Re: Domain Controller Certificate Renewal

From: MVP (
Date: 04/22/05

Date: Fri, 22 Apr 2005 07:08:03 -0500

In article <e5vf1xyRFHA.3156@TK2MSFTNGP15.phx.gbl>,
> I am running a very simple domain with two Windows 2003 servers (standard
> edition). I have recently upgraded both to SP1. A couple of days ago the DC
> that is not the CA started to show AutoEnrollment errors in the event log.
> It seems it is trying to renew its DC certificate that is going to expire
> at the end of May.
> I have found the DC certificate template on the server that is the CA. It
> shows that autoenrollment is not allowed. I can find no way of changing
> this. Can I allow autoenrollment or can I renew the certificate by hand?
> Regards,
> William
Hi William,

SP1 locked down DCOM access to the CA, and this is what has caused the
The fix is simple, just add the Domain Controllers group to the
CERTSVC_DCOM_ACCESS group that was added as part of SP1.

For details, look for the section titled "Certificate Services: Effects
of security enhancements to the DCOM protocol" in KB article 889101.

The article does need to be updated to indicate that you must manually
add the Domain Controllers group to the CERTSVC_DCOM_ACCESS domain local


Brian Komar
MVP - Windows - Security
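The group-membership change Brian describes, written as an added example rather than anything from the original thread or from the KB article: it checks whether Domain Controllers is already in CERTSVC_DCOM_ACCESS, adds it only if missing, verifies the result, and then refreshes the affected DC so it can retry autoenrollment. It assumes the ActiveDirectory PowerShell module (RSAT) on an administrative workstation, WinRM on the DC, and placeholder names for the CA and the failing DC; CERTSVC_DCOM_ACCESS and Domain Controllers are the names from the post.

```powershell
# Added example, not code from the original post or from Microsoft's KB.
# Assumes: ActiveDirectory module (RSAT) available; you run as a domain admin;
# the CA is itself a DC, so CERTSVC_DCOM_ACCESS is a domain local group
# (on a member-server CA it is a local group on that server instead).
# $CaServer and $DcName are placeholders.

$DcomGroup   = 'CERTSVC_DCOM_ACCESS'    # created by Windows Server 2003 SP1
$MemberGroup = 'Domain Controllers'     # must be able to reach the CA over DCOM
$CaServer    = 'CA01.corp.example'      # placeholder: the CA host
$DcName      = 'DC02.corp.example'      # placeholder: the DC logging AutoEnrollment errors

Import-Module ActiveDirectory

# 1. Confirm the SP1 group exists and see who is already in it.
$group   = Get-ADGroup -Identity $DcomGroup -ErrorAction Stop
$members = Get-ADGroupMember -Identity $group |
           Select-Object -ExpandProperty SamAccountName
Write-Host "Current members of ${DcomGroup}: $($members -join ', ')"

# 2. Add Domain Controllers only if it is missing, so the script is safe to re-run.
#    (On the 2003-era CA itself the equivalent command line is
#     net localgroup CERTSVC_DCOM_ACCESS "DOMAIN\Domain Controllers" /add)
if ($members -notcontains $MemberGroup) {
    Add-ADGroupMember -Identity $group -Members (Get-ADGroup -Identity $MemberGroup)
    Write-Host "Added '$MemberGroup' to '$DcomGroup'."
} else {
    Write-Host "'$MemberGroup' is already a member; nothing to change."
}

# 3. Verify the change actually landed before touching the DC.
$after = Get-ADGroupMember -Identity $group |
         Select-Object -ExpandProperty SamAccountName
if ($after -notcontains $MemberGroup) {
    throw "Membership change to '$DcomGroup' did not take effect."
}

# 4. The DC's machine account only sees the new group in a fresh token.
#    klist/certutil -pulse exist on Windows Vista/2008 and later; a
#    Windows Server 2003 DC has to be rebooted instead.
Invoke-Command -ComputerName $DcName -ScriptBlock {
    klist -li 0x3e7 purge | Out-Null      # drop the machine account's Kerberos tickets
    certutil -pulse       | Out-Null      # ask autoenrollment to run again now
    # Show the most recent autoenrollment events so the retry can be checked.
    Get-WinEvent -LogName Application -MaxEvents 50 |
        Where-Object { $_.ProviderName -like '*AutoEnrollment*' -or
                       $_.ProviderName -like '*CertificateServicesClient*' } |
        Select-Object TimeCreated, Id, Message
}
```

The point worth remembering from step 4 is that membership in CERTSVC_DCOM_ACCESS is evaluated from the DC's own logon token: adding the group in AD is not enough until that DC has obtained a new machine token (ticket purge on newer systems, a reboot on 2003), which is why the errors can persist for a while after the group change even though the fix is correct.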