Win Server 2008 R2 (domain controller) event id 66 & 65 Active Directory Certificate Services could not publish a CRL for key 0 to the following location

The error is coming up on a domain controller, Windows Server 2008 R2. File and print server, also houses SQL databases.

The error has come out of the blue. I cannot trace the date it started. The error repeats every 10 minutes. Upon a server restart, the application logs are clear, but after 12-16 hours they start to appear and repeat every 10 minutes.

There are 2 errors.
1. source: certificationAuthority
id: 65
error: Active Directory Certificate Services could not publish a base CRL for key 0 to the following location c:\windows\system32\certsrv\certenroll\mydomain-FQDM-CA.crl. Access is denied. 80070005 (WIN32:5)

2. source: certificationAuthority
id: 66
error: Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location c:\windows\system32\certsrv\certenroll\mydomain-FQDM-CA.crl+. Access is denied. 80070005 (WIN32:5)

My investigations led me to the following link:
https://technet.microsoft.com/en-us/library/dd299801%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

I followed the advice to point 1 "Confirm Active Directory CRL distribution point permissions"

And I found that the AIA directory has the "cert publishers" group in security, which has write permission (full control) to the directory. The domain server is a member of the "cert publishers" group. Therefore I am concluding, as the tutorial says, that "the CA has Write permission to this location."

It is at this point that I stopped proceeding with the TechNet post, as I found the following post on a TechNet forum:

"You are attempting to write to the CertEnroll share which is read only by default.
You must change the NTFS/share permissions to allow the CA computer account to write to the share / source folder (C:\windows\system32\certsrv\certenroll). If this is a share on the local file system, then do not use the share path"

It led me to check the permissions on the certenroll folder. There are no security permissions on this folder and it has a padlock on it. Therefore I can't see the CA computer account having write access or even read. I was tempted to give the "cert publishers" group read/write access to the certenroll folder, thereby giving the CA computer access through that group... But before doing so I wanted to run this past the experts here to ensure it is not wrong to do so, or whether I am missing something?

How should I proceed with resolving this error?

Thanks for your help
sfabs Asked:

David Johnson, CD, MVP (Owner) Commented:
The power of using defaults breaks most PKI installations.
C:\windows\system32\certsrv\certenroll, residing in C:\Windows, is a protected area by default, so you have to change the permissions of the certsrv folder and below to allow read/write/modify, since by default only TrustedInstaller has r/w/m permissions.
0

Mohammed Khawaja (Manager - Infrastructure: Information Technology) Commented:
Refer to the link below, as it is similar to the issue mentioned there:

https://technet.microsoft.com/en-us/library/cc726342(v=ws.10).aspx
0
Mahesh (Architect) Commented:
Have you installed the enterprise CA role on the DC?

If you installed it with the default options, it always shares the certenroll folder and publishes the CRL and AIA points there, and it remains accessible read-only to all network resources, with full control for the CA server account.

If you have altered this folder's permissions, it can cause issues.

The best way to resolve this issue is to just uninstall the CA role and reinstall it; this will definitely fix the issue.
https://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
Steps (refer to the steps in the above article):
Backing up a CA database and private key
Backing up CA registry settings
Removing the CA role service from the server
Reboot the server once
Reinstall CA role with existing key pair option on same server
Restore CA database

And you should be fine; your existing certificates will continue to work as well.
0
sfabs (Author) Commented:
This is the solution but left me still asking questions to myself... I could have fired the questions across Experts Exchange but worked them out for myself, so am adding them here.
I had a functional domain server at another site, so compared the folder permissions and found them to differ. (I knew before I inherited this server that someone had messed around with permissions on the C drive.)

I copied the local folder security permissions (as these differed on the 2 servers) from the functioning domain controller to my non-functioning domain controller.

The error stopped from there on in.
0
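The permission comparison described in the final comment, as an added PowerShell example that is not part of the original thread. It diffs the NTFS access rules on the CertEnroll folder against a working server, optionally copies the DACL across, then republishes the CRL and looks for new 65/66 events. `REFDC` is a placeholder name, and the script assumes an elevated prompt and that the identities in the reference ACL resolve on this server.

```powershell
# Added example. REFDC is a placeholder for the server whose CA publishes CRLs normally.
$LocalPath = 'C:\Windows\System32\CertSrv\CertEnroll'
$RefPath   = '\\REFDC\C$\Windows\System32\CertSrv\CertEnroll'
$Apply     = $false   # set to $true only after reviewing the diff below

# Flatten each access rule to one comparable string.
function Get-RuleText([string]$Path) {
    (Get-Acl -Path $Path).Access | ForEach-Object {
        '{0} | {1} | {2} | inherited={3} | {4}/{5}' -f $_.IdentityReference,
            $_.AccessControlType, $_.FileSystemRights, $_.IsInherited,
            $_.InheritanceFlags, $_.PropagationFlags
    }
}

# Where the CA is configured to publish; the path from events 65/66 should be listed here.
certutil -getreg CA\CRLPublicationURLs

# '<=' rules exist only on this server, '=>' only on the reference server.
$diff = Compare-Object (Get-RuleText $LocalPath) (Get-RuleText $RefPath)
if ($diff) { $diff | Format-Table -AutoSize -Wrap } else { 'Access rules are identical.' }

if ($Apply -and $diff) {
    # Keep a restorable copy of the current ACL before changing anything.
    icacls $LocalPath /save "$env:TEMP\certenroll-acl.bak"
    # Copy only the DACL; owner and audit settings stay as they are.
    $ref   = Get-Acl -Path $RefPath
    $local = Get-Acl -Path $LocalPath
    $local.SetSecurityDescriptorSddlForm($ref.GetSecurityDescriptorSddlForm('Access'), 'Access')
    Set-Acl -Path $LocalPath -AclObject $local
}

# Publish now instead of waiting for the next cycle, then look for fresh failures.
$start = Get-Date
certutil -CRL
Start-Sleep -Seconds 15
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 65, 66; StartTime = $start } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*CertificationAuthority*' } |
    Select-Object TimeCreated, Id, Message
```

No output from the last command means the forced publication did not log event 65 or 66.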