Autoenrollment Error Logged on Second W2K3 SP1 Domain Controller



Hi,

I am posting this in the hope that somebody will be able to assist me with an
issue that I am experiencing with the 'Autoenrollment' of computer
certificates from an Enterprise Root CA, which is located in a single
Windows Server 2003 domain (Forest Root domain). The domain has been
configured to the 'Windows Server 2003' functional level and the forest is
configured to the 'Windows Server 2003' functional level.

I have two Windows Server 2003 SP1 domain controllers which are located in a
Windows Server 2003 domain/forest, both are configured as global catalog
servers. The first server in the forest is running an 'Enterprise
Certificate Authority' and holds the 'Schema Master' and 'Domain Naming
Master' roles. The second domain controller/global catalog server is
running Exchange Server 2003 SP1 and holds the 'RID Master', 'PDC Emulator'
and 'Infrastructure Master' roles and whenever the server boots or when the
domain security policy is applied, the following entry is logged in the
event viewer:

Source: AutoEnrollment
Event ID: 13

Automatic certificate enrollment for the local system failed to enroll for a
Domain Controller certificate (0x80070005). Access is denied

I have configured 'Autoenrollment' within the 'Domain Security Policy' and
enabled the following options:

Enroll certificates automatically

Renew expired certificates, update pending certificates and remove revoked
certificates

Update certificates that use certificate templates

The Certificate Authority is installed with the default configuration and
all other domain members - servers and the other domain controller are able
to successfully receive a certificate.

I have reviewed a few support articles, but I can't get my head around what
is happening. Has anyone else experienced this behavior?

Many thanks in advance...

