Re: Autoenrollment failed for Domain Controller

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/26/05


Date: Thu, 26 May 2005 15:40:07 -0500

Look in the CA Management Console for "failed requests" to see if a reason
was stated and also check Event Viewer on the CA and other domain
controllers to see if any helpful information was recorded. Check the
permissions on the certificate template for domain controllers to make sure
that they are correct and maybe try to give a domain controller computer
account explicit permissions for read and enroll to see if that makes a
difference and that the certificate template shows as being available. The
other thing I would do is to run the support tools netdiag and dcdiag on
your domain controllers to see if any problems are found, particularly for
DNS and replication. --- Steve

"MF" <mfk@yahoo.com> wrote in message
news:ORqDYzQYFHA.796@TK2MSFTNGP10.phx.gbl...
> Hi,
> I have removed an Enterprise Root CA (KB 889250) and installed a new one
> on a Windows 2003 (Standard Edition) DC. Now I get the following error on
> all additional domain controllers.
> 'Automatic certificate enrollment for local system failed to enroll for
> one Domain Controller certificate (0x80070005). Access is denied.' If I
> try to manually get a certificate, I also get an error. On a member server
> or a client I can install machine certificates! I have searched the MS KB
> and newsgroups but could not find a solution.
> Any ideas,
> Marion
>
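
The template permission check suggested in the reply above, as an added example that is not part of the original thread: it lists every ACE on the Domain Controller certificate template and flags which ones grant or deny Read and Enroll. Assumptions: PowerShell is available on a domain-joined machine, the template still has its default CN `DomainController`, and the account running it can read the Configuration partition.

```powershell
# Added example (not from the original thread): audit Read/Enroll ACEs on the
# Domain Controller certificate template stored in the AD Configuration partition.

# Certificate-Enrollment extended right. An ACE whose ObjectType is the empty
# GUID grants (or denies) every extended right, Enroll included.
$EnrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AnyRight   = [Guid]::Empty

$ADR = [System.DirectoryServices.ActiveDirectoryRights]

# Locate the template object. 'DomainController' is the default CN (assumption).
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.psbase.Properties['configurationNamingContext'].Value
$dn = "CN=DomainController,CN=Certificate Templates," +
      "CN=Public Key Services,CN=Services,$configNC"
$template = [ADSI]"LDAP://$dn"

# Explicit and inherited ACEs, with SIDs translated to account names.
$rules = $template.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])

$report = foreach ($rule in $rules) {
    $rights = $rule.ActiveDirectoryRights

    # Read: the ACE carries all of the GenericRead bits.
    $hasRead = ($rights -band $ADR::GenericRead) -eq $ADR::GenericRead

    # Enroll: an extended-right ACE scoped to Certificate-Enrollment or to all rights.
    $isExtended = ($rights -band $ADR::ExtendedRight) -eq $ADR::ExtendedRight
    $hasEnroll  = $isExtended -and
                  ($rule.ObjectType -eq $EnrollGuid -or $rule.ObjectType -eq $AnyRight)

    if ($hasRead -or $hasEnroll) {
        [PSCustomObject]@{
            Identity  = $rule.IdentityReference.Value
            Type      = $rule.AccessControlType   # Allow or Deny
            Read      = $hasRead
            Enroll    = $hasEnroll
            Inherited = $rule.IsInherited
        }
    }
}

# Deny ACEs sort first: a Deny on a group the DC belongs to overrides any Allow.
$report | Sort-Object Type, Identity -Descending | Format-Table -AutoSize
```

A domain controller can enroll only if some group it belongs to shows `Allow` with both `Read` and `Enroll` set and no matching `Deny` row.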


