RE: Automatic Certificate Enrollment Failure
- From: "westernwind" <westernwind@xxxxxxxxxxxxxx>
- Date: Mon, 18 Jul 2005 10:15:03 -0700
Ken Zhao,
I did have the CERTSVC_DCOM_ACCESS group on my system. When I checked there
were no members in this group. I added all of my AD/DC servers as members
and the Errors in the Event Logs have gone away.
--
Thanks in advance
westernwind
"Ken Zhao [MSFT]" wrote:
> Hello,
>
> Thank you for using newsgroup!
>
> Based on my research, when you install a CA on a machine which is running
> Windows 2003 sp, it should automatically create a group called
> CERTSVC_DCOM_ACCESS and enroll all the domain controllers as members of
> this group. I suspect that this was not happening and hence the auto
> enrollment was failing. At this point, I suggest you run the following
> command on the problematic Windows 2003 Server:
>
> certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
>
> And then stop and start the certsvc service by using the following
> commands:
>
> net stop certsvc
> net start certsvc
>
> The steps above will create the group and then you can add the DCs as
> members of the group.
>
> Hope that helps!
>
> Thanks & Regards,
>
> Ken Zhao
>
> Microsoft Online Partner Support
> --------------------
> | From: "westernwind" <westernwind@xxxxxxxxxxxxxx>
> | Subject: Automatic Certificate Enrollment Failure
> | Date: Thu, 14 Jul 2005 10:18:04 -0700
> |
> | This post is intended for the TechNet managed news group monitors to
> | resolve.
> |
> | I have a Windows 2003 Server that is running as an AD/DC with Exchange
> | 2003 and IIS6.0. I installed the Certificate Authority services on this
> | server and issued a certificate. I am using this to enforce the use of
> | SSL for my Outlook Web Access users. This is working as expected.
> |
> | I have a second Windows 2003 Server that is running as an AD/DC and it
> | has all of the FSMO roles. Both servers are in the same domain. After
> | installing the CA on the first DC I am now getting the following error
> | in the event logs for my second DC:
> | "Automatic certificate enrollment for local system failed to enroll for
> | one Domain Controller certificate (0x80070005). Access is denied."
> |
> | I have checked the Group Policy for the Domain Controllers and the
> | 'Autoenrollment Settings Properties' are set to "Enroll certificates
> | automatically."
> |
> | I have looked at the Certificate Authority 'Certificate Templates -
> | Manage' and the "Domain Controller Authentication" is set to 'Allow' for
> | the Windows 2003 Server.
> |
> | I have seen many posts regarding this issue but I am unable to determine
> | a solution to this issue. Please let me know your suggested resolution
> | to this issue.
> | --
> | Thanks in advance
> |
> | westernwind
> |
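Added example, not part of the original thread: a PowerShell audit that reports which domain controllers are missing from CERTSVC_DCOM_ACCESS, the condition that produced the 0x80070005 autoenrollment error discussed above. It assumes the ActiveDirectory module is available (it postdates the Windows 2003 servers in this thread) and that the CA runs on a domain controller, so the group exists as a domain local group in AD; on a member-server CA it is a local group and this lookup does not apply.

```powershell
# Added example: audit CERTSVC_DCOM_ACCESS membership against the domain's DCs.
# Assumptions: ActiveDirectory module installed; CA hosted on a DC, so the
# group is a domain local group that can be queried through AD.
Import-Module ActiveDirectory

$groupName = 'CERTSVC_DCOM_ACCESS'

$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    # Matches the case in the thread where the group was never created.
    Write-Warning "$groupName not found. Run the certutil -setreg step and restart certsvc first."
    return
}

# -Recursive resolves nested groups, so DCs that are members through
# another group are still counted as members.
$memberDns = @(Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.distinguishedName })

# Compare every DC's computer account against the resolved member list.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    [pscustomobject]@{
        DomainController = $dc.HostName
        ComputerObjectDN = $dc.ComputerObjectDN
        InGroup          = $memberDns -contains $dc.ComputerObjectDN
    }
}
$report | Format-Table DomainController, InGroup -AutoSize

$missing = @($report | Where-Object { -not $_.InGroup })
if ($missing.Count -eq 0) {
    Write-Output "All domain controllers are members of $groupName."
} else {
    Write-Warning ("{0} DC(s) missing from {1}: {2}" -f $missing.Count, $groupName,
        ($missing.DomainController -join ', '))
    # Preview only: remove -WhatIf to actually add the missing DCs.
    Add-ADGroupMember -Identity $group -Members $missing.ComputerObjectDN -WhatIf
}
```

An empty group, as westernwind found, shows every DC with InGroup = False; the `-WhatIf` line then lists the additions without changing membership.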