Event ID 13, 16, 10006 and 10016 on Windows 2003 DCs

Thomas Grassi
Windows 2003 Server SP2 Enterprise Edition
I have 2 (two) DC's both the same as above
Been running great for a long time

All of a sudden I am getting these errors

On DC1
Event ID 16 AutoEnrollment
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied.

Event ID 13 AutoEnrollment
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied.

Event ID 10006 DCOM
DCOM got error "%2147942405" from the computer serv012.our.network.mydomain.com when attempting to
activate the server:
{D99E6E74-FC88-11D0-B498-00A0C90312F3}

On DC2 (this DC holds all the roles and runs CertMGR)
Event ID 10016 DCOM
The machine-default permission settings do not grant Remote Activation permission for the COM Server application with CLSID
{D99E6E74-FC88-11D0-B498-00A0C90312F3}
 to the user OUR\SERV011$ SID (S-1-5-21-3054588571-1341459584-784128302-3106).  This security permission can be modified using the Component Services administrative tool.


How can I fix this?

Thanks for any help
Can you verify if your servers are members of the following group
CERTSRV_DCOM_ACCESS

Please also verify that the correct permissions are on DC

Go to the certificate authority manager, go to the properties of your CA, go to the Security tab and ensure that you allow computers to read and request certificates.

Thomas Grassi, Systems Administrator (Author), commented:
Following are members of CERTSRV_DCOM_ACCESS

Domain Computers
Domain Controllers
Domain Users

I hope you meant check Certification Authority
The security tab has
Administrators Issue and Manage Certificates and Manage CA
Authenticated Users  Issue and Manage Certificates and Manage CA
Domain Admins Issue and Manage Certificates and Manage CA
Enterprise Admins Issue and Manage Certificates and Manage CA


That's it. Anything missing or wrong?

Nothing has changed in a long long time
Please grant Read & Enroll permissions to Domain Computers.

Once done you can try rebooting your DC it should automatically enroll.

Thomas Grassi, Systems Administrator (Author), commented:
Thanks for responding

Only permissions I have to select from are

Read
Issue and Manage Certificates
Manage CA
Request Certificates

Am I missing something here?
Request Certificates - Enroll
Read - Read
Thomas Grassi, Systems Administrator (Author), commented:
Ok added Read and Request Certificates

Restart Both DC's or just the one with event 13 and 16?
Just the one with 13 and 16
Thomas Grassi, Systems Administrator (Author), commented:
Great, thanks. Will schedule for later; have users on now.

Thomas Grassi, Systems Administrator (Author), commented:
becraig

I was able to restart the DC

After restart the same errors appear: event ID 13 and 16.
Can you look at the event log of the CA.

Let's see what errors we got when it tried to enroll for a cert.

Thomas Grassi, Systems Administrator (Author), commented:
Do you mean on the server that is running the CA?

If so, getting event ID 10016

The machine-default permission settings do not grant Remote Activation permission for the COM Server application with CLSID
{D99E6E74-FC88-11D0-B498-00A0C90312F3}
 to the user OUR\SERV011$ SID (S-1-5-21-3054588571-1341459584-784128302-3106).  This security permission can be modified using the Component Services administrative tool.
That error on TechNet indicates a resolution:
http://technet.microsoft.com/en-us/library/cc726313%28v=ws.10%29.aspx


I, however, still think this looks like an enrollment error; you can give the MS fix a try.

Also, what is the state of the certificate services in the service control panel on the CA server?
Also, just to add additional info, what do you see in
c:\windows\system32\CertEnroll.log

Thomas Grassi, Systems Administrator (Author), commented:
Thanks

That relates to Windows 2008 servers; this is Windows 2003.

No comexp.msc file on my system


No Revoked Certificates
Issued Certificates are all green
No Pending Certificates
No Failed Certificates
I came across this on a previous question on here:
http://www.experts-exchange.com/Security/Misc/Q_25097848.html

Did you verify the state of the service on the CA?

Thomas Grassi, Systems Administrator (Author), commented:
Thanks

The setting was default so I changed it per the article above.

Have to bounce both servers now

But not till the weekend
OK, keep me posted.

Thomas Grassi, Systems Administrator (Author), commented:
Did not have to restart the servers; looks like the change fixed the problems. Over 24 hours, no messages.

MS sent an update out today; need to restart servers, will do this weekend.

Thanks for your help
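
The three event texts quoted in this thread describe one failure seen from both ends. The following is an added example, not part of the original thread, that decodes the decimal DCOM error into the same HRESULT the AutoEnrollment events report and extracts the denied right, account, SID and CLSID. The function names are hypothetical; the event strings are those quoted above, joined onto single lines.

```python
import re

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# Event text as quoted in the thread, joined onto single lines.
EVENTS = [
    (16, "Automatic certificate enrollment for local system failed to enroll "
         "for one Domain Controller certificate (0x80070005).  Access is denied."),
    (10006, 'DCOM got error "%2147942405" from the computer '
            "serv012.our.network.mydomain.com when attempting to activate the "
            "server: {D99E6E74-FC88-11D0-B498-00A0C90312F3}"),
    (10016, "The machine-default permission settings do not grant Remote "
            "Activation permission for the COM Server application with CLSID "
            "{D99E6E74-FC88-11D0-B498-00A0C90312F3} to the user OUR\\SERV011$ "
            "SID (S-1-5-21-3054588571-1341459584-784128302-3106)."),
]

def decode_hresult(value):
    """Split a 32-bit HRESULT into failure bit, facility and code."""
    value &= 0xFFFFFFFF
    # 0x80070005: failure, facility 7 (FACILITY_WIN32), code 5 (access denied)
    return {"hex": "0x%08X" % value, "failure": bool(value >> 31),
            "facility": (value >> 16) & 0x7FF, "code": value & 0xFFFF}

def parse_event(event_id, text):
    """Extract the fields that link the three events together."""
    out = {"id": event_id}
    m = re.search(r"\((0x[0-9A-Fa-f]{8})\)", text)
    if m:  # AutoEnrollment 13/16 print the HRESULT in hex
        out["hresult"] = decode_hresult(int(m.group(1), 16))
    m = re.search(r'error "%(\d+)" from the computer (\S+)', text)
    if m:  # DCOM 10006 prints the same kind of value in decimal
        out["hresult"] = decode_hresult(int(m.group(1)))
        out["server"] = m.group(2)
    m = re.search(CLSID, text)
    if m:
        out["clsid"] = m.group(0).upper()
    m = re.search(r"grant (.+?) permission .* to the user (\S+) SID \((S-[\d-]+)\)", text)
    if m:  # DCOM 10016 names the denied right and the calling account
        out["denied"], out["account"], out["sid"] = m.groups()
    return out

def correlate(events):
    """Pair the client-side failures with the server-side DCOM denial."""
    by_id = {i: parse_event(i, t) for i, t in events}
    client, dcom, denial = by_id[16], by_id[10006], by_id[10016]
    fields = (denial["account"], denial["denied"], denial["clsid"],
              dcom["server"], dcom["hresult"]["hex"])
    return {"same_error": client["hresult"] == dcom["hresult"],
            "same_clsid": dcom["clsid"] == denial["clsid"],
            "summary": "%s denied '%s' on %s at %s (%s)" % fields}
```
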
