Windows Vista Tips

Windows Vista Tips > Newsgroups > Windows Server > Server Security > W2K3 DC cannot request Domain Controller cerificate from W2K8 CA

Thread Tools Display Modes

W2K3 DC cannot request Domain Controller cerificate from W2K8 CA

Paul Kissick
Posts: n/a


I'm having a very frustration problem with our domain controllers not being
able to request a Domain Controller certificate from our Enterprise CA and am
wondering if anyone can give me some insite into the issue...

Bit of background:

We used to have a Windows 2000 Server (Std Ed) Domain Controller with
Certificate Services installed as an Enterprise CA, but the hardware was
causing us problems, so we decided to try and migrate the CA to a Windows
2008 Server (Std Ed).

I followed the instructions ( to
decommission the old CA and demote the DC before removing from the domain.

I then installed a fresh copy of Certificate Services on our 2008 DC with
the default configuration.

Now, our 2008DC successfully autoenrolled and obtained it's Domain
Controller cerificate, another W2000 DC (which we need to keep for legacy
Terminal Services support) also successfully autoenrolled and obtained a
Domain Controller certificate.

But, our other Windows 2003 Server (R2) Std Ed DCs refuse to obtain a
certificate. I've even tried a brand new fresh install of W2003 (no Service
Pack) and it also can't retrieve a certificate.

The error message with the Certificates snap in (with requesting from Local
Machine) shows:

The certificate request failed because of one of the following conditions:
- The certificate request was submitted to a Certificate Authority (CA)
that is not started.
- You do not have the permissions to request certificates from the
available CAs.

The event log shows:
Automatic certificate enrollment for local system failed to enroll for one
Domain Controller certificate (0x80070005). Access is denied.

when trying AutoEnrollment.

But, the CA is started, and the DC is in the Domain Controllers OU and
Group, and appears to have the correct permissions.

The DCOM config on the CA allows 'Certificate Service DCOM Access' group
Local Access and Remote Access, as well as Local/Remote Launch, and
Local/Remote Activation.

Also, the Terminal Server (2000) is able to request a Computer certificate
without any issues.

There is no trace of the old DC within the Enterprise PKI.

Can anyone help shed some light on the issue?

Many thanks, Paul Kissick
Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
W2k8 as member server in W2k8 SBS domain - CALs Luka Obersnu Windows Small Business Server 5 10-21-2009 11:03 PM
W2k8 Server cannot join domain (but W2k3-Server can!) Ulrich B. Boddenberg Active Directory 11 06-03-2008 06:23 AM
Internet Explorer Cerificate Problem Ian Hutchinson Windows Vista General Discussion 0 11-10-2007 12:16 PM
RWW Cerificate Problem 4halen Windows Small Business Server 5 10-25-2006 08:48 PM
OWA Cerificate tim Windows Small Business Server 2 04-02-2004 07:36 PM