Problem with Domain Controller auto-enrollment using member server root ca
-
Thursday, May 03, 2012 1:05 PM
We recently set up a Windows Server 2008 Enterprise Root CA on a member server to sign certificates, primarily for InfoPath forms, but plan to expand its use further. Presently, however, all our DCs are failing autoenrollment, and it also fails if I manually request a domain controller certificate.
I have added the Domain Users, Domain Controllers and Domain Computers groups to the local Certificate Services DCOM Access group, as well as to the domain group of the same name, and ran "certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG" then restarted the cert services.
I get the following errors on my DCs (both on 2008, only Event 13 on the 2003 ones):
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 03/05/2012 10:47:57
Event ID: 13
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: DC1.domain.local
Description:
Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from certificateserver (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Date: 03/05/2012 10:47:57
Event ID: 6
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: dc1.domain.local
Description:
Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.
I've tried this with the firewall off on both servers, and they are both on the same subnet.
I have checked the enroll and autoenroll permissions on the template and they are fine, however...
I get the error below when restarting the certificate service:
Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 03/05/2012 11:56:40
Event ID: 77
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: certificateserver.domain.local
Description:
The "Windows default" Policy Module logged the following warning: The DomainController
CNF:05f5d163-b298-4d45-b911-d8a5761a04af Certificate Template could not be loaded. Element not found. 0x80070490 (WIN32: 1168).
All the forums I've looked at seem to suggest that it's the Certificate Services DCOM group that is the issue, but I've changed those permissions already, so I'm at a bit of a loss. Users can request certificates through web enrollment no problem.
Using certutil -ping from the DC, the interface reports as alive.
All Replies
-
Thursday, May 03, 2012 1:20 PM
Do you have any CRL locations published? Are they all accessible by the CA/clients? You can take a peek at the Enterprise PKI snap-in. This should give you some more info.
Also, you might want to confirm that the root CA cert is a "Trusted Root Certification Authority". This should be the case since it's an Enterprise CA, but maybe just double check.
-
Thursday, May 03, 2012 2:14 PM
Checking the CRL locations I have:
C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
There are also http: and file: entries, but they're not set to have the CRL published to them.
From the DC I can browse to the LDAP object using ADSIEdit.
The CA is listed in the domain controllers' "Trusted Root Certification Authority" folder.
-
Thursday, May 03, 2012 3:16 PM
Also, querying the ports the CA is using from the DC reports that both 135 and 50696, which the service is currently using, are listening on the CA server.
-
Friday, May 04, 2012 3:25 AM
Very interesting, I am having the same problem. I'll update when I get it resolved.
-
Friday, May 04, 2012 3:48 AM
I had to reset the permissions on the database folder then after resetting the services on the CA it was able to pull a cert...
What a pain!
-
Friday, May 04, 2012 9:42 AM
Moderator
Hi,
"RPC server is unavailable" often belongs to the DNS/firewall settings; please check with the following article: http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
Also see: http://technet.microsoft.com/en-us/library/cc774368(WS.10).aspx
http://www.eventid.net/display.asp?eventid=13&eventno=2719&source=AutoEnrollment&phase=1
http://www.petenetlive.com/KB/Article/0000473.htm
http://support.microsoft.com/kb/931354
Hope this helps!
Best Regards
Elytis Cheng
TechNet Community Support
- Marked As Answer by Elytis ChengModerator Tuesday, May 15, 2012 9:25 AM
- Unmarked As Answer by Dr_Sanchez Tuesday, May 15, 2012 4:09 PM
-
Tuesday, May 15, 2012 10:42 AM
Could you expand on what permissions you added exactly? I've added the local Certificate Service DCOM Access group, which contains the domain admins and domain controllers, but that hasn't helped, and I just wanted to see if you'd done it differently.
-
Tuesday, May 15, 2012 11:15 AM
I'm currently testing this with both firewalls off and no third party in between the 2 servers. I think the problem lies with the permissions on the certificate server but can't seem to pin it down.
-
Tuesday, May 15, 2012 4:09 PM
Okay, finally got to the bottom of it. Although I'd added the users to the Certificate Service DCOM Access group, they needed to be added to the Distributed COM Users group as well. None of the articles seemed to mention that, oddly, so I don't know if that's meant to be required or not.
- Marked As Answer by Dr_Sanchez Tuesday, May 15, 2012 4:09 PM
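The thread boils down to two checks: whether the CA's local DCOM groups (both "Certificate Service DCOM Access" and "Distributed COM Users") contain the enrolling principals, and whether the RPC endpoint mapper on the CA is reachable from the DC at all. The PowerShell below is an added diagnostic that is not part of the thread or of any Microsoft tool; it performs those two checks. The CA host name and the three domain groups are placeholders taken from the thread and must be adjusted for your own environment. Run it on the CA for the group check, or on a DC for the reachability check.

```powershell
<#
Added example, not code from the thread. Verifies the two things this thread came
down to: the DCOM local group memberships on the CA, and RPC reachability of the
CA from a client such as a DC. The CA name and the group names below are
placeholders/assumptions; change them for your environment.
#>
param(
    [string]$CaServer = 'certificateserver.domain.local'   # placeholder from the thread
)

# The fix in the thread was that membership in 'Certificate Service DCOM Access'
# alone was not enough; 'Distributed COM Users' was needed as well.
$RequiredLocalGroups = @('Certificate Service DCOM Access', 'Distributed COM Users')
$ExpectedMembers     = @('Domain Computers', 'Domain Controllers', 'Domain Users')

function Get-LocalGroupMemberNames {
    param([string]$GroupName)
    # 'net localgroup' exists on Server 2008, where Get-LocalGroupMember does not.
    $lines = @(net localgroup "$GroupName" 2>$null)
    if ($LASTEXITCODE -ne 0) { return @() }
    # Members are listed after the dashed separator, up to the completion message.
    $inMembers = $false
    foreach ($line in $lines) {
        if ($line -match '^-{5,}') { $inMembers = $true; continue }
        if ($inMembers -and $line -and $line -notmatch 'completed successfully') {
            $line.Trim()
        }
    }
}

function Test-DcomEnrollmentGroups {
    # Emits one line per missing membership; no output means everything is present.
    foreach ($group in $RequiredLocalGroups) {
        $members = @(Get-LocalGroupMemberNames -GroupName $group)
        foreach ($expected in $ExpectedMembers) {
            # Domain principals are listed as DOMAIN\Name, so match on the trailing name.
            $present = $members | Where-Object { $_ -eq $expected -or $_ -like "*\$expected" }
            if (-not $present) { "Local group '$group' is missing '$expected'" }
        }
    }
}

function Test-RpcEndpointMapper {
    param([string]$ComputerName, [int]$Port = 135, [int]$TimeoutMs = 3000)
    # Plain TCP connect to the RPC endpoint mapper. If this fails, 0x800706ba
    # (RPC server unavailable) is a name-resolution or network problem and no
    # DCOM permission change on the CA will cure it.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$caShortName = ($CaServer -split '\.')[0]
if ($env:COMPUTERNAME -ieq $caShortName) {
    # Running on the CA: check the local DCOM groups.
    $missing = @(Test-DcomEnrollmentGroups)
    if ($missing.Count -eq 0) {
        Write-Output 'DCOM group memberships: OK'
    } else {
        $missing | ForEach-Object { Write-Output "DCOM group memberships: $_" }
        Write-Output 'After fixing membership, restart certsvc so the CA picks up the change.'
    }
    # Shows the SetupStatus flags, including SETUP_DCOM_SECURITY_UPDATED_FLAG,
    # which the original poster cleared with certutil -setreg.
    certutil -getreg SetupStatus
} else {
    # Running on a client (e.g. a DC): check that the CA's RPC endpoint mapper answers.
    $reachable = Test-RpcEndpointMapper -ComputerName $CaServer
    Write-Output ("RPC endpoint mapper (TCP 135) on {0} reachable: {1}" -f $CaServer, $reachable)
    # Same liveness probe the thread used from the DC.
    certutil -ping
}
```

If the group check reports a missing member, add it and restart the Certificate Services service; if the reachability check fails, work the DNS and firewall path from the moderator's reply before touching DCOM permissions. Note that DCOM also uses a dynamic high port after the endpoint mapper handshake (50696 in the thread), so a firewall that allows only TCP 135 will still produce the same error.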