Re: Domain Controller Certificate Renewal

From: William Hudson (whudson_at_privacy.net)
Date: 04/22/05


Date: Fri, 22 Apr 2005 14:06:35 +0100

Brian -

Many thanks for such a simple fix. I certainly wouldn't have thought of that
as a solution (that's what I get for not reading the service pack release
notes, I guess).

I'll let you know if the problem persists.

Regards,

William

"Brian Komar (MVP)" <bkomar@nospam.identit.ca> wrote in message
news:MPG.1cd2a4edef7aea5b989697@msnews.microsoft.com...
> In article <e5vf1xyRFHA.3156@TK2MSFTNGP15.phx.gbl>, whudson@privacy.net
> says...
>> I am running a very simple domain with two Windows 2003 servers (standard
>> edition). I have recently upgraded both to SP1. A couple of days ago the
>> DC that is not the CA started to show AutoEnrollment errors in the event
>> log. It seems it is trying to renew its DC certificate that is going to
>> expire at the end of May.
>>
>> I have found the DC certificate template on the server that is the CA. It
>> shows that autoenrollment is not allowed. I can find no way of changing
>> this. Can I allow autoenrollment or can I renew the certificate by hand?
>>
>> Regards,
>>
>> William
>>
>>
>>
> Hi William,
>
> SP1 locked down DCOM access to the CA, and this is what has caused the
> errors.
> The fix is simple, just add the Domain Controllers group to the
> CERTSVC_DCOM_ACCESS group that was added as part of SP1.
>
> For details, look for the section titled "Certificate Services: Effects
> of security enhancements to the DCOM protocol" in KB article 889101.
> http://support.microsoft.com/kb/889101
>
> The article does need to be updated to indicate that you must manually
> add the Domain Controllers group to the CERTSVC_DCOM_ACCESS domain local
> group.
>
> Brian
> --
> ==
> Brian Komar
> MVP - Windows - Security
> http://www.identit.ca/blogs/brian
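
The membership check behind the fix described above, as an added example that is not part of either poster's message and not Microsoft's own script. It assumes a single domain as in the thread, a management host with the ActiveDirectory PowerShell module (which postdates Windows 2003), and a hypothetical `-Apply` switch that controls whether the group is changed.

```powershell
# Added example: audit, and optionally repair, CERTSVC_DCOM_ACCESS membership.
# Assumption: ActiveDirectory module (RSAT) is available and the CA is in the
# current domain. Without -Apply (hypothetical switch) the script only reports.
param([switch]$Apply)

Import-Module ActiveDirectory

$accessGroup = Get-ADGroup -Identity 'CERTSVC_DCOM_ACCESS'
$dcGroup     = Get-ADGroup -Identity 'Domain Controllers'

# Direct members only: the fix is to add the Domain Controllers group itself.
$direct = @(Get-ADGroupMember -Identity $accessGroup)
$direct | Sort-Object Name |
    Format-Table Name, objectClass, distinguishedName -AutoSize

$present = $direct.distinguishedName -contains $dcGroup.DistinguishedName

if ($present) {
    Write-Output "OK: '$($dcGroup.Name)' is a member of '$($accessGroup.Name)'."
}
elseif ($Apply) {
    Add-ADGroupMember -Identity $accessGroup -Members $dcGroup
    Write-Output "Added '$($dcGroup.Name)' to '$($accessGroup.Name)'."
}
else {
    Write-Warning ("'$($dcGroup.Name)' is NOT in '$($accessGroup.Name)'; " +
        "DC certificate enrollment over DCOM will be denied. Re-run with -Apply.")
}

# A computer account picks up new group membership only when it gets a fresh
# Kerberos ticket, so the affected DC needs a restart (or a purge of its
# machine tickets) before it can enroll. Afterwards, on that DC, run
#   certutil -pulse
# to trigger autoenrollment and confirm the AutoEnrollment errors stop.
```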


