[[Forwarded to & Followup-To set for
microsoft.public.windows.server.security newsgroup]]
PaulLG wrote:
> An old 2003 DC with Root CA was decommissioned and replaced with a new 2008
> server.
>
> The CA was backed up on the old server, and restored onto the new 2008 DC
> with the same name. The certificate database appears intact.
>
> We can request new user certificates via the web interface, but
> auto-enrolment fails. Nothing is shown in the Failed Requests list.
>
> User certificates can be requested via the MMC, but computer certificates
> fail with
> "The certificate request failed because of one of the following
> conditions:
> -The certificate request was submitted to a Certification Authority (CA)
> that is not started.
> -You do not have the permissions to request certificates from the
> available CAs."
>
> I have followed the troubleshooting guide
> http://blogs.technet.com/askds/archi...e-snap-in.aspx
> (as I haven't found a 2008 version) and everything seems OK except for the
> guide's reference to the group CERTSVC_DCOM_ACCESS, which does not exist in
> our AD. The certutil -setreg fix does not create the group, and our
> correctly-working lab network does not contain the group either.
>
> The Application log on the client shows:
> Event Type: Error
> Event Source: AutoEnrollment
> Event Category: None
> Event ID: 13
> Date: 24/08/2009
> Time: 14:04:42
> User: N/A
> Computer: FF8
> Description:
> Automatic certificate enrollment for local system failed to enroll for one
> Computer certificate (0x80070005). Access is denied.
>
> The System log on the client shows:
> Event Type: Error
> Event Source: DCOM
> Event Category: None
> Event ID: 10006
> Date: 24/08/2009
> Time: 14:04:42
> User: N/A
> Computer: FF8
> Description:
> DCOM got error "General access denied error " from the computer
> FF1.domain.local when attempting to activate the server:
> {D99E6E74-FC88-11D0-B498-00A0C90312F3}
>
> I have checked the DCOM permissions for "CertSrv Request" against our
> working lab server, and they are identical.
>
> Any idea what I'm missing?
>
> Paul
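As an added example (not from Paul's post), a small Python script that mechanises the cross-check he did by hand between the two client log records: it parses Event Viewer text exports of the shape quoted above, decodes the 0x80070005 HRESULT to Win32 error 5 (access denied), and pairs each AutoEnrollment event 13 with a DCOM 10006 logged by the same client within a few seconds, flagging when the activation target is the CLSID named in the DCOM event. The sample records are constructed from the post; the five-second window and the `parse_records`/`correlate` names are my own assumptions.

```python
"""Added example: correlate AutoEnrollment event 13 with DCOM event 10006 in an Event Viewer text export."""
import re
from datetime import datetime, timedelta

FIELDS = {"Event Type", "Event Source", "Event ID", "Date", "Time", "Computer", "Description"}
CERTSRV_REQUEST_CLSID = "{D99E6E74-FC88-11D0-B498-00A0C90312F3}"  # CLSID named in the post's DCOM event
# Constructed sample in the shape of the post's two records (Event Category/User lines omitted).
SAMPLE_LOG = "\n".join([
    "Event Type: Error", "Event Source: AutoEnrollment", "Event ID: 13",
    "Date: 24/08/2009", "Time: 14:04:42", "Computer: FF8", "Description:",
    "Automatic certificate enrollment for local system failed to enroll for one",
    "Computer certificate (0x80070005). Access is denied.",
    "Event Type: Error", "Event Source: DCOM", "Event ID: 10006",
    "Date: 24/08/2009", "Time: 14:04:42", "Computer: FF8", "Description:",
    'DCOM got error "General access denied error " from the computer',
    "FF1.domain.local when attempting to activate the server:",
    "{D99E6E74-FC88-11D0-B498-00A0C90312F3}",
])
def parse_records(text):
    """One dict per record: 'Event Type' starts a record, Description may continue over several lines."""
    records, key = [], None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line)
        if m and m.group(1) in FIELDS:
            if m.group(1) == "Event Type":
                records.append({})
            key = m.group(1)
            records[-1][key] = m.group(2)
        elif key == "Description":  # continuation line of the description
            records[-1][key] = (records[-1][key] + " " + line.strip()).strip()
    for r in records:
        r["when"] = datetime.strptime(r["Date"] + " " + r["Time"], "%d/%m/%Y %H:%M:%S")
    return records
def win32_error(hresult):  # low 16 bits of a FACILITY_WIN32 HRESULT (0x8007xxxx): 0x80070005 -> 5
    value = int(hresult, 16)
    return value & 0xFFFF if value >> 16 == 0x8007 else None
def correlate(records, window=timedelta(seconds=5)):
    """Pair each AutoEnrollment 13 with a DCOM 10006 logged by the same client inside `window`."""
    kind = lambda r: (r["Event Source"], r["Event ID"])
    dcom, findings = [r for r in records if kind(r) == ("DCOM", "10006")], []
    for ae in (r for r in records if kind(r) == ("AutoEnrollment", "13")):
        hres = re.search(r"\((0x[0-9A-Fa-f]{8})\)", ae["Description"])
        for d in dcom:
            if d["Computer"] != ae["Computer"] or abs(d["when"] - ae["when"]) > window: continue
            m = re.search(r"from the computer (\S+) .*activate the server: (\{[^}]+\})", d["Description"])
            findings.append({"client": ae["Computer"], "ca_host": m.group(1) if m else None,
                             "clsid": m.group(2) if m else None,
                             "certsrv_request": bool(m and m.group(2) == CERTSRV_REQUEST_CLSID),
                             "win32_error": win32_error(hres.group(1)) if hres else None})
    return findings
```

A single finding naming the CA host, the CertSrv Request CLSID and Win32 error 5 points at DCOM activation permissions on the CA rather than at template ACLs, which is the distinction the two events make when read together.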