certificate enrollment failed

    Question

  • Our domain had two 2003 DCs. We recently added a 2008 DC, then demoted one of the 2003 DCs in preparation for removal. This happened to be the first DC in the forest. Since then, all the remaining 2003 DCs in the forest (3 domains) are showing Event ID: 13 several times a day. We have not installed a CA.

    Event ID:13
    Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied.

    Additionally, I have noticed a number of WINS records for servers and hosts becoming tombstoned when they should not be. I'm wondering if this is related.

    I already googled and tried DCOM settings. They already look good.
    Appreciate any tips....
    Thanks,
    MIKE
    Wednesday, March 04, 2009 12:54 PM

Answers

  •  

    Hi Mike,


    Domain Controllers should not attempt to request a Domain Controller certificate automatically if there is no Enterprise CA installed in the environment. A possible cause could be that an Enterprise CA has at some point been installed accidentally. To verify it, please run the following command on a Domain Controller in the forest root domain:


    ldifde -f pki.txt -d "CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com"


    And then upload the pki.txt file to the following space for further research:


    https://sftasia.one.microsoft.com/choosetransfer.aspx?key=22927a10-d456-49f4-9d2f-7b39afe7da73

    Password: WW9xJq9YD^Q


    I look forward to your response.  

    Thursday, March 05, 2009 10:23 AM
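The export above can be checked locally before uploading it. Here is an added example (not part of the original thread) that parses an ldifde export of the Public Key Services container and reports the two things that cause DCs to auto-enroll: published Enterprise CAs (pKIEnrollmentService objects under CN=Enrollment Services) and certificates left in NTAuthCertificates. The sample LDIF, the CA name OLD-CA and the host oldca.domain.com are constructed for illustration.

```python
# Constructed sample of an "ldifde -f pki.txt -d ..." export, showing a stale
# Enterprise CA registration left behind after the CA itself was removed.
SAMPLE_LDIF = """\
dn: CN=OLD-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com
changetype: add
objectClass: pKIEnrollmentService
dNSHostName: oldca.domain.com
certificateTemplates: DomainController

dn: CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com
changetype: add
objectClass: certificationAuthority
cACertificate:: MIIBogIBAQ==
"""

def parse_ldif(text):
    """One {attribute: [values]} dict per entry; handles 'attr:: base64' and folded lines."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if not raw.strip():                       # blank line ends an entry
            if current is not None:
                entries.append(current)
            current, last_attr = None, None
            continue
        if raw.startswith(" ") and last_attr:     # ldifde folds long values
            current[last_attr][-1] += raw[1:]
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                 # base64-encoded value
            value = value[1:]
        current = {} if current is None else current
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current is not None:
        entries.append(current)
    return entries

def find_ca_registrations(text):
    """Objects that make DCs auto-request certs: published CAs and NTAuth certs."""
    findings = []
    for e in parse_ldif(text):
        dn = e.get("dn", [""])[0]
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "pkienrollmentservice" in classes:
            findings.append(("EnrollmentService", dn, e.get("dNSHostName", ["?"])[0]))
        if dn.lower().startswith("cn=ntauthcertificates,") and e.get("cACertificate"):
            findings.append(("NTAuthCertificates", dn, len(e["cACertificate"])))
    return findings
```

Run it over the real pki.txt with `find_ca_registrations(open("pki.txt", encoding=...).read())`; an empty list means no CA is registered in the forest, while any EnrollmentService hit names the CA the DCs are still trying to enroll against.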