Re: AutoEnrollment DCs



OK... I'll let it be as long as it's not much problem to my server :)

Thanks!
You are the man!


"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:%234onnv$OIHA.536@xxxxxxxxxxxxxxxxxxxxxxx
Yes, I believe it will; it needs access to the certificate services and
this is the group that has permissions for this.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Leezy" <leezy@xxxxxxxx> wrote in message
news:OcMJwg%23OIHA.4912@xxxxxxxxxxxxxxxxxxxxxxx
I have added the Domain Controllers group into the CERTSVC_DCOM_ACCESS group.

Will monitor for the error. Thanks...
Just one more thing... according to the article, the Domain Controllers
group by default does not belong to the CERTSVC_DCOM_ACCESS group...

By adding this, it should not cause any problem....
Will the problem come back if I remove it from the group later on?


"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:O4j3JynNIHA.292@xxxxxxxxxxxxxxxxxxxxxxx
Did you add the Domain Controllers security group to the
CERTSVC_DCOM_ACCESS security group?

+++++++++++++
If the certification authority is installed on a domain controller,
CERTSVC_DCOM_ACCESS is created as a domain local group. The Domain Users
security group and the Domain Computers security group from the
certification authority's domain are added to CERTSVC_DCOM_ACCESS. If
domain controllers need access to this interface to request certificates
from the certification authority, you must add the Domain Controllers
security group. You must do this because domain controllers are not part
of the Domain Computers security group.
+++++++++++++

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Leezy" <leezy@xxxxxxxx> wrote in message
news:OU42l9iNIHA.5160@xxxxxxxxxxxxxxxxxxxxxxx
The article is unclear in certain parts. Where do I locate the DCOM? In
the server holding the certificate? Is that DCOM referring to Component
Services?

My cert server is on DC-01
My problem server is DC-02

Where should I go to tackle the autoenrollment problem on DC-02?



"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:e2XGrRbNIHA.5360@xxxxxxxxxxxxxxxxxxxxxxx
If domain controllers need access to this interface to request
certificates from the certification authority, you must add the Domain
Controllers security group. You must do this because domain
controllers are not part of the Domain Computers security group.

See
http://support.microsoft.com/default.aspx?scid=kb;en-us;903220

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Leezy" <leezy@xxxxxxxx> wrote in message
news:OkJzDMYNIHA.5224@xxxxxxxxxxxxxxxxxxxxxxx
I am getting these 2 errors here on my server.

PDC has no problem with this, only the 2nd DC has this error...

Any idea how to get rid of it?



Thanks

leezy





Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 12/2/2007
Time: 11:23:00 PM
User: N/A
Computer: KNB-DC-02
Description:
Automatic certificate enrollment for local system failed to enroll
for one Domain Controller certificate (0x80070005). Access is
denied.

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 16
Date: 12/3/2007
Time: 7:22:59 AM
User: N/A
Computer: KNB-DC-02
Description:
Automatic certificate enrollment for local system failed to renew one
Domain Controller certificate (0x80070005). Access is denied.
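
Added example, not part of the original thread or of the KB article it cites: a read-only PowerShell check that ties the two events above to the group membership discussed in the replies. It assumes the ActiveDirectory RSAT module is available and that the CA runs on a domain controller, so that CERTSVC_DCOM_ACCESS is a domain local group; the function names are hypothetical, and the computer name is the one shown in the events.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory RSAT module
# and that the CA runs on a DC, so CERTSVC_DCOM_ACCESS is a domain local group.
Import-Module ActiveDirectory

$GroupName = 'CERTSVC_DCOM_ACCESS'   # group named in the quoted KB text
$TargetDC  = 'KNB-DC-02'             # DC that logged events 13 and 16 in the thread

function Get-AutoEnrollAccessDenied {
    param([string]$ComputerName, [int]$Days = 7)
    $filter = @{
        LogName   = 'Application'
        Id        = 13, 16
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # The provider name differs between Windows versions, so match it loosely
    # and keep only the "Access is denied" failures (0x80070005).
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*AutoEnrollment*' -and $_.Message -match '0x80070005' }
}

function Test-DomainControllersInGroup {
    param([string]$Group)
    # Domain Controllers is the well-known domain group with RID 516.
    $dcGroupSid = '{0}-516' -f (Get-ADDomain).DomainSID.Value
    # Direct members only; membership through another nested group is not followed.
    $direct = Get-ADGroupMember -Identity $Group
    [pscustomobject]@{
        Group                = $Group
        DirectMembers        = ($direct | ForEach-Object { $_.SamAccountName }) -join ', '
        HasDomainControllers = [bool]($direct | Where-Object { $_.SID.Value -eq $dcGroupSid })
    }
}

$denied = @(Get-AutoEnrollAccessDenied -ComputerName $TargetDC)
$check  = Test-DomainControllersInGroup -Group $GroupName
$check | Format-List
'{0} access-denied autoenrollment event(s) on {1} in the last 7 days' -f $denied.Count, $TargetDC

if ($denied.Count -gt 0 -and -not $check.HasDomainControllers) {
    # Report only; the membership change itself is left to the administrator.
    Write-Warning "Domain Controllers is not a direct member of $GroupName"
}
```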













