Re: Autoenrollment error
- From: "Ace Fekay [MVP]" <PleaseSubstituteMyActualFirstName&LastNameHere@xxxxxxxxxxx>
- Date: Fri, 3 Feb 2006 01:39:01 -0500
In news:P309fQHKGHA.3680@xxxxxxxxxxxxxxxxxxxxx,
Tom Che [MSFT] <v-tomche@xxxxxxxxxxxxxxxxxxxx> stated, which I commented on
below:
Hi Matthew,
Thanks for your posting.
I suggest you may refer to the following steps to troubleshoot the
Event ID 13 AutoEnrollment error:
BTW, you got an error when you try to use the following command maybe
because the server is not a CA:
"certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG"
1) Follow KB889101 (Release notes for Windows Server 2003 Service Pack
1, Part:
Certificate Services: Effects of security enhancements to the DCOM
protocol)
2) Right click on Certificate Authority in the MMC on the Enterprise
CA. Checked if security authenticated users has read and enroll
permission.
3) Checked if Enterprise Admins has Full Control to
HKLM/System/CurrentControlSet/Services/CertSvc/Security and a read
ACE to CN=SubCA,CN=CertificateTemplates,CN=Public Key
Services,CN=Services,CN=Configuration.
4) Check DCOM configuration on the DC through DCOMCNFG command.
(Component Services -> Computers -> My Computer -> Properties ->
Default Properties) "Enable Distributed COM on this computer"
5) There is a group that is created called CERTSVC_DCOM_ACCESS.
Checked in AD Users and Computers to verify that the members are
Domain Users, Domain Computers, and Domain Controllers.
6) Error can also occur if all other domain controllers in the forest
do not have permissions of Enroll, Change, Read. In order to
troubleshoot, open the Certificate Template MMC, Right click on the
Certificate you wish to assign permission and click Properties. In
the security tab, added Domain Computers group from each domain with
the permissions of Enroll, Change and Read.
Tom,
This actually helped me when I had a similar issue. Possibility #5 above was
what helped.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
Not sure how? It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Assimilation Imminent. Resistance is Futile.
Infinite Diversities in Infinite Combinations.
The only thing in life is change. Anything less is a blackhole consuming
unnecessary energy.
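
The following is an added example, not part of either poster's message: read-only PowerShell checks for steps 3 to 5 of the quoted list (registry key ACL, the DCOM switch, and CERTSVC_DCOM_ACCESS membership). It assumes a current Windows Server with the ActiveDirectory module installed, an elevated session on the CA or DC, and English group names; the function names are hypothetical.

```powershell
# Added example (not from the thread): read-only checks for steps 3-5.
# Assumptions: elevated session on the CA/DC, ActiveDirectory module present,
# English group names. Function names are hypothetical.

function Test-DcomEnabled {
    # Step 4: the DCOMCNFG checkbox is stored as EnableDCOM = 'Y'.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -ErrorAction SilentlyContinue
    return ($null -ne $ole -and $ole.EnableDCOM -eq 'Y')
}

function Get-MissingDcomAccessMember {
    # Step 5: report which expected members are absent from CERTSVC_DCOM_ACCESS.
    param([string[]]$Expected = @('Domain Users', 'Domain Computers', 'Domain Controllers'))
    Import-Module ActiveDirectory -ErrorAction Stop
    $actual = @(Get-ADGroupMember -Identity 'CERTSVC_DCOM_ACCESS' | Select-Object -ExpandProperty Name)
    return @($Expected | Where-Object { $actual -notcontains $_ })
}

function Test-EnterpriseAdminsFullControl {
    # Step 3: look for an Allow ACE granting Enterprise Admins FullControl on the key.
    param([string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Security')
    if (-not (Test-Path -Path $KeyPath)) { return $false }   # key absent, e.g. host is not a CA
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $aces = (Get-Acl -Path $KeyPath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like '*\Enterprise Admins' -and
        ($_.RegistryRights -band $full) -eq $full
    }
    return (@($aces).Count -gt 0)
}

# Collect the three results in one object; nothing here changes configuration.
[pscustomobject]@{
    DcomEnabled                = Test-DcomEnabled
    EnterpriseAdminsFullOnKey  = Test-EnterpriseAdminsFullControl
    MissingFromDcomAccessGroup = (Get-MissingDcomAccessMember) -join ', '
}
```

An empty MissingFromDcomAccessGroup value means all three groups named in step 5 are members.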