Re: Autoenrollment error



I tried #5 earlier. Domain Users and Domain Computers were members of the group, and I added Domain Controllers, but it didn't seem to solve the problem. I'll run through the rest today and see if any of them work.

Thanks!

Ace Fekay [MVP] wrote:
In news:P309fQHKGHA.3680@xxxxxxxxxxxxxxxxxxxxx,
Tom Che [MSFT] <v-tomche@xxxxxxxxxxxxxxxxxxxx> stated, which I commented on below:
Hi Matthew,

Thanks for your posting.

I suggest you refer to the following steps to troubleshoot the
Event ID 13 AutoEnrollment error:

BTW, you may have got an error when you tried the following command
because the server is not a CA:
"certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG"

1) Follow KB889101(Release notes for Windows Server 2003 Service Pack
1, Part:
Certificate Services: Effects of security enhancements to the DCOM
protocol)

2) Right-click Certification Authority in the MMC on the Enterprise
CA. Check whether Authenticated Users has the Read and Enroll
permissions.

3) Check whether Enterprise Admins has Full Control on
HKLM\System\CurrentControlSet\Services\CertSvc\Security and a Read
ACE on CN=SubCA,CN=CertificateTemplates,CN=Public Key
Services,CN=Services,CN=Configuration.

4) Check the DCOM configuration on the DC through the DCOMCNFG command
(Component Services -> Computers -> My Computer -> Properties ->
Default Properties): "Enable Distributed COM on this computer".

5) There is a group that is created called CERTSVC_DCOM_ACCESS.
Check in AD Users and Computers to verify that the members are
Domain Users, Domain Computers, and Domain Controllers.

6) The error can also occur if all other domain controllers in the
forest do not have the Enroll, Change and Read permissions. To
troubleshoot, open the Certificate Templates MMC, right-click the
certificate you wish to assign permissions to and click Properties. In
the Security tab, add the Domain Computers group from each domain with
the Enroll, Change and Read permissions.


Tom,

This actually helped me when I had a similar issue. Possibility #5 above was what helped.


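The checks in Tom Che's steps 3 through 5 are all things that can be verified without clicking through the MMC, which makes it easier to compare several DCs or CAs at once. The following PowerShell script is an added example, not something from this thread or from Microsoft; it only reads settings and reports OK/MISSING for each item. It assumes the RSAT ActiveDirectory module is installed, that it is run as a domain admin on the Enterprise CA, and that the group and key names are exactly the ones quoted above. One correction to the quoted DN: the real container is "CN=Certificate Templates" (with a space), so that is what the script uses. Step 2 (Authenticated Users having Read and Enroll on the CA itself) is still checked in the Certification Authority snap-in.

```powershell
# Added example (not from the thread): read-only checks for steps 3-5 of the
# troubleshooting list above. Assumes RSAT ActiveDirectory module, run as a
# domain admin on the Enterprise CA. Group/key names are taken from the thread.
Import-Module ActiveDirectory

$groupName       = 'CERTSVC_DCOM_ACCESS'
$expectedMembers = @('Domain Users', 'Domain Computers', 'Domain Controllers')
$certSvcKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Security'
$configNC        = (Get-ADRootDSE).configurationNamingContext
# Real container name has a space ("Certificate Templates"); the thread omits it.
$subCaDN         = "CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

function Test-CertSvcDcomGroup {
    # Step 5: CERTSVC_DCOM_ACCESS should contain Domain Users, Domain Computers
    # and Domain Controllers (direct members only, as the thread describes).
    $members = Get-ADGroupMember -Identity $groupName | Select-Object -ExpandProperty Name
    foreach ($m in $expectedMembers) {
        $state = if ($members -contains $m) { 'OK     ' } else { 'MISSING' }
        "[$state] $groupName contains '$m'"
    }
}

function Test-CertSvcRegistryAcl {
    # Step 3a: Enterprise Admins needs an Allow/FullControl ACE on CertSvc\Security.
    $acl = Get-Acl -Path $certSvcKey
    $ea  = $acl.Access | Where-Object {
        $_.IdentityReference -like '*\Enterprise Admins' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.RegistryRights -eq 'FullControl'
    }
    $state = if ($ea) { 'OK     ' } else { 'MISSING' }
    "[$state] Enterprise Admins Full Control on $certSvcKey"
}

function Test-SubCaTemplateAcl {
    # Step 3b: Enterprise Admins needs at least a Read ACE on the SubCA template
    # object. The AD: drive comes from the ActiveDirectory module.
    $acl  = Get-Acl -Path "AD:\$subCaDN"
    $read = $acl.Access | Where-Object {
        $_.IdentityReference -like '*\Enterprise Admins' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead) -ne 0)
    }
    $state = if ($read) { 'OK     ' } else { 'MISSING' }
    "[$state] Enterprise Admins Read ACE on $subCaDN"
}

function Test-DcomEnabled {
    # Step 4: the "Enable Distributed COM on this computer" checkbox in DCOMCNFG
    # is stored as the string value EnableDCOM = "Y" under HKLM\SOFTWARE\Microsoft\Ole.
    $ole   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM
    $state = if ($ole.EnableDCOM -eq 'Y') { 'OK     ' } else { 'MISSING' }
    "[$state] EnableDCOM = '$($ole.EnableDCOM)' (expected 'Y')"
}

Test-CertSvcDcomGroup
Test-CertSvcRegistryAcl
Test-SubCaTemplateAcl
Test-DcomEnabled
```

Run it once on the CA and, for step 4, once on each DC that logs Event ID 13; a MISSING line points at the step in the list above to revisit. The SetupStatus flag from the quoted certutil command can be read on the CA with `certutil -getreg SetupStatus`, which is why that command fails on a member server that is not a CA.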


