Windows Server 2003 Standard SP2 - Error message (0x80070005). Access is denied.

  • Question

  • Hi Sir,

    I have this error (Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied)  from the event application log in my Windows Server 2003 Standard SP2 as a Backup File server as a DC 2.

    I read the support article:

    Naturally, if I try to add the CERTSVC_DCOM_ACCESS group using the method suggested in the Microsoft KB article (http://support.microsoft.com/kb/903220/en-us):
    certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
    net stop certsvc
    net start certsvc
    I get the following error on each DC because I have no certificate services on those or on any other member server:
    C:\>certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
    CertUtil: -setreg command FAILED: 0x80070002 (WIN32: 2)
    CertUtil: The system cannot find the file specified.

    I hope someone can help me.

    Thanks in advance.
    Friday, October 30, 2009 5:17 AM

Answers

  • Hi,

     

    The steps on the article KB903220 should be performed on CA, not on DC or any member server. Currently, please try the steps on the article 903220 again on your CA server and revert back.

     

    Regards,

    Bruce

    • Marked as answer by Bruce-Liu Monday, November 9, 2009 2:37 AM
    Monday, November 2, 2009 6:16 AM
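
The answer above as a guarded batch script (an added example, not part of the thread or of KB 903220): it runs the quoted KB steps only when the Certificate Services service is present on the local machine. The `sc query` check, the `certutil -getreg` display step and the messages are assumptions of this example; the `certutil -setreg` and `net` commands are the ones quoted in the question.

```batch
@echo off
rem Added example: apply the KB 903220 steps only on a machine that hosts
rem Certificate Services (the CA), never on a DC or member server without it.
setlocal

rem certsvc is the service name used by "net stop certsvc" in the question.
rem sc query returns a non-zero exit code when the service does not exist.
sc query certsvc >nul 2>&1
if not "%errorlevel%"=="0" (
    echo Certificate Services is not installed on %COMPUTERNAME%.
    echo Run this script on the CA server instead.
    exit /b 1
)

rem Show the value before changing it so the change can be reviewed later.
echo Current SetupStatus on %COMPUTERNAME%:
certutil -getreg SetupStatus

rem Clear the flag exactly as quoted in the question.
rem certutil can return a negative HRESULT, so compare against 0
rem rather than using "if errorlevel 1".
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
if not "%errorlevel%"=="0" (
    echo certutil -setreg failed; certsvc was not restarted.
    exit /b 1
)

rem Restart the CA service so the change takes effect.
net stop certsvc
net start certsvc
if not "%errorlevel%"=="0" (
    echo certsvc did not start; check the event logs on %COMPUTERNAME%.
    exit /b 1
)

echo SetupStatus flag cleared and certsvc restarted on %COMPUTERNAME%.
endlocal
```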

All replies

  • Hi Lennet,

    You did not mention which server has Certificate Services installed.

    It looks like you have enabled the Auto Enrollment feature through Group Policies and the Domain Controller certificate is configured for Auto Enrollment. The error event states that the local machine was not able to get the certificate. One of the reasons can be security permissions.

    Group Policy location: Computer Configuration/Windows Settings/Security Settings/PublicKeyPolicies/AutoEnrollment Settings

    So my question: have you configured any such policy? Do you want Domain Controller certificates through AutoEnrollment?

    Revert back with the info.

    cheers
    Nitin

    Friday, October 30, 2009 7:45 PM