The error is coming up on a domain controller, Windows Server 2008 R2. It is a file and print server and also houses SQL databases.
The error has come out of the blue. I cannot trace the date it started. The error repeats every 10 minutes. Upon a server restart, the application logs are clear, but after 12-16 hours the errors start to appear and repeat every 10 minutes.
There are 2 errors.
1. source: certificationAuthority
error: Active Directory Certificate Services could not publish a base CRL for key 0 to the following location c:\windows\system32\certsr
crl. Access is denied. 80070005 (WIN32:5)
2. source: certificationAuthority
error: Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location c:\windows\system32\certsr
crl+. Access is denied. 80070005 (WIN32:5)
My investigations led me to the following link:
I followed the advice to point 1 "Confirm Active Directory CRL distribution point permissions"
And I found that the AIA directory has the "cert publishers" group in security, which has write permission (full control) to the directory. The domain server is a member of the "cert publishers" group. Therefore I am concluding, as the tutorial says, that "the CA has Write permission to this location."
It is at this point that I stopped proceeding with the TechNet post, as I found the following post on a TechNet forum:
"You are attempting to write to the CertEnroll share which is read only by default.
You must change the NTFS/share permissions to allow the CA computer account to write to the share / source folder (C:\windows\system32\certs
oll). If this is a share on the local file system, then do not use the share path"
It led me to check the permissions on the certenroll folder. There are no security permissions on this folder and it has a padlock on it. Therefore I can't see the CA computer account having write access or even read. I was tempted to give the "cert publishers" group read/write access to the certenroll folder, thereby giving the CA computer access through that group. But before doing so I wanted to run this past the experts here to ensure it is not wrong to do so, or whether I am missing something.
How should I proceed with resolving this error?
Thanks for your help.