Re: Domain Controller Certificate Renewal

From: William Hudson (whudson_at_privacy.net)
Date: 04/22/05


Date: Fri, 22 Apr 2005 14:06:35 +0100

Brian -

Many thanks for such a simple fix. I certainly wouldn't have thought of that
as a solution (that's what I get for not reading the service pack release
notes, I guess).

I'll let you know if the problem persists.

Regards,

William

"Brian Komar (MVP)" <bkomar@nospam.identit.ca> wrote in message
news:MPG.1cd2a4edef7aea5b989697@msnews.microsoft.com...
> In article <e5vf1xyRFHA.3156@TK2MSFTNGP15.phx.gbl>, whudson@privacy.net
> says...
>> I am running a very simple domain with two Windows 2003 servers (standard
>> edition). I have recently upgraded both to SP1. A couple of days ago the DC
>> that is not the CA started to show AutoEnrollment errors in the event log.
>> It seems it is trying to renew its DC certificate, which is going to expire
>> at the end of May.
>>
>> I have found the DC certificate template on the server that is the CA. It
>> shows that autoenrollment is not allowed. I can find no way of changing
>> this. Can I allow autoenrollment or can I renew the certificate by hand?
>>
>> Regards,
>>
>> William
>>
>>
>>
> Hi William,
>
> SP1 locked down DCOM access to the CA, and this is what has caused the
> errors.
> The fix is simple, just add the Domain Controllers group to the
> CERTSVC_DCOM_ACCESS group that was added as part of SP1.
>
> For details, look for the section titled "Certificate Services: Effects
> of security enhancements to the DCOM protocol" in KB article 889101.
> http://support.microsoft.com/kb/889101
>
> The article does need to be updated to indicate that you must manually
> add the Domain Controllers group to the CERTSVC_DCOM_ACCESS domain local
> group.
>
> Brian
> --
> ==
> Brian Komar
> MVP - Windows - Security
> http://www.identit.ca/blogs/brian
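An added check for the fix Brian describes (not code from the thread): it reports whether the Domain Controllers group is a member of the CERTSVC_DCOM_ACCESS domain local group and can add it. It assumes the ActiveDirectory PowerShell module (RSAT), which is newer than the Windows 2003 systems discussed, and an account with rights to modify the group.

```powershell
# Added example, not from the original thread.
# Checks whether 'Domain Controllers' is a member of CERTSVC_DCOM_ACCESS,
# the domain local group that governs DCOM access to the CA after SP1
# (KB 889101). Missing membership is the cause of the autoenrollment
# errors on DCs that are not the CA.
# Assumes: ActiveDirectory module is available; caller may modify the group.
function Test-CertSvcDcomAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string] $GroupName  = 'CERTSVC_DCOM_ACCESS',
        [string] $MemberName = 'Domain Controllers',
        [switch] $Remediate
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    if ($group.GroupScope -ne 'DomainLocal') {
        # KB 889101 describes a domain local group when the CA is a DC.
        Write-Warning "$GroupName has scope $($group.GroupScope), not DomainLocal"
    }

    $present = Get-ADGroupMember -Identity $group |
        Where-Object { $_.Name -eq $MemberName }

    if ($present) {
        Write-Output "OK: '$MemberName' is a member of $GroupName"
        return $true
    }

    Write-Output "MISSING: '$MemberName' is not in $GroupName (DC autoenrollment will fail)"
    if ($Remediate -and $PSCmdlet.ShouldProcess($GroupName, "Add member '$MemberName'")) {
        $dcGroup = Get-ADGroup -Identity $MemberName -ErrorAction Stop
        Add-ADGroupMember -Identity $group -Members $dcGroup
        # A DC's machine account sees the new membership once it obtains a
        # fresh token (for example after a reboot).
        Write-Output "Added '$MemberName' to $GroupName"
        return $true
    }
    return $false
}

# Report only, then preview the remediation without changing anything.
Test-CertSvcDcomAccess
Test-CertSvcDcomAccess -Remediate -WhatIf
```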
