Re: Forest, Domain, Certificate, CA, IAS/Radius, Issues



Joe,

All servers are Windows Server 2003 with service pack 2.
Only DomainA has the "Enterprise Root CA" and DomainB_DC1 is a subordinate
CA in the same forest.
I have checked and set the permissions as requested. I still cannot renew
the DomainB Domain Controllers (DC2 and DC3) certificates. When I try using
the Certificate Renewal Wizard, I get "The certificate request failed
because of one of the following conditions: - The certificate request was
submitted to a Certificate Authority (CA) that is not started. - You do not
have the permissions to request certificates from the available CAs." If I
try to auto-enroll, I receive the following event in the event log:

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 12/19/2007
Time: 10:16:10 AM
User: N/A
Computer: TIDC03
Description:
Automatic certificate enrollment for local system failed to enroll for one
Domain Controller certificate (0x80070005). Access is denied.

How do I manually request a Domain Controller certificate from DC2? I know
how to submit a manual request from IIS for a web server certificate, but
not for a Domain Controller certificate. If I try to use the web-enrollment
tool (http://DomainB_DC1/certsrv) the only certificate templates I get are
"Administrator, Basic EFS, EFS Recovery Agent, User, Subordinate Certificate
Authority and Web Server." I do not see a "Domain Controller" template
option.

To reinstall the CA service on DomainB_DC1, I first logon as the Enterprise
Admin, then remove the Certificate Services component. Then I re-add the
Certificate Services component selecting "Enterprise subordinate CA." I
select a CA name (same as old one to overwrite the old key and old CA found
in AD.) If I try then to "send the request directly to a CA already on the
network" and pick the Enterprise Root CA (DomainA_DC1), I get the error
"Cannot ping the selected CA. Please make sure the CA is running. Access is
denied. 0x80070005 (WIN32: 5)". I then have to save the request to a file
and manually submit it to the Enterprise Root CA. Then I import the manual
certificate that was generated and I can start the CA services on
DomainB_DC1. However, this does not help me obtain a new Domain Controller
certificate on DomainB_DC2 or 3.

I ran the command "certutil -setreg
SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG" on DomainA_DC1 (the root CA)
and DomainB_DC1. Did not help.

Thank you,

Tony

"Joe Wu [MSFT]" <joewu@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23yZ0j8KQIHA.4200@xxxxxxxxxxxxxxxxxxxxxxxxx
Hello,

Thank you for your post.

Are these two related DCs (DomainB_DC1, and DomainB_DC2) Windows Server
2003 with the latest Service Pack? Also, is DomainB_DC1 installed as
Enterprise CA?

Please check the following:

1. Ensure the domain accounts of both DCs have full control of the Domain
Controller certificate template.

You can run certtmpl.msc on the CA server and then assign the permissions.

2. Please check if you can manually request a Domain Controller certificate
on DC2.

3. Generally, the new CERTSVC_DCOM_ACCESS security group should be
generated if the DC applies Windows Server 2003 SP1. Please let me know how
you reinstall the CA service and then double check this group on other DCs.

If you can find it, we can have Certificate Services update the DCOM
security settings by running the following commands:

certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc

Hope this helps. Thanks!

Regards,
Joe Wu
Microsoft Online Support

======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================
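A diagnostic script covering the three checks in Joe's reply (Enroll permission on the Domain Controller template, existence and membership of CERTSVC_DCOM_ACCESS, and whether the CA answers and has recorded the DCOM security update), added here as an example and not part of either post. It assumes PowerShell with .NET DirectoryServices on a machine that can read the Configuration naming context; the CA config string, the template CN, the DomainB distinguished name and the cross-domain "Domain Controllers" membership check are assumptions, not facts stated in the thread.

```powershell
# Added diagnostic, not from the thread. Assumes PowerShell with .NET
# DirectoryServices, run as an admin who can read the Configuration NC.
# CA config string and the requesting DCs' domain DN are placeholders.
param(
    [string]$CaConfig   = 'DomainB_DC1\PLACEHOLDER-CA-NAME',   # "server\CA name"
    [string]$Template   = 'DomainController',                   # template CN in AD
    [string]$DcDomainDn = 'DC=domainb,DC=example'               # domain of DC2/DC3
)

# Certificate-Enrollment extended right (fixed GUID in the AD schema).
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$configNc    = ([ADSI]'LDAP://RootDSE').configurationNamingContext

# 1. Template permissions (Joe's step 1): who holds Enroll or Full Control?
$tmpl = [ADSI]("LDAP://CN=$Template,CN=Certificate Templates,CN=Public Key Services," +
               "CN=Services,$configNc")
"Enroll / Full Control entries on template '$Template':"
$tmpl.ObjectSecurity.Access |
    Where-Object { $_.ObjectType -eq $EnrollRight -or "$($_.ActiveDirectoryRights)" -match 'GenericAll' } |
    ForEach-Object { '  {0,-6} {1}' -f $_.AccessControlType, $_.IdentityReference }

# 2. CERTSVC_DCOM_ACCESS (Joe's step 3): does it exist, and is the requesting
#    DCs' "Domain Controllers" group a member? Assumption: when those DCs sit in
#    a different domain than the CA, their group must be added by hand.
$grp = ([ADSISearcher]'(&(objectClass=group)(sAMAccountName=CERTSVC_DCOM_ACCESS))').FindOne()
if (-not $grp) {
    'CERTSVC_DCOM_ACCESS not found: the CA has not applied the SP1 DCOM security update.'
} else {
    $members = @($grp.Properties['member'])
    'Members of CERTSVC_DCOM_ACCESS:'; $members | ForEach-Object { "  $_" }
    $dcSearch = [ADSISearcher]'(&(objectClass=group)(sAMAccountName=Domain Controllers))'
    $dcSearch.SearchRoot = [ADSI]"LDAP://$DcDomainDn"
    $dcGroupDn = $dcSearch.FindOne().Properties['distinguishedname'][0]
    if ($members -contains $dcGroupDn) { "  OK: $dcGroupDn is a member" }
    else { "  MISSING: $dcGroupDn is not a member (candidate cause of 0x80070005 over DCOM)" }
}

# 3. Can the CA be reached at all, and has it recorded the DCOM update?
# Clearing SETUP_DCOM_SECURITY_UPDATED_FLAG (the thread's -setreg command)
# makes certsvc reapply DCOM security the next time it starts.
"`nPing result for $CaConfig :"
certutil -config $CaConfig -ping
"`nSetupStatus on $CaConfig (SETUP_DCOM_SECURITY_UPDATED_FLAG should be set):"
certutil -config $CaConfig -getreg SetupStatus
```

Run it once against each DomainB DC's domain; a template ACL that only grants Enroll to the forest root domain's groups, or a CERTSVC_DCOM_ACCESS group missing the other domain's accounts, both produce the access-denied results Tony describes.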

