Re: Domain Controller Certificate Renewal

From: MVP (bkomar_at_nospam.identit.ca)
Date: 04/22/05


Date: Fri, 22 Apr 2005 07:08:03 -0500

In article <e5vf1xyRFHA.3156@TK2MSFTNGP15.phx.gbl>, whudson@privacy.net
says...
> I am running a very simple domain with two Windows 2003 servers (standard
> edition). I have recently upgraded both to SP1. A couple of days ago the DC
> that is not the CA started to show AutoEnrollment errors in the event log.
> It seems it is trying to renew its DC certificate that is going to expire
> at the end of May.
>
> I have found the DC certificate template on the server that is the CA. It
> shows that autoenrollment is not allowed. I can find no way of changing
> this. Can I allow autoenrollment or can I renew the certificate by hand?
>
> Regards,
>
> William
>
>
>
Hi William,

SP1 locked down DCOM access to the CA, and this is what has caused the
errors.
The fix is simple: just add the Domain Controllers group to the
CERTSVC_DCOM_ACCESS group that was added as part of SP1.

For details, look for the section titled "Certificate Services: Effects
of security enhancements to the DCOM protocol" in KB article 889101.
http://support.microsoft.com/kb/889101

The article does need to be updated to indicate that you must manually
add the Domain Controllers group to the CERTSVC_DCOM_ACCESS domain local
group.

Brian

-- 
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
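The membership change Brian describes, written out as an added PowerShell example (this is editor-supplied code, not part of the original thread or of KB 889101). It assumes the ActiveDirectory module from RSAT is available and the caller has rights to modify group membership; the group names are the defaults SP1 creates (CERTSVC_DCOM_ACCESS) and the built-in Domain Controllers group, and the event source name used for the final check is the 2003-era "AutoEnrollment" source, which is an assumption about the affected DC's OS version.

```powershell
# Added example: grant Domain Controllers DCOM access to the CA after the
# Windows Server 2003 SP1 lockdown described in the thread.
# Assumes: RSAT ActiveDirectory module, rights to change group membership.
#Requires -Modules ActiveDirectory

$dcomGroup = 'CERTSVC_DCOM_ACCESS'   # domain local group created by SP1 CA setup
$dcGroup   = 'Domain Controllers'    # DCs are not members of Domain Computers,
                                     # so SP1's default membership misses them

# Returns $true when the Domain Controllers group is already a direct member.
function Test-CertSvcDcomAccess {
    $members = Get-ADGroupMember -Identity $dcomGroup |
        Select-Object -ExpandProperty Name
    return ($members -contains $dcGroup)
}

if (-not (Test-CertSvcDcomAccess)) {
    Add-ADGroupMember -Identity $dcomGroup -Members $dcGroup
    Write-Host "Added '$dcGroup' to '$dcomGroup'."
}
else {
    Write-Host "'$dcGroup' is already a member of '$dcomGroup'."
}

# Show the resulting membership so the change can be reviewed.
Get-ADGroupMember -Identity $dcomGroup | Select-Object Name, objectClass

# On the affected DC: the machine account's Kerberos ticket was issued before
# the membership change and does not yet carry the new group SID, so either
# reboot the DC or purge its system-session tickets (klist -li 0x3e7 purge)
# before expecting autoenrollment to succeed. Then confirm the errors stop.
# 'AutoEnrollment' is the Windows Server 2003 event source (assumption: the
# DC runs that OS; newer releases log under a different provider name).
Get-EventLog -LogName Application -Source 'AutoEnrollment' -EntryType Error -Newest 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, EventID, Message
```

Run this on the CA or any domain-joined management host with RSAT. The membership test is kept as a function so the same script can be re-run as an audit: on a healthy domain it changes nothing and only reports. The ticket-purge step matters because DCOM authorization on the CA is evaluated against the calling DC's token, not against AD directly, so a stale token keeps returning access-denied even after the group is correct.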

