Problem with Domain Controller auto-enrollment using member server root ca

    Question

  • We recently set up a Windows Server 2008 Enterprise Root CA on a member server to sign certificates primarily for InfoPath forms but plan to expand its use further. Presently, however, all our DCs are failing autoenrollment, and also if I manually request a domain controller certificate.

    I have added the Domain Users, Domain Controllers and Domain Computers groups to the local Certificate Services DCOM Access group, as well as to the domain group of the same name, and ran "certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG", then restarted the cert services.

    I get the following errors on my DCs (both on 2008, only Event 13 on the 2003 ones):

    Log Name:      Application
    Source:        Microsoft-Windows-CertificateServicesClient-CertEnroll
    Date:          03/05/2012 10:47:57
    Event ID:      13
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          SYSTEM
    Computer:      DC1.domain.local
    Description:
    Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from certificateserver (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

    Log Name:      Application
    Source:        Microsoft-Windows-CertificateServicesClient-AutoEnrollment
    Date:          03/05/2012 10:47:57
    Event ID:      6
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      dc1.domain.local
    Description:
    Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

    I've tried this with the firewall off on both servers, and they are both on the same subnet.

    I have checked the enroll and autoenroll permissions on the template and they are fine however....

    I get the error below when restarting the certificate service:

    Log Name:      Application
    Source:        Microsoft-Windows-CertificationAuthority
    Date:          03/05/2012 11:56:40
    Event ID:      77
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          SYSTEM
    Computer:      certificateserver.domain.local

    Description:
    The "Windows default" Policy Module logged the following warning: The DomainController
    CNF:05f5d163-b298-4d45-b911-d8a5761a04af Certificate Template could not be loaded.  Element not found. 0x80070490 (WIN32: 1168).

    All the forums I've looked at seem to suggest that it's the Certificate Services DCOM group that is the issue, but I've changed those permissions already, so I'm at a bit of a loss. Users can request certificates through web enrollment no problem.

    Using certutil -ping from the DC the interface reports as alive.

    Thursday, 3 May 2012 13:05

Answers

  • Okay, finally got to the bottom of it. Although I'd added the users to the Certificate Service DCOM Access group, they needed to be added to the Distributed COM Users group as well. None of the articles seemed to mention that, oddly, so I don't know if that's meant to be required or not.
    • Marked as Answer by Dr_Sanchez Tuesday, 15 May 2012 16:09
    Tuesday, 15 May 2012 16:09
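
A quick way to verify the fix described in the answer, as an added example that is not part of the original thread: this PowerShell script, run on the CA server with local administrator rights, lists the members of the two local groups involved (Certificate Service DCOM Access and Distributed COM Users) and reports which of the domain groups named in the question are missing from either. It uses the WinNT ADSI provider so it also works on Windows Server 2008, which lacks Get-LocalGroupMember. The group names, the use of $env:USERDOMAIN as the domain's NetBIOS name, and the sample output format are assumptions made for this example.

```powershell
# Added example, not from the original thread. Run on the CA server as a local administrator.
# Assumption: the account running this is a domain account, so $env:USERDOMAIN is the domain NetBIOS name.
$domainNetBios  = $env:USERDOMAIN
$requiredGroups = @('Domain Controllers', 'Domain Computers', 'Domain Users')   # groups named in the question
$localGroups    = @('Certificate Service DCOM Access', 'Distributed COM Users') # both groups the answer identifies

function Get-LocalGroupMemberNames {
    # Returns the member names of a local group via the WinNT provider (works on Server 2008).
    param([string]$GroupName)
    $group = [ADSI]"WinNT://./$GroupName,group"
    $group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$missing = @()
foreach ($lg in $localGroups) {
    $members = @(Get-LocalGroupMemberNames -GroupName $lg)
    foreach ($rg in $requiredGroups) {
        if ($members -contains $rg) {
            Write-Output ("OK       '{0}' contains '{1}'" -f $lg, $rg)
        } else {
            Write-Output ("MISSING  '{0}' lacks '{1}'" -f $lg, $rg)
            $missing += [pscustomobject]@{ LocalGroup = $lg; DomainGroup = $rg }
        }
    }
}

if ($missing.Count -gt 0) {
    Write-Output ''
    Write-Output 'To add the missing memberships, run the following as an administrator:'
    foreach ($m in $missing) {
        Write-Output ('  net localgroup "{0}" "{1}\{2}" /add' -f $m.LocalGroup, $domainNetBios, $m.DomainGroup)
    }
    # After changing DCOM group membership, the question's own follow-up step is to clear the
    # setup flag so the CA re-applies its DCOM security on the next start, then restart the service:
    Write-Output '  certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG'
    Write-Output '  Restart-Service certsvc'
} else {
    Write-Output 'All required domain groups are present in both local DCOM groups.'
}
```

The script only reads group membership and prints the commands it would take to repair it, so it is safe to run repeatedly; once both local groups contain the three domain groups, re-test enrollment from a DC with certutil -pulse or certreq and watch for Event 13 and Event 6 in the Application log.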

All Replies