Networking Forums

Forest, Domain, Certificate, CA, IAS/Radius, Issues

 
 
Tony S
      12-16-2007, 08:23 PM
This is a strange one... Not sure where to begin. First a little about the
organization; Single AD forest with four total domains (not children). One
of the domains (A) is forest root, other three (B, C & D) are simply domains
in the forest added at the top. Running a stand-alone enterprise CA on
domain controller in domain A. Having some strange certificate issues with
domain B. Domain B has three total domain controllers (1, 2 and 3). DC1 is
the subordinate CA for domain B.

At domain B, we use IAS to authenticate workstation connections via 802.1x
port-based authentication between switches and workstations (PEAP). IAS must
have a valid Domain Controller certificate in order to function. Upon
investigating further, I see that the DC for domain B which is running IAS
(DC2) is having problems renewing its DC certificate from its CA. Access
denied issues with AutoEnrollment:

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 12/16/2007
Time: 12:10:41 PM
User: N/A
Computer: DomainB_DC2
Description:
Automatic certificate enrollment for local system failed to enroll for one
Domain Controller certificate (0x80070005). Access is denied.

I have attempted to re-install the subordinate CA (Cert Services) on
DomainB_DC1 but could not do so automatically since I also had access denied
issues requesting/obtaining a certificate from the enterprise root CA.

Furthermore, I have recently discovered that DomainB has an "Enterprise
Admins" group! Also, this domain did not have a "CERTSVC_DCOM_ACCESS" group
until after I reinstalled Certificate Services.

Any ideas what might be going on here? At first I was thinking that the
administrator of DomainB removed the domain from the forest and re-added it.
Not sure.

Thank you in advance,

Tony


 
Joe Wu [MSFT]
      12-17-2007, 12:17 PM
Hello,

Thank you for your post.

Are these two related DCs (DomainB_DC1, and DomainB_DC2) Windows Server
2003 with the latest Service Pack? Also, is DomainB_DC1 installed as
Enterprise CA?

Please check the following:

1. Ensure the domain accounts of both DCs have full control to the Domain
Controller certificate template.

You can run certtmpl.msc on the CA server and then assign the permissions.

2. Please check if you can manually request a Domain Controller certificate
on DC2.

3. Generally, the new CERTSVC_DCOM_ACCESS security group should be
generated if the DC applies Windows Server 2003 SP1. Please let me know how
you reinstall the CA service and then double check this group on other DCs.

If you can find it, we can have Certificate Services update the DCOM
security settings by running the following commands:

certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc

Hope this helps. Thanks!

Regards,
Joe Wu
Microsoft Online Support

======================================================
When responding to posts, please "Reply to Group" via your newsreader so that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================


 
Joe Wu [MSFT]
      12-19-2007, 09:15 AM
Hello,

How are you doing? I am just checking to see how things are going there on
this issue. If you would like further assistance, please do not hesitate to
let me know. It is my pleasure to help.

Thanks, and have a great day!

Regards,
Joe Wu
Microsoft Online Partner Support

======================================================
PLEASE NOTE: The partner managed newsgroups are provided to assist with break/fix
issues and simple how to questions.

We also love to hear your product feedback!

Let us know what you think by posting
- from the web interface: Partner Feedback
- from your newsreader: microsoft.private.directaccess.partnerfeedback.
We look forward to hearing from you!
======================================================


 
Tony S
      12-19-2007, 02:57 PM
Joe,

All servers are Windows Server 2003 with service pack 2.
Only DomainA has the "Enterprise Root CA" and DomainB_DC1 is a subordinate
CA in the same forest.
I have checked and set the permissions as requested. I still cannot renew
the DomainB Domain Controllers' (DC2 and DC3) certificates. When I try using
the Certificate Renewal Wizard, I get "The certificate request failed
because of one of the following conditions: - The certificate request was
submitted to a Certificate Authority (CA) that is not started. - You do not
have the permissions to request certificates from the available CAs." If I
try to auto-enroll, I receive the following event in the event log:

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 12/19/2007
Time: 10:16:10 AM
User: N/A
Computer: TIDC03
Description:
Automatic certificate enrollment for local system failed to enroll for one
Domain Controller certificate (0x80070005). Access is denied.

How do I manually request a Domain Controller certificate from DC2? I know
how to submit a manual request from IIS for a web server certificate, but
not for a Domain Controller certificate. If I try to use the web-enrollment
tool (http://DomainB_DC1/certsrv) the only certificate templates I get are
"Administrator, Basic EFS, EFS Recovery Agent, User, Subordinate Certificate
Authority and Web Server." I do not see a "Domain Controller" template
option.

To reinstall the CA service on DomainB_DC1, I first logon as the Enterprise
Admin, then remove the Certificate Services component. Then I re-add the
Certificate Services component selecting "Enterprise subordinate CA." I
select a CA name (same as old one to overwrite the old key and old CA found
in AD.) If I try then to "send the request directly to a CA already on the
network" and pick the Enterprise Root CA (DomainA_DC1), I get the error
"Cannot ping the selected CA. Please make sure the CA is running. Access is
denied. 0x80070005 (WIN32: 5)". I then have to save the request to a file
and manually submit it to the Enterprise Root CA. Then I import the manual
certificate that was generated and I can start the CA services on
DomainB_DC1. However, this does not help me obtain a new Domain Controller
certificate on DomainB_DC2 or 3.

I ran the command "certutil -setreg
SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG" on DomainA_DC1 (the root CA)
and DomainB_DC1. Did not help.

Thank you,

Tony

Joe Wu [MSFT]
      12-20-2007, 12:49 PM
Hello Tony,

Thank you for your reply.

Have you removed the CA certificate of the previous subordinate CA (on
DomainB_DC1) on DC2 and DC3? Because the CA service has been reinstalled,
we need to remove the CA certificate and add the new one for the new CA
service.

To delete the previous CA's CA certificates from the problematic DC (DC2,
and DC3), please follow these steps on DC2 and DC3:

1) Click "Start", click "Run", type "MMC" (without the quotation marks),
and then click "OK".

2) Click the File menu, click "Add/Remove Snap-ins", and then click "Add".

3) Click "Certificates" and then click the "Add" button in the "Add
standalone" snap-in.

4) Click "Computer Account", click Next, ensure "Local computer" is
selected, and then click "Finished".

5) Expand "Trusted Root Certification Authorities" -> Certificates. Delete
the CA certificates of the previous CA, DomainB_DC1.

After that, please connect to http://DomainB_DC1/certsrv and re-add the new
CA certificate on each DC.

To do so, go to the problematic client computers and perform the following
steps:

1) Browse to:

http://DomainB_DC1/certsrv

2) Click "Download a CA certificate, certificate chain, or CRL".

3) Click the link of "To trust certificates issued from this certification
authority, install this CA certificate chain".

Please check if the problem can be resolved.

Thanks!

Regards,
Joe Wu
Microsoft Online Partner Support
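As an added diagnostic that is not part of this thread (neither Tony's nor Microsoft's code), the PowerShell script below checks on DC2 or DC3 the three things the exchange turns on: whether the DC still holds a current Domain Controller certificate (the one IAS needs), whether a CA certificate for the old, pre-reinstall subordinate CA is still trusted alongside the new one (the cleanup in steps 1-5 above), and the recent AutoEnrollment Event ID 13 failures from the first post. The subordinate CA's name 'DomainB-DC1-CA' is a placeholder; substitute the real CA name.

```powershell
# Added diagnostic, not from the thread. Run on DC2/DC3 as a local administrator.
$oldCaName = 'DomainB-DC1-CA'   # placeholder: the CA name chosen when reinstalling DomainB_DC1

# 1. Does this DC hold a Domain Controller certificate, and has it expired?
#    v1 templates are identified by the Certificate Template Name extension.
$templateOid = '1.3.6.1.4.1.311.20.2'
$dcCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    $ext -and $ext.Format($false) -match 'DomainController'
}
if (-not $dcCerts) {
    'No Domain Controller certificate in LocalMachine\My: IAS/PEAP will fail until enrollment works'
}
foreach ($c in $dcCerts) {
    $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { "valid until $($c.NotAfter)" }
    "DC cert {0} issued by '{1}': {2}" -f $c.Thumbprint, $c.Issuer, $state
}

# 2. More than one CA certificate carrying the old CA's name in the trusted stores
#    means the certificate of the CA that was removed is still trusted next to the
#    new one; the thumbprints tell them apart when deleting the stale entry.
$caCerts = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like "CN=$oldCaName*" }
"CA certificates named '$oldCaName' in Root/CA stores: $(@($caCerts).Count)"
$caCerts | Sort-Object NotBefore | ForEach-Object {
    "  {0}  store={1}  issued {2}  expires {3}" -f $_.Thumbprint, $_.PSParentPath.Split('\')[-1], $_.NotBefore, $_.NotAfter
}

# 3. Recent AutoEnrollment errors; Event ID 13 with 0x80070005 is the failure
#    reported in the thread. The first line of each message carries the template.
Get-EventLog -LogName Application -Source AutoEnrollment -EntryType Error -Newest 5 -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 13 } |
    ForEach-Object { "{0}  {1}" -f $_.TimeGenerated, ($_.Message -split "`n")[0] }
```

If step 2 reports more than one certificate, the older thumbprint is the one to remove before re-importing the chain from http://DomainB_DC1/certsrv; if step 1 shows an expired or missing certificate, re-run enrollment (`certutil -pulse` on a current OS, or gpupdate on Windows Server 2003) and re-check step 3.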

Joe Wu [MSFT]
      12-26-2007, 09:12 AM
Hello,

How are you?

I just want to say hi and see how this is going. Please drop me a quick
note at your convenience to let me know the current status of this issue. If
you have any concerns, please do not hesitate to let me know. Thanks, and
have a great day!

Regards,
Joe Wu
Microsoft Online Partner Support
