Re: Event ID 13 - automatic certificate enrollment error



You forgot the magic cmd line statement to do afterwards...

gpupdate /force

on all DCs

Glad I could help, someone here in this group or somewhere else said it
best, next time read the Read Me's that come with a Service Pack. I searched
for about an hour for this solution and it was in the Read Me all along.


"Jaycee" <jaycee131973@xxxxxxxxxxx> wrote in message
news:eOO%23WAoAGHA.4080@xxxxxxxxxxxxxxxxxxxxxxx
>I just did that today and it seems that it's slowly working - 2 servers
>worked right away, a few others took several hours and there is still one
>server that will not renew. I'll continue to troubleshoot.
>
> Thanks again.
>
> Jaycee
>
> "Chris Patterson" <chrisspatterson@xxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:eTXmWRnAGHA.1312@xxxxxxxxxxxxxxxxxxxxxxx
>>I just had the same problem, have you installed SP 1 on your server?
>>
>> If so, go to AD Users/Computers, built in, look for CERTSVC_DCOM_ACCESS
>> and add Domain Controllers to it and check enroll
>>
>>
>> "Jaycee" <jaycee131973@xxxxxxxxxxx> wrote in message
>> news:%23919dJbAGHA.2392@xxxxxxxxxxxxxxxxxxxxxxx
>>> I'm having problems understanding how to set permissions. When I open
>>> the MMC for the certificate authority I can see the certificate
>>> templates folder and when I select it I can then see Domain Controller
>>> on the right-side pane. However, when I view the properties it doesn't
>>> have a permissions tab.
>>>
>>> However, if I right click the certificate templates folder and select
>>> manage I can see the template Domain Controller. My network is running
>>> Windows 2003 and all Domain controllers are running Windows 2003. For
>>> the Domain Controller template it states minimum supported CA is Windows
>>> 2000 and autoenrollment is set to Not Allowed.
>>>
>>> Under the security tab for this template it lists the following:
>>> Authenticated Users: READ
>>> Domain Admins: READ, WRITE, ENROLL
>>> Domain Controllers: READ, ENROLL
>>> Enterprise Admins READ, WRITE, ENROLL
>>> Enterprise Domain Controllers: READ, ENROLL
>>>
>>> Any advice on these permissions settings would be appreciated.
>>>
>>> Thanks.
>>>
>>> <skrubbeltrang@xxxxxxxxx> wrote in message
>>> news:1134674956.549145.326050@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> Hi Jaycee.
>>>>
>>>> If you check the Microsoft Events and Errors Message Center you'll find
>>>> the following suggestions:
>>>>
>>>> No network connectivity is available
>>>> No domain controller was found
>>>> No certificate authorities are available
>>>> No certificate templates contain the READ and ENROLL permission for
>>>> the computer or user in Active Directory
>>>>
>>>> You should check the above:
>>>> Most likely you should check the permissions on the domain controller
>>>> certificate template - the access denied implies that there is
>>>> connectivity but ACL's on the template are wrong.
>>>> It could also be that you removed the template from the list of
>>>> certificates issued by the server?
>>>> To check connectivity use telnet to test for TCP port 135 as well as
>>>> the dynamically assigned certificate services port (use netstat -na on
>>>> the CA to find the port).
>>>>
>>>> You'll find links for the Microsoft Events and Errors Message Center
>>>> and other resources on
>>>>
>>>> http://grubletrang.com/GrubleKB.aspx
>>>>
>>>> Hope this helps you solve your problem.
>>>>
>>>> Kind regards
>>>> Morten Skrubbeltrang
>>>> GrubleTrang Corporation
>>>>
>>>>
>>>> Jaycee wrote:
>>>>> I'm receiving the following event:
>>>>>
>>>>> Event Type: Error
>>>>> Event Source: AutoEnrollment
>>>>> Event Category: None
>>>>> Event ID: 13
>>>>> Computer: SERVER01
>>>>> Description:
>>>>> Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.
>>>>>
>>>>> When I open the certificates MMC and manually renew the Domain Controller
>>>>> certificate with the same key I receive the following error:
>>>>>
>>>>> The certificate request failed because of one of the following conditions:
>>>>> - The certificate request was submitted to a Certification Authority (CA) that is not started.
>>>>> - You do not have permissions to request certificates from the available CAs.
>>>>>
>>>>> The CA is started. Anyone have any ideas on how to fix this one?
>>>>>
>>>>> Thanks.
>>>>
>>>
>>>
>>
>>
>
>
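The checks suggested across this thread (TCP 135 and the CA's dynamic port, Domain Controllers in CERTSVC_DCOM_ACCESS, then `gpupdate /force`) gathered into one script, as an added example that is not part of any poster's message. It assumes a current Windows PowerShell with the RSAT ActiveDirectory module, run on the affected DC; `ca01.example.test` is a placeholder CA host name, and `certutil -pulse` is an addition to trigger autoenrollment right after the policy refresh.

```powershell
# Added diagnostic sketch; not from the original thread.
# Assumptions: run on the affected DC, PowerShell 4.0+ (Test-NetConnection),
# RSAT ActiveDirectory module installed.
param(
    [string]$CaHost    = 'ca01.example.test',  # placeholder: replace with your CA host
    [int]   $CaRpcPort = 0                     # dynamic certsrv port seen in "netstat -na" on the CA; 0 = skip
)

Import-Module ActiveDirectory
$results = [ordered]@{}

# 1. Connectivity: RPC endpoint mapper first, then the CA's dynamic port if given.
$t135 = Test-NetConnection -ComputerName $CaHost -Port 135 -WarningAction SilentlyContinue
$results['TCP 135 reachable'] = $t135.TcpTestSucceeded
if ($CaRpcPort -gt 0) {
    $tDyn = Test-NetConnection -ComputerName $CaHost -Port $CaRpcPort -WarningAction SilentlyContinue
    $results["TCP $CaRpcPort reachable"] = $tDyn.TcpTestSucceeded
}

# 2. DCOM access: the post-SP1 fix is membership of Domain Controllers
#    in the CERTSVC_DCOM_ACCESS group.
$members = Get-ADGroupMember -Identity 'CERTSVC_DCOM_ACCESS' |
    Select-Object -ExpandProperty SamAccountName
$results['Domain Controllers in CERTSVC_DCOM_ACCESS'] = $members -contains 'Domain Controllers'

# 3. Report every check, so a failure points at network or ACL rather than "access denied".
$results.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $_.Value }

# 4. Only when everything passed: refresh policy and retry autoenrollment.
if ($results.Values -notcontains $false) {
    gpupdate /force
    certutil -pulse
} else {
    Write-Warning 'Fix the failed checks above before retrying enrollment.'
}
```

A DC picks up new group membership only in Kerberos tickets issued after the change, so a server can keep failing until its tickets are renewed or it restarts.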

