Networking Forums


Automatic Certificate Enrollment Failure

 
 
westernwind

 
      07-14-2005, 05:18 PM
This post is intended for the TechNet managed news group monitors to resolve.

I have a Windows 2003 Server that is running as an AD/DC with Exchange 2003
and IIS 6.0. I installed the Certificate Authority services on this server
and issued a certificate. I am using this to enforce the use of SSL for my
Outlook Web Access users. This is working as expected.

I have a second Windows 2003 Server that is running as an AD/DC and it has
all of the FSMO roles. Both servers are in the same domain. After
installing the CA on the first DC I am now getting the following error in the
event logs for my second DC:
"Automatic certificate enrollment for local system failed to enroll for one
Domain Controller certificate (0x80070005). Access is denied."

I have checked the Group Policy for the Domain Controllers and the
'Autoenrollment Settings Properties' are set to "Enroll certificates
automatically."

I have looked at the Certificate Authority 'Certificate Templates - Manage'
and the "Domain Controller Authentication" is set to 'Allow' for the Windows
2003 Server.

I have seen many posts regarding this issue but I am unable to determine a
solution to this issue. Please let me know your suggested resolution to this
issue.
--
Thanks in advance

westernwind
 

Ken Zhao [MSFT]

      07-15-2005, 10:09 AM
Hello,

Thank you for using the newsgroup!

Based on my research, when you install a CA on a machine which is running
Windows 2003 SP, it should automatically create a group called
CERTSVC_DCOM_ACCESS and enroll all the domain controllers as members of
this group. I suspect that this was not happening and hence the auto
enrollment was failing. At this point, I suggest you run the following
command on the problematic Windows 2003 Server:

certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG

And then stop and start the certsvc service by using the following
commands:
net stop certsvc
net start certsvc

The steps above will create the group and then you can add the DCs as
members of the group.

Hope that helps!

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

================================================== ===
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
================================================== ===
This posting is provided "AS IS" with no warranties, and confers no rights.


Newsgroup Web Interface Upgrade
Please complete a one-time registration process on your first visit to the
Partner Portal beginning July 11, 2005 at 9 A.M. PST by entering the secure
code mspp2005 when prompted. This secure code will be valid for 6 months
after which you will need to update your registration by entering the new
secure code. We will post announcements in the newsgroups prior to
expiration. Once you have entered the secure code mspp2005 , you will be
able to update your profile and access the the partner newsgroups. Please
update your Favorites link to the newsgroups web page, your current link
will redirect until November 1, 2005.
Please post any comment, questions or concerns to the
microsoft.private.directaccess.partnerfeedback newsgroup. For more
information, please go to:
https://partner.microsoft.com/global...edsupport/4001
4662



westernwind

      07-18-2005, 05:15 PM
Ken Zhao,

I did have the CERTSVC_DCOM_ACCESS group on my system. When I checked there
were no members in this group. I added all of my AD/DC servers as members
and the errors in the event logs have gone away.
--
Thanks in advance

westernwind
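The check and fix that the thread arrives at (Ken Zhao's re-run of the CA's DCOM security update, and westernwind's confirmation that the real problem was an empty CERTSVC_DCOM_ACCESS group on a CA running on a DC), as an added PowerShell example. This is not code from either post. It assumes it is run elevated on the CA host by a Domain Admin with the ActiveDirectory module (RSAT) installed; certutil.exe ships with Windows. The function names Test-DcomSecurityUpdatedFlag, Get-DcMissingFromDcomAccess and Repair-DcomAccess are mine. It goes one step beyond the thread: by default it adds the Domain Controllers group to CERTSVC_DCOM_ACCESS rather than each DC's computer account, because DC computer accounts live in Domain Controllers (not Domain Computers), so a DC promoted later is covered without anyone remembering this thread; -AddIndividualComputers does what westernwind did instead.

```powershell
# Added example for this thread; not code posted by either participant.
# Assumptions: elevated PowerShell on the CA host, Domain Admin rights,
# ActiveDirectory module (RSAT) present, certutil.exe on the path.
Import-Module ActiveDirectory -ErrorAction Stop

$GroupName = 'CERTSVC_DCOM_ACCESS'

# Has the CA's one-time DCOM security update been recorded as done?
# certutil decodes the SetupStatus DWORD into the names of the bits that are set.
function Test-DcomSecurityUpdatedFlag {
    $status = (& certutil.exe -getreg SetupStatus 2>&1) -join "`n"
    return ($status -match 'SETUP_DCOM_SECURITY_UPDATED_FLAG')
}

# Which domain controllers are not members of the group, directly or through
# a nested group? Returns the missing computer objects (nothing when all are covered).
function Get-DcMissingFromDcomAccess {
    param([string]$Group = $GroupName)
    $grp = Get-ADGroup -Filter "SamAccountName -eq '$Group'"
    if (-not $grp) {
        throw "Group '$Group' does not exist; the CA's DCOM security update has not created it."
    }
    # -Recursive expands nested groups, so a DC covered via 'Domain Controllers' counts as present.
    $memberSids = @(Get-ADGroupMember -Identity $grp -Recursive | ForEach-Object { $_.SID.Value })
    foreach ($dc in Get-ADDomainController -Filter *) {
        $computer = Get-ADComputer -Identity $dc.ComputerObjectDN
        if ($memberSids -notcontains $computer.SID.Value) { $computer }
    }
}

# Create the group if the CA never did, then grant the DCs DCOM access to the CA.
function Repair-DcomAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Group = $GroupName,
        [switch]$AddIndividualComputers   # add each DC's computer account, as in the thread
    )
    Write-Verbose ("SETUP_DCOM_SECURITY_UPDATED_FLAG set: {0}" -f (Test-DcomSecurityUpdatedFlag))

    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$Group'")) {
        # The fix from the thread: clearing the flag makes certsvc re-run its DCOM
        # security update (group creation and DCOM ACL) the next time it starts.
        if ($PSCmdlet.ShouldProcess('certsvc', 'clear SETUP_DCOM_SECURITY_UPDATED_FLAG and restart')) {
            & certutil.exe -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG | Out-Null
            Restart-Service -Name certsvc
        }
        if (-not (Get-ADGroup -Filter "SamAccountName -eq '$Group'")) {
            throw "'$Group' still missing after the certsvc restart; check the Application log on the CA."
        }
    }

    $missing = @(Get-DcMissingFromDcomAccess -Group $Group)
    if ($missing.Count -eq 0) { Write-Verbose 'Every DC already has DCOM access to the CA.'; return }

    if ($AddIndividualComputers) {
        if ($PSCmdlet.ShouldProcess(($missing.Name -join ', '), "add to $Group")) {
            Add-ADGroupMember -Identity $Group -Members $missing
        }
    } else {
        $dcGroup = Get-ADGroup -Identity 'Domain Controllers'
        if ($PSCmdlet.ShouldProcess('Domain Controllers', "add to $Group")) {
            Add-ADGroupMember -Identity $Group -Members $dcGroup
        }
    }
    Get-DcMissingFromDcomAccess -Group $Group   # should now return nothing
}

# Dry run first, then apply:
# Repair-DcomAccess -Verbose -WhatIf
# Repair-DcomAccess -Verbose
```

Two caveats a practitioner will hit. First, a DC's group memberships are carried in its Kerberos ticket, so the new membership only takes effect after the DC gets a fresh ticket: reboot the DC on Windows 2003, or on 2008 R2 and later run `klist -li 0x3e7 purge` and then `certutil -pulse` (or `gpupdate /force`) to retrigger autoenrollment; `certutil -config "CAHOST\CA Name" -ping` from the DC confirms the DCOM path to the CA is open before you wait for the next autoenrollment cycle. Second, CERTSVC_DCOM_ACCESS is the ACL on the CA's DCOM enrollment interfaces: add the principals that need to enroll (Domain Controllers, and whatever Domain Users/Domain Computers the CA already put there), not Everyone or Authenticated Users from other forests, or the access-denied event goes away at the cost of letting anything on the network talk to the CA.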


Ken Zhao [MSFT]

      07-19-2005, 06:06 AM
Hello,

Glad to hear the event errors have gone away. If you have any questions in
the future, feel free to post here. We are glad to be of assistance.

Thank you for using our newsgroup!

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
