Domain Controller AutoEnrollment Issues

Answered

  • Tuesday, May 1, 2012 4:03 PM

    I am admittedly not very strong with Active Directory Certificate Services. I have 4 domain controllers and am only having certificate enrollment issues with one of them. The other 3 enroll just fine.

    I have certificate services installed on a Server 2008 R2 Domain Controller. The forest and domain are at 2008 R2 functionality levels. The domain controller having trouble also holds the RID, PDC, and IM roles. I have verified the proper groups in Certificate Service DCOM Access.

    I get event ID 6 and 13 every day at 6:10 AM and 2:10 PM on the problematic DC.

    Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

    I also see event 1400 in the AD Web Services Log

    Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certificate Authority (CA) is installed on the machine.
     
     Certificate name: problemDC.domain.local

    I am in need of help on this.  Thank you in advance.


    Rob

All Replies

  • Wednesday, May 2, 2012 3:33 AM
    Moderator

    Hi,

    This error typically occurs when the certification authority is not available on the network or the service is stopped. Please follow the steps below to troubleshoot it:

    1.    In the Certificate Templates snap-in, right-click the certificate template "Domain Controller Authentication" and ensure that the Domain Controllers and ENTERPRISE DOMAIN CONTROLLERS groups have the Enroll and Autoenroll permissions, and that Authenticated Users has Read permission.

    2.    Verify that Authenticated Users is a member of the Certificate Service DCOM Access group.

    3.    Ensure that there is no firewall blocking the connection.

    Meanwhile, here are some articles which might be helpful for you:

    http://blogs.technet.com/b/instan/archive/2009/12/07/troubleshooting-autoenrollment.aspx

    http://blogs.msdn.com/b/windowsvistanow/archive/2008/04/08/troubleshooting-certificate-enrollment.aspx


    I also see event 1400 in the AD Web Services Log


    >> Please refer to the following thread to troubleshoot this issue:


    ADWS Event ID 1400
    http://social.technet.microsoft.com/Forums/en-SG/winservergen/thread/5fac0d70-7dff-46f7-8c3a-b2982bc7fffc


    Hope this helps!


    Best Regards
    Elytis Cheng

    TechNet Community Support
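The three checks in this reply can be scripted so the result is recorded rather than eyeballed in the snap-in. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads the template ACL from the Configuration partition, checks the membership of the Certificate Service DCOM Access group (assumed here, as in this thread, to be a domain group because the CA runs on a DC), tests RPC reachability of the CA, and lists the autoenrollment failures on the machine it runs on. `$CAHost` and `$CAName` are placeholders; take the real values from `certutil -dump` on a working DC.

```powershell
# Added example (not from the thread). Run on the failing DC as a domain admin with the
# ActiveDirectory module (RSAT) installed; everything it touches is read-only.
param(
    [string]$CAHost   = 'ca01.domain.local',              # assumption: CA server FQDN
    [string]$CAName   = 'domain-CA01-CA',                 # assumption: CA common name
    [string]$Template = 'DomainControllerAuthentication'  # template cn (name without spaces)
)
Import-Module ActiveDirectory

# rightsGuid of the two extended rights a template ACL grants (controlAccessRight objects in the schema)
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

function Test-AceGrantsRight {
    param($Ace, [guid]$RightGuid)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $r = $Ace.ActiveDirectoryRights
    if (($r -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0) { return $true }
    if (($r -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -eq 0) { return $false }
    # an ExtendedRight ACE with an empty ObjectType covers every extended right, not just this one
    return ($Ace.ObjectType -eq $RightGuid -or $Ace.ObjectType -eq [guid]::Empty)
}

# Step 1: template security. The snap-in shows the same nTSecurityDescriptor this reads.
function Test-TemplateAcl {
    param([string]$Name)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $acl = (Get-ADObject -Identity $dn -Properties nTSecurityDescriptor).nTSecurityDescriptor.Access
    foreach ($p in 'Domain Controllers', 'ENTERPRISE DOMAIN CONTROLLERS') {
        $aces = $acl | Where-Object { $_.IdentityReference.Value -like "*\$p" }
        [pscustomobject]@{
            Principal  = $p
            Enroll     = [bool]($aces | Where-Object { Test-AceGrantsRight $_ $EnrollGuid })
            AutoEnroll = [bool]($aces | Where-Object { Test-AceGrantsRight $_ $AutoEnrollGuid })
        }
    }
    $readBits = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, ReadProperty'
    $auth = $acl | Where-Object { $_.IdentityReference.Value -like '*\Authenticated Users' -and
                                  $_.AccessControlType -eq 'Allow' -and
                                  (($_.ActiveDirectoryRights -band $readBits) -ne 0) }
    [pscustomobject]@{ Principal = 'Authenticated Users'; Enroll = $null; AutoEnroll = $null; Read = [bool]$auth }
}

# Step 2: DCOM access group. Well-known principals are stored as foreignSecurityPrincipal
# objects named by SID, so match the member DN rather than a display name.
# (On a CA that is a member server this is a local group instead; use net localgroup there.)
function Test-DcomAccessGroup {
    $grp = Get-ADGroup -Identity 'Certificate Service DCOM Access' -Properties member
    [pscustomobject]@{
        Group              = $grp.DistinguishedName
        AuthenticatedUsers = [bool]($grp.member | Where-Object { $_ -like 'CN=S-1-5-11,CN=ForeignSecurityPrincipals,*' })
        MemberCount        = @($grp.member).Count
    }
}

# Step 3: RPC reachability. DCOM first contacts the endpoint mapper on TCP 135 and then a
# dynamic port (49152-65535 on Server 2008 R2), so a port-135 test is necessary but not
# sufficient; certutil -ping exercises the real ICertRequest interface end to end.
function Test-CAReachable {
    param([string]$Computer, [string]$CA)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($Computer, 135); $epm = $true } catch { $epm = $false } finally { $tcp.Close() }
    $out = & certutil.exe -config "$Computer\$CA" -ping 2>&1
    [pscustomobject]@{ EndpointMapper = $epm; CertUtilPing = ($LASTEXITCODE -eq 0); Detail = ($out | Select-Object -Last 1) }
}

# The events 6 and 13 from the original post are written by the autoenrollment provider.
function Get-AutoEnrollFailures {
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 6, 13
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' } `
        -MaxEvents 10 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Test-TemplateAcl -Name $Template | Format-Table -AutoSize
Test-DcomAccessGroup | Format-List
Test-CAReachable -Computer $CAHost -CA $CAName | Format-List
Get-AutoEnrollFailures | Format-Table -AutoSize -Wrap
# After changing anything, force a retry instead of waiting for the next timer run:  certutil -pulse
```

Run it on the problematic DC so the reachability test and event query reflect the failing machine. If the template and group checks pass and `certutil -ping` succeeds from that DC while event 13 still reports 0x800706ba, the RPC failure is happening after the connection is made (for example in the DCOM activation on the CA) rather than on the network path.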


  • Wednesday, May 2, 2012 6:49 PM

    I have verified that the template has the correct security permissions. DNS works fine, the service is started, and everything is reachable on the network. I can see that my CA has issued "DomainController" certificates to the 3 other DCs but not the one. I have tested and verified the certutil ping command to verify that the service is listening properly on my CA. There are no firewalls in between this DC and the CA to block traffic. The problem server is a very plain build.

    So i have to ask the following questions:

    1. Why would I be having trouble with just this one DC? It is Server 2008 R2 like all the others. The only difference is that it holds some FSMO roles.
    2. Is it correct that the other DCs were issued the Domain Controller cert and not the Domain Controller Authentication one?
    3. Should I try to manually request a certificate? If so, should I use the Domain Controller or Domain Controller Authentication template?

    Rob

  • Monday, May 14, 2012 3:09 PM
     Answered

    Found my answer here http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/6ce9e4f1-9ca5-45df-9626-8d02b13d0911/#7863216a-486d-496d-850b-4a7e5cd46a5d

    Basic steps are as follows:

    a) open Regedit and navigate to the HKCR\CLSID\{D99E6E74-FC88-11D0-B498-00A0C90312F3} key

    b) right-click Permissions and take ownership of the key and REPLACE OWNER ON ALL SUBKEYS as well

    c) grant the Certificate Services DCOM Access group the READ permission to the key and all subkeys

    d) navigate to HKCR\AppID\{D99E6E74-FC88-11D0-B498-00A0C90312F3}

    e) grant the Certificate Services DCOM Access group the READ permission to the key and all subkeys



    Rob

    • Marked as answer by rpcsys, Monday, May 14, 2012 3:09 PM
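Steps c) and e) above are easy to get subtly wrong by hand (a subkey left out, Full Control granted where Read is enough), and the failure only shows up at the next 6:10 AM timer run. The following PowerShell is an added example, not code from the thread: it walks both key trees under HKCR, reports every key where the Certificate Service DCOM Access group lacks Read, and with `-Fix` adds an inheritable Read ACE. It assumes step b) has already been done where needed: these keys are owned by TrustedInstaller by default, and writing the DACL requires WRITE_DAC, which only the owner holds implicitly; the script does not change ownership. Read is all the group needs, since DCOM only has to read the class and AppID registration to activate the CertSrv Request server.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the CA.
param([switch]$Fix)

$Clsid = '{D99E6E74-FC88-11D0-B498-00A0C90312F3}'       # CertSrv Request class, from the thread
$Paths = @("CLSID\$Clsid", "AppID\$Clsid")               # relative to HKEY_CLASSES_ROOT
$Group = New-Object System.Security.Principal.NTAccount('Certificate Service DCOM Access')
$Sid   = $Group.Translate([System.Security.Principal.SecurityIdentifier])  # compare ACEs by SID, not name
$ReadKey = [System.Security.AccessControl.RegistryRights]::ReadKey  # QueryValues|EnumerateSubKeys|Notify|ReadPermissions

# Does this key's DACL (explicit or inherited) give the group at least ReadKey?
function Test-ReadAce {
    param([Microsoft.Win32.RegistryKey]$Key)
    $rules = $Key.GetAccessControl().GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and $r.IdentityReference -eq $Sid -and
            (($r.RegistryRights -band $ReadKey) -eq $ReadKey)) { return $true }
    }
    return $false
}

# Adds an inheritable Allow ReadKey ACE; Windows propagates it to non-protected subkeys,
# and the tree walk below adds it explicitly to any subkey that still lacks it.
function Add-ReadAce {
    param([Microsoft.Win32.RegistryKey]$Key)
    $acl  = $Key.GetAccessControl()
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Sid, $ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    $Key.SetAccessControl($acl)      # needs WRITE_DAC: succeeds for the owner (step b) or Full Control holders
}

# Walks one key tree under HKCR and emits a record per key (fixing on the way when -Apply).
function Invoke-KeyTreeAudit {
    param([string]$RelativePath, [switch]$Apply)
    $mode   = if ($Apply) { [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree }
              else        { [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree }
    $rights = if ($Apply) { $ReadKey -bor [System.Security.AccessControl.RegistryRights]::ChangePermissions }
              else        { $ReadKey }
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($RelativePath, $mode, $rights)
    if (-not $key) { Write-Warning "HKCR\$RelativePath not found"; return }
    try {
        $ok = Test-ReadAce $key
        if (-not $ok -and $Apply) { Add-ReadAce $key; $ok = Test-ReadAce $key }
        [pscustomobject]@{ Key = "HKCR\$RelativePath"; GroupHasRead = $ok }
        foreach ($sub in $key.GetSubKeyNames()) {
            Invoke-KeyTreeAudit -RelativePath "$RelativePath\$sub" -Apply:$Apply
        }
    } finally { $key.Close() }
}

$results = foreach ($p in $Paths) { Invoke-KeyTreeAudit -RelativePath $p -Apply:$Fix }
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.GroupHasRead }) {
    Write-Warning 'Some keys still lack Read for the DCOM access group: take ownership (step b) and rerun with -Fix.'
}
# Then on the failing DC:  certutil -pulse   and check the Application log for a new event 13 (or its absence).
```

Run it once without `-Fix` to see which keys are affected, then with `-Fix`; an "access denied" on `SetAccessControl` means ownership has not been taken on that key yet. Because the check compares SIDs rather than names, a renamed or localized group still matches.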