Re: Domain Controller Certificate Renewal
From: William Hudson (whudson_at_privacy.net)
Date: Fri, 22 Apr 2005 14:06:35 +0100
Many thanks for such a simple fix. I certainly wouldn't have thought of that
as a solution (that's what I get for not reading the service pack release
notes, I guess).
I'll let you know if the problem persists.
"Brian Komar (MVP)" <firstname.lastname@example.org> wrote in message
> In article <e5vf1xyRFHA.3156@TK2MSFTNGP15.phx.gbl>, email@example.com
>> I am running a very simple domain with two Windows 2003 servers (standard
>> edition). I have recently upgraded both to SP1. A couple of days ago the
>> that is not the CA started to show AutoEnrollment errors in the event
>> It seems it is trying to renew its DC certificate that is going to
>> at the end of May.
>> I have found the DC certificate template on the server that is the CA. It
>> shows that autoenrollment is not allowed. I can find no way of changing
>> this. Can I allow autoenrollment or can I renew the certificate by hand?
> Hi William,
> SP1 locked down DCOM access to the CA, and this is what has caused the
> The fix is simple, just add the Domain Controllers group to the
> CERTSVC_DCOM_ACCESS group that was added as part of SP1.
> For details, look for the section titled "Certificate Services: Effects
> of security enhancements to the DCOM protocol" in KB article 889101.
> The article does need to be updated to indicate that you must manually
> add the Domain Controllers group to the CERTSVC_DCOM_ACCESS domain local
> Brian Komar
> MVP - Windows - Security
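As an added illustration of Brian's fix (not part of the thread, and written with today's ActiveDirectory PowerShell module rather than the 2003-era tools), the following makes the group change idempotent and shows how to verify it. It assumes CERTSVC_DCOM_ACCESS is the domain local group named above (when the CA runs on a member server the group is local to that server instead) and that you hold rights to modify it.

```powershell
# Added example, not from the original thread.
# Assumes: RSAT ActiveDirectory module is installed and the caller can
# modify group membership in the domain.
Import-Module ActiveDirectory

$dcomGroup = 'CERTSVC_DCOM_ACCESS'   # domain local group created by 2003 SP1
$dcGroup   = 'Domain Controllers'    # built-in global group; nesting it is allowed

# Is the Domain Controllers group already a member? Compare on SamAccountName
# and objectClass so a user who happens to share the name is not mistaken for it.
$alreadyMember = Get-ADGroupMember -Identity $dcomGroup |
    Where-Object { $_.objectClass -eq 'group' -and $_.SamAccountName -eq $dcGroup }

if ($alreadyMember) {
    Write-Host "$dcGroup is already a member of $dcomGroup; nothing to do."
} else {
    Add-ADGroupMember -Identity $dcomGroup -Members $dcGroup
    Write-Host "Added $dcGroup to $dcomGroup."
}

# Verify the resulting membership.
Get-ADGroupMember -Identity $dcomGroup | Select-Object Name, objectClass

# The DC's computer account only picks up the new group in its token after its
# Kerberos ticket is refreshed (in practice, after a reboot of that DC). Once
# that has happened, run this on the affected DC to trigger autoenrollment
# immediately instead of waiting for the next scheduled pass:
#   certutil -pulse
```

Check the DC's Application event log afterwards: if the AutoEnrollment errors stop and the DC certificate template shows a newly issued certificate, the DCOM access change took effect.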