W2K3 DC cannot request Domain Controller certificate from W2K8 CA

Discussion in 'Server Security' started by Paul Kissick, Feb 22, 2010.


    I'm having a very frustrating problem with our domain controllers not being
    able to request a Domain Controller certificate from our Enterprise CA and am
    wondering if anyone can give me some insight into the issue...

    Bit of background:

    We used to have a Windows 2000 Server (Std Ed) Domain Controller with
    Certificate Services installed as an Enterprise CA, but the hardware was
    causing us problems, so we decided to try and migrate the CA to a Windows
    2008 Server (Std Ed).

    I followed the instructions (http://support.microsoft.com/kb/889250) to
    decommission the old CA and demote the DC before removing from the domain.

    I then installed a fresh copy of Certificate Services on our 2008 DC with
    the default configuration.

    Now, our 2008 DC successfully autoenrolled and obtained its Domain
    Controller certificate; another W2000 DC (which we need to keep for legacy
    Terminal Services support) also successfully autoenrolled and obtained a
    Domain Controller certificate.

    But, our other Windows 2003 Server (R2) Std Ed DCs refuse to obtain a
    certificate. I've even tried a brand new fresh install of W2003 (no Service
    Pack) and it also can't retrieve a certificate.

    The error message in the Certificates snap-in (when requesting from Local
    Machine) shows:

    The certificate request failed because of one of the following conditions:
    - The certificate request was submitted to a Certificate Authority (CA)
    that is not started.
    - You do not have the permissions to request certificates from the
    available CAs.

    The event log shows:
    Automatic certificate enrollment for local system failed to enroll for one
    Domain Controller certificate (0x80070005). Access is denied.

    when trying AutoEnrollment.

    But, the CA is started, and the DC is in the Domain Controllers OU and
    Group, and appears to have the correct permissions.

    The DCOM config on the CA allows 'Certificate Service DCOM Access' group
    Local Access and Remote Access, as well as Local/Remote Launch, and
    Local/Remote Activation.

    Also, the Terminal Server (2000) is able to request a Computer certificate
    without any issues.

    There is no trace of the old DC within the Enterprise PKI.

    Can anyone help shed some light on the issue?

    Many thanks, Paul Kissick
    Paul Kissick, Feb 22, 2010