraig

That error on TechNet indicates a resolution:
http://technet.microsoft.com/en-us/library/cc726313%28v=ws.10%29.aspx

I, however, still think this looks like an enrollment error; you can give the MS fix a try.

Also, what is the state of the certificate services in the service control panel on the CA server?
becraig

Also just to add additional info what do you see in
c:\windows\system32\CertEnroll.log
Member_2_6492660_1

ASKER
Thanks

That relates to Windows 2008 servers; this is Windows 2003.

No comexp.msc file on my system.


No Revoked Certificates
Issued Certificates are all green
No Pending Certificates
No Failed Certificates
ASKER CERTIFIED SOLUTION
becraig

Member_2_6492660_1

ASKER
Thanks

The setting was default so I changed it per the article above.

Have to bounce both servers now

But not till the weekend
becraig

Ok keep me posted
Member_2_6492660_1

ASKER
Did not have to restart the servers. Looks like the change fixed the problems; over 24 hours, no messages.

MS sent an update out today; need to restart servers, will do this weekend.

thanks for your help
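
Added example (not part of the thread and not code from any participant): the DCOM error "%2147942405" in event 10006 is the decimal form of the 0x80070005 reported by events 13 and 16, and the CLSID ties the 10006 on DC1 to the 10016 on DC2. The Python sketch below parses the event texts quoted in the question (embedded as constructed sample input, with line breaks joined) and correlates them; the function and field names are assumptions.

```python
import re

# Constructed input: event texts quoted in the thread, as (host, event ID, text).
EVENTS = [
    ("DC1", 16, "Automatic certificate enrollment for local system failed to enroll "
                "for one Domain Controller certificate (0x80070005).  Access is denied."),
    ("DC1", 10006, 'DCOM got error "%2147942405" from the computer '
                   "serv012.our.network.mydomain.com when attempting to activate "
                   "the server: {D99E6E74-FC88-11D0-B498-00A0C90312F3}"),
    ("DC2", 10016, "The machine-default permission settings do not grant Remote "
                   "Activation permission for the COM Server application with CLSID "
                   "{D99E6E74-FC88-11D0-B498-00A0C90312F3} to the user OUR\\SERV011$ "
                   "SID (S-1-5-21-3054588571-1341459584-784128302-3106)."),
]
PATTERNS = {
    "clsid": re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"),
    "error": re.compile(r'\((0x[0-9A-Fa-f]{8})\)|"%(\d+)"'),
    "account": re.compile(r"to the user (\S+) SID"),
    "sid": re.compile(r"SID \((S-1-[\d-]+)\)"),
    "remote": re.compile(r"from the computer (\S+)"),
}

def decode_hresult(value):
    """Split a 32-bit HRESULT into failure bit, facility (11 bits) and code (16 bits)."""
    return {"hex": "0x%08X" % value, "failure": bool(value >> 31),
            "facility": (value >> 16) & 0x7FF, "code": value & 0xFFFF}

def parse(host, event_id, text):
    """Extract whichever fields the event text contains."""
    rec = {"host": host, "id": event_id}
    for name, rx in PATTERNS.items():
        m = rx.search(text)
        if m:
            rec[name] = m.group(m.lastindex or 0)
    if "error" in rec:  # int(..., 0) accepts both "0x80070005" and "2147942405"
        rec["hresult"] = int(rec["error"], 0)
    return rec

def correlate(events):
    """Pair each client-side 10006 with a server-side 10016 naming the same CLSID."""
    recs = [parse(*e) for e in events]
    enroll = {r["hresult"] for r in recs if r["id"] in (13, 16) and "hresult" in r}
    return [{"clsid": c["clsid"], "caller_host": c["host"], "ca_host": s["host"],
             "ca_fqdn": c.get("remote"), "denied_account": s.get("account"),
             "sid": s.get("sid"), "error": decode_hresult(c["hresult"]),
             "same_error_as_enrollment": c["hresult"] in enroll}
            for c in recs if c["id"] == 10006 and "hresult" in c
            for s in recs if s["id"] == 10016 and s.get("clsid") == c.get("clsid")]
```

Facility 7 with code 5 is the Win32 "Access is denied" error wrapped as an HRESULT, so the enrollment failures on DC1 and the activation denial logged on DC2 describe one event from both ends.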