Re: Domain Controller Certificate Renewal

From: MVP (bkomar_at_nospam.identit.ca)
Date: 04/22/05


Date: Fri, 22 Apr 2005 07:08:03 -0500

In article <e5vf1xyRFHA.3156@TK2MSFTNGP15.phx.gbl>, whudson@privacy.net
says...
> I am running a very simple domain with two Windows 2003 servers (standard
> edition). I have recently upgraded both to SP1. A couple of days ago the DC
> that is not the CA started to show AutoEnrollment errors in the event log.
> It seems it is trying to renew its DC certificate that is going to expire
> at the end of May.
>
> I have found the DC certificate template on the server that is the CA. It
> shows that autoenrollment is not allowed. I can find no way of changing
> this. Can I allow autoenrollment or can I renew the certificate by hand?
>
> Regards,
>
> William
>
>
>
Hi William,

SP1 locked down DCOM access to the CA, and this is what has caused the
errors.
The fix is simple, just add the Domain Controllers group to the
CERTSVC_DCOM_ACCESS group that was added as part of SP1.

For details, look for the section titled "Certificate Services: Effects
of security enhancements to the DCOM protocol" in KB article 889101.
http://support.microsoft.com/kb/889101

The article does need to be updated to indicate that you must manually
add the Domain Controllers group to the CERTSVC_DCOM_ACCESS domain local
group.

Brian

-- 
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
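The membership change Brian describes, followed by a check that the affected DC can actually enroll again, as an added worked example (this is not code from the reply or from KB 889101). It assumes the ActiveDirectory PowerShell module is available (RSAT on Windows Server 2008 R2 or later; on the 2003-era servers in the thread the equivalent one-liner on the CA is `net localgroup CERTSVC_DCOM_ACCESS "Domain Controllers" /add`), that the CA is domain-joined so CERTSVC_DCOM_ACCESS is a domain local group in AD, and that the DC logging the AutoEnrollment errors is named DC2; all three are assumptions, not details from the post.

```powershell
# Added example; not part of the original reply or of KB 889101.
# Assumptions: ActiveDirectory module present, CA is domain-joined (so
# CERTSVC_DCOM_ACCESS lives in AD as a domain local group), and the DC that
# fails to autoenroll is called DC2. Run from an account that can modify
# group membership and has admin rights on DC2.
Import-Module ActiveDirectory

$dcomGroup = 'CERTSVC_DCOM_ACCESS'     # created on the CA by Windows Server 2003 SP1
$toAdd     = 'Domain Controllers'      # the global group the reply says is missing

# 1. Sanity check: the group must exist and be domain local; anything else
#    means this is not the domain-joined CA the thread is about.
$g = Get-ADGroup -Identity $dcomGroup
if ($g.GroupScope -ne 'DomainLocal') {
    throw "$dcomGroup has scope $($g.GroupScope); expected DomainLocal on a domain-joined CA"
}

# 2. Add Domain Controllers only if it is not already a direct member
#    (Add-ADGroupMember raises an error on a duplicate add).
$dcGroupSid = (Get-ADGroup -Identity $toAdd).SID
$present = Get-ADGroupMember -Identity $dcomGroup | Where-Object { $_.SID -eq $dcGroupSid }
if (-not $present) {
    Add-ADGroupMember -Identity $dcomGroup -Members $toAdd
    Write-Host "Added '$toAdd' to $dcomGroup"
} else {
    Write-Host "'$toAdd' is already a member of $dcomGroup"
}

# 3. Record the resulting membership.
Get-ADGroupMember -Identity $dcomGroup | Select-Object Name, objectClass, SID

# 4. The DC's computer account only carries the new group SID once its
#    Kerberos tickets are refreshed, so purge the machine (LocalSystem,
#    logon id 0x3e7) tickets, or reboot, before forcing an autoenrollment pass.
Invoke-Command -ComputerName 'DC2' -ScriptBlock {
    klist -li 0x3e7 purge | Out-Null      # drop cached machine-account tickets
    certutil -pulse | Out-Null            # trigger autoenrollment immediately
    Start-Sleep -Seconds 60               # give the enrollment a moment to finish

    # The Certificate Template Name extension (OID 1.3.6.1.4.1.311.20.2)
    # carries the V1 template name; the DC template is "DomainController".
    # A NotAfter well past the end of May shows the renewal succeeded.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
        $ext -and $ext.Format($false) -like '*DomainController*'
    } | Select-Object Subject, NotBefore, NotAfter, Thumbprint

    # Most recent autoenrollment client events, success or the DCOM
    # access-denied failures that started after SP1.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = '*AutoEnrollment*' } `
        -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}
```

If step 4 still shows the old certificate and an access-denied autoenrollment event, check the DCOM side on the CA as well: the SP1 change only works if CERTSVC_DCOM_ACCESS itself still holds the Remote Activation and Remote Access rights on the CertSrv Request DCOM application (dcomcnfg), which KB 889101 describes. Adding Domain Users or Domain Computers to the same group is the fix when ordinary users' or workstations' autoenrollment breaks in the same way.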