Re: Domain Controller Certificate Renewal
From: MVP (bkomar_at_nospam.identit.ca)
Date: Fri, 22 Apr 2005 07:08:03 -0500
In article <e5vf1xyRFHA.3156@TK2MSFTNGP15.phx.gbl>, firstname.lastname@example.org
> I am running a very simple domain with two Windows 2003 servers (standard
> edition). I have recently upgraded both to SP1. A couple of days ago the DC
> that is not the CA started to show AutoEnrollment errors in the event log.
> It seems it is trying to renew its DC certificate that is going to expire
> at the end of May.
> I have found the DC certificate template on the server that is the CA. It
> shows that autoenrollment is not allowed. I can find no way of changing
> this. Can I allow autoenrollment or can I renew the certificate by hand?
SP1 locked down DCOM access to the CA, and this is what has caused the
The fix is simple, just add the Domain Controllers group to the
CERTSVC_DCOM_ACCESS group that was added as part of SP1.
For details, look for the section titled "Certificate Services: Effects
of security enhancements to the DCOM protocol" in KB article 889101.
The article does need to be updated to indicate that you must manually
add the Domain Controllers group to the CERTSVC_DCOM_ACCESS domain local
--
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
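A worked check for the fix Brian describes, added here as an example and not taken from the thread or from KB 889101: it verifies whether the Domain Controllers group is a direct member of CERTSVC_DCOM_ACCESS and adds it if not, then reports machine certificates on the affected DC that are close to expiry. It assumes the ActiveDirectory PowerShell module (RSAT) is available and that the caller has rights to modify the group; the group and member names are the ones named in the reply, and the 45-day warning window is an arbitrary, constructed value.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module from RSAT and an account permitted to edit CERTSVC_DCOM_ACCESS.
Import-Module ActiveDirectory

function Test-CertSvcDcomAccess {
    <#
      Ensures the Domain Controllers global group is a direct member of the
      CERTSVC_DCOM_ACCESS domain local group (created by Windows Server 2003
      SP1 on a CA that runs on a DC). Returns $true when membership is in
      place afterwards. Use -Fix to add the member when it is missing.
    #>
    param(
        [string]$GroupName  = 'CERTSVC_DCOM_ACCESS',   # name as given in the reply
        [string]$MemberName = 'Domain Controllers',
        [switch]$Fix
    )

    $group  = Get-ADGroup -Identity $GroupName  -ErrorAction Stop
    $member = Get-ADGroup -Identity $MemberName -ErrorAction Stop

    # Direct membership only: nested membership would not be listed by
    # Get-ADGroupMember -Recursive, which returns leaf objects.
    $currentDns = Get-ADGroupMember -Identity $group |
        Select-Object -ExpandProperty DistinguishedName

    if ($currentDns -contains $member.DistinguishedName) {
        Write-Output "$MemberName is already a member of $GroupName"
        return $true
    }

    if (-not $Fix) {
        Write-Warning "$MemberName is NOT a member of $GroupName; rerun with -Fix to add it"
        return $false
    }

    Add-ADGroupMember -Identity $group -Members $member -ErrorAction Stop
    Write-Output "Added $MemberName to $GroupName"
    return $true
}

function Get-ExpiringMachineCertificate {
    <#
      Lists certificates in the local machine's personal store that expire
      within $Days days, with the template name where the certificate carries
      the Certificate Template Name extension (OID 1.3.6.1.4.1.311.20.2).
      Run this on the DC that logs the AutoEnrollment errors.
    #>
    param([int]$Days = 45)   # constructed warning window, adjust to taste

    $cutoff = (Get-Date).AddDays($Days)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.NotAfter -le $cutoff } |
        ForEach-Object {
            $tmpl = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
            [pscustomobject]@{
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
                Template   = if ($tmpl) { $tmpl.Format($false) } else { '(none)' }
                Thumbprint = $_.Thumbprint
            }
        }
}

# Usage: check first, then apply the fix, then see what is about to lapse.
Test-CertSvcDcomAccess
Test-CertSvcDcomAccess -Fix
Get-ExpiringMachineCertificate -Days 45 | Format-Table -AutoSize
```

After the group change, autoenrollment runs again at its next scheduled interval; once the DC obtains a fresh certificate the AutoEnrollment errors should stop and the expiring entry should drop out of the report above. On a Windows Server 2003 host without PowerShell, the same membership change can be made from Active Directory Users and Computers, as the reply suggests.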