Windows 2008 SCEP Network Device Enrollment Service

    Question

  • I was wondering if anyone knows what the prerequisites are for the Network Device Enrollment Service in W2k8?
    I know it requires the Enterprise edition of the server, but that's all I can find.
    I'm specifically wondering whether the service can run on a W2k8 Enterprise server that is a domain controller.

    I have AD Certificate Services installed and working. I tried to install the role service for Network Device Enrollment, and it requires a domain user account or Network Service to install.

    Selecting Network Service gives an error: "Network service account cannot send authenticated certificate request to a local enterprise CA. Specify a user account."

    Selecting a user account gives me this error: "The account is not a member of the local machine's IIS_IUSRS group."
    Obviously, since this is a domain controller, you cannot access local users or groups.

    I tried to dcpromo the server, add the user account, and dcpromo again, and it didn't work.
    I tried installing the service on the server as a member server and then running dcpromo again, but running dcpromo required Certificate Services to be uninstalled. Catch-22!

    I'm guessing I would have to provision another W2k8 server as a member server to use the SCEP service? But like I said, I couldn't find any prerequisite requirements.



    Friday, 19 September 2008 13:39

Answers

  • Hi Customer,

    To install the Network Device Enrollment Service properly, the installation user account must be a member of the domain and must be added to the local IIS_IUSRS group. I understand that you received the error saying "The account is not a member of the local machine's IIS_IUSRS group" when you used a domain user account to install. After you promote a server to domain controller, the local user accounts in the SAM are migrated to the domain database. Please add the user account that you used to install Network Device Enrollment Service, such as Domain Admins, to the IIS_IUSRS group in the Active Directory Users and Computers snap-in to test whether it works. To do so, please perform the following steps:

    1. Open the Active Directory Users and Computers snap-in, expand your domain, and highlight Builtin. The IIS_IUSRS group will be listed in the right-hand pane.

    2. Add the appropriate user or user group to the IIS_IUSRS group.

    Hope it helps.

    David Shen - MSFT
    • Marked as answer by David Shen, Wednesday, 24 September 2008 02:40
    Tuesday, 23 September 2008 02:39

All replies

  • I don't seem to have a migrated group; the DC was not promoted after IIS was installed, IIS was installed after. How do I get around this error?

    I get the same errors as the original poster, but there is no IIS_IUSRS group in AD.

    Thursday, 09 February 2012 22:28
  • 1. Open a command prompt (right click - Run as Administrator)

    2. net localgroup IIS_USRS YourDomain\YourChosenUser /add

    Wednesday, 20 March 2013 18:13
  • Change to net localgroup IIS_IUSRS YourDomain\YourChosenUser /add

    and it works! (just change IIS_USRS to IIS_IUSRS)

    Wednesday, 11 July 2018 20:06
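The accepted answer and the `net localgroup IIS_IUSRS ... /add` replies above both come down to one prerequisite: the account handed to the NDES role service wizard must be a domain account and a member of IIS_IUSRS, which on a domain controller lives in the domain's Builtin container rather than in a local SAM. The following PowerShell script is an added example, not code from this thread or from Microsoft; it pre-checks that requirement before you run the wizard and can apply the fix. It uses the ADSI WinNT provider so it runs on the PowerShell 2.0 that ships with Windows Server 2008 (no ActiveDirectory module needed). The domain `CONTOSO` and the account `svc-ndes` are hypothetical placeholders.

```powershell
# Added example (not from the thread): pre-flight check for the NDES role service
# account requirement, i.e. a domain user account that is a member of IIS_IUSRS.
# Assumptions: CONTOSO\svc-ndes is a hypothetical service account you plan to give
# the Add Role Services wizard. Run in an elevated prompt on the future NDES server.
param(
    [string]$Account = 'CONTOSO\svc-ndes',   # hypothetical NDES install account
    [switch]$Fix                              # add the account to IIS_IUSRS if missing
)

$ErrorActionPreference = 'Stop'

# 1. The wizard rejects NETWORK SERVICE and local accounts when the CA is a local
#    enterprise CA, so insist on DOMAIN\user where DOMAIN is not this computer.
if ($Account -match '^([^\\]+)\\([^\\]+)$') {
    $domain, $user = $Matches[1], $Matches[2]
} else {
    throw "Use the DOMAIN\user form, got '$Account'."
}
if ($domain -ieq $env:COMPUTERNAME -or $Account -ieq 'NT AUTHORITY\NETWORK SERVICE') {
    throw "'$Account' is not a domain user account; the NDES role service requires one."
}

# 2. Resolve IIS_IUSRS. On a member server this is the local SAM group. On a domain
#    controller the WinNT provider, like net localgroup, is redirected to the domain's
#    Builtin container, which is why 'net localgroup IIS_IUSRS DOMAIN\user /add' works
#    on a DC even though Local Users and Groups is unavailable there.
$groupPath = "WinNT://$env:COMPUTERNAME/IIS_IUSRS,group"
if (-not [ADSI]::Exists($groupPath)) {
    throw "IIS_IUSRS not found. Install the Web Server (IIS) role before adding NDES."
}
$group = [ADSI]$groupPath

# Group members come back as IADs COM objects; read each ADsPath via reflection
# (WinNT://CONTOSO/svc-ndes) and normalise it to DOMAIN\name for comparison.
function Get-GroupMemberNames([ADSI]$Grp) {
    foreach ($m in @($Grp.Invoke('Members'))) {
        $p = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($p -replace '^WinNT://', '') -replace '/', '\'
    }
}

$members = @(Get-GroupMemberNames $group)
if ($members -contains $Account) {            # -contains is case-insensitive for strings
    Write-Host "OK: $Account is already a member of IIS_IUSRS."
} elseif ($Fix) {
    # Same effect as: net localgroup IIS_IUSRS DOMAIN\user /add
    $group.Add("WinNT://$domain/$user,user")
    if (@(Get-GroupMemberNames $group) -contains $Account) {
        Write-Host "Added $Account to IIS_IUSRS."
    } else {
        throw "Add reported success but $Account is still not listed in IIS_IUSRS."
    }
} else {
    Write-Warning "$Account is NOT in IIS_IUSRS. Re-run with -Fix, or run: net localgroup IIS_IUSRS $Account /add"
}

# 3. Least-privilege caveat: the wizard makes this account the identity of the NDES
#    (SCEP) application pool, so a Domain Admin here means a Domain Admin running a
#    web-facing IIS app pool. Warn if the chosen account is one.
$daPath = "WinNT://$domain/Domain Admins,group"
if ([ADSI]::Exists($daPath) -and (@(Get-GroupMemberNames ([ADSI]$daPath)) -contains $Account)) {
    Write-Warning "$Account is a member of Domain Admins; prefer a dedicated low-privilege domain service account for NDES."
}
```

Run it once without `-Fix` to see the current state, then with `-Fix` (elevated) to add the account; rerun the wizard afterwards. The script only verifies the IIS_IUSRS and domain-account conditions the thread describes, so a wizard failure after it passes points at something else, such as the CA itself.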