Discussion:
PLEASE HELP: Autoenrollment Failure (0x80070005) for Additional Domain Controller W2K3
Neil Hobbs
2005-11-21 17:02:23 UTC
Hi,

I'm in the process of performing my final test deployment of a Windows
Server 2003 Active Directory network.

I have an Enterprise Root CA, which resides on the first domain controller
SERVER01 (this is also a Global Catalog server) and this Domain Controller
has successfully obtained a 'Domain Controller' certificate. But the second
domain controller SERVER02 has not been able to obtain a 'Domain Controller'
certificate. When this second domain controller starts up, it logs the
following entry in the 'Application' event log:

Source: Autoenrollment
Event ID: 13

Autoenrollment certificate for the local system failed to enroll for one
Domain Controller certificate (0x80070005). Access is denied

I have checked the TCP/IP configuration of the two domain controllers, both
servers are on the same IP network; a 10.1.0.0/24 network;

SERVER01 - has the IP address - 10.1.0.1/24
SERVER02 - has the IP address - 10.1.0.2/24

I have seen that both of the domain controllers are located in the
'DOMAIN\Domain Controllers' security group and this group has the default
permissions to the 'Domain Controller Authentication' certificate template
(Enroll and Autoenroll set to Allow).

The rest of the configuration is the default configuration. The domain
controllers and all servers are running Windows Server 2003 SP1. I have
other servers, which all pick up their certificates without any issues, but
no matter how many times I reboot this second domain controller it fails to
get a certificate.

I have performed a load of searches on the Knowledgebase and TechNet, but I
can't find any article.

Many thanks in advance; any solutions/advice will be most appreciated.
Neil Hobbs
2005-11-21 18:16:37 UTC
It's been fixed in SP1; please see the following support article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;903220
Nick-Mars
2005-11-30 22:29:02 UTC
I hope this thread is still open...

I've encountered the error mentioned in this post and have attempted to
apply the fix recommended. We have several DCs, some running SP1, some not.
One of the DCs is also a Certificate Server. On the DC that is a certificate
server we are not getting the error in the event log but I ran the fix on
that system. Seemed to run successfully.

On another DC, the "PDC" for the domain, I ran the fix and encountered the
error:
CertUtil: -setreg command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.
This DC continues to get the error in the event viewer.
This DC did not have SP1 applied yet. Do I need to apply the SP and then
run the fix?

On another DC, running SP1, I applied the fix. It didn't seem to change
anything. The DC was not a Certificate Server. However, this DC continues
to report the error in the event viewer.

Help will be appreciated.
Ton
2005-12-01 15:45:19 UTC
We have the same problem: 5 domain controllers got the domain
controller certificate, 1 DC got Event ID 13 every 8 hours. I also
couldn't use "certutil -ping -config <servername>". Every time I got
the access denied message.

In my case the solution, at least for the ping, was the DCOM
configuration. The DCOM wasn't running! In the start menu, choose
programs, administrative tools, component services.
Then click component services, computers and properties of my computer.
Tab default properties and check enable distributed com on this
computer.

I don't know yet whether Event ID 13 will come up again; I can't
reboot the server right now, I have to wait until 8 hours have passed.

Maybe this can help you....
Nick-Mars
2005-12-01 19:19:03 UTC
Thanks for the tip. I followed up on your suggestion. It looks like it
was/is running on our system (to tell you the truth, I didn't even know those
options were there). I'll try plugging away at the issue. Please let me
know if you resolve yours.
Ton
2005-12-02 09:48:47 UTC
Now I get another event id 13 every 8 hours:

Automatic certificate enrollment for local system failed to enroll for
one Domain Controller certificate (0x8001011c). Remote calls are not
allowed for this process.

Maybe I have to boot the server, I will try this tonight.

What do you mean with the fix, is that "certutil -setreg SetupStatus
-SETUP_DCOM_SECURITY_UPDATED_FLAG"? I think you can only run this on
the Certification Server. It will look for a registry key
"SetupStatus"; that key exists on the Certification server, not on the
other servers.

Maybe you can look for the group CERTSVC_DCOM_ACCESS, all domain
controllers should be members of this group.

I think it's always wise to install SP1 on any server.
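The two checks Ton describes in this thread (DCOM enabled on the failing DC, and Domain Controllers being a member of CERTSVC_DCOM_ACCESS) plus the certutil ping can be scripted so the next person hitting Event ID 13 does not have to click through Component Services and ADUC by hand. The script below is an added example written for this page, not code posted by anyone in the thread. It assumes it is run as a domain admin on the DC that logs the event, that the RSAT ActiveDirectory module is available for Get-ADGroupMember, and that CERTSVC_DCOM_ACCESS is the domain group the KB903220 update created for an enterprise CA; $CAConfig is a placeholder in "<CAHost>\<CAName>" form that you replace with your own CA.

```powershell
# Added diagnostic for Autoenrollment Event ID 13 / 0x80070005 on a domain controller.
# Not from the thread. Assumptions: run elevated on the failing DC; RSAT ActiveDirectory
# module present; $CAConfig is a placeholder, not a value taken from the thread.
param(
    [string]$CAConfig = 'SERVER01\PLACEHOLDER-CA-NAME'   # replace with "<CAHost>\<CAName>"
)

$problems = @()

# 1. Has this DC logged Autoenrollment Event ID 13 recently? (Source name as on Server 2003.)
$events = Get-EventLog -LogName Application -Source Autoenrollment -Newest 50 -ErrorAction SilentlyContinue |
          Where-Object { $_.EventID -eq 13 }
if ($events) {
    $problems += "Autoenrollment Event ID 13 logged $($events.Count) time(s); latest: $($events[0].Message)"
}

# 2. DCOM must be enabled on this machine. This is the same setting as the
#    'Enable Distributed COM on this computer' checkbox in Component Services,
#    read from the registry instead of the GUI. The value is the string 'Y' or 'N'.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -ErrorAction SilentlyContinue
if (-not $ole -or $ole.EnableDCOM -ne 'Y') {
    $problems += "DCOM is disabled (HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = '$($ole.EnableDCOM)')"
}

# 3. Domain Controllers must be a member of CERTSVC_DCOM_ACCESS, the group the
#    KB903220 DCOM security update uses to gate access to the CA. Domain Computers
#    alone does not cover DCs, which is the gap Nick-Mars found.
Import-Module ActiveDirectory -ErrorAction Stop
$members = Get-ADGroupMember -Identity 'CERTSVC_DCOM_ACCESS' | Select-Object -ExpandProperty Name
if ($members -notcontains 'Domain Controllers') {
    $problems += "CERTSVC_DCOM_ACCESS does not contain 'Domain Controllers' (members: $($members -join ', '))"
}

# 4. Can this host reach the CA over DCOM at all? 'Access is denied' here points at 2 or 3.
& certutil.exe -ping -config $CAConfig | Out-Null
if ($LASTEXITCODE -ne 0) {
    $problems += "certutil -ping -config $CAConfig failed with exit code $LASTEXITCODE"
}

if ($problems.Count -eq 0) {
    'All checks passed; reboot the DC (or wait for the next 8-hour cycle) to trigger enrollment.'
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}
```

Run it before changing anything and again after the fix; if check 3 reports the missing member, add the Domain Controllers group to CERTSVC_DCOM_ACCESS on the CA's domain and allow time for replication before the DC's next autoenrollment pass, as the thread's two reporters did.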
Nick-Mars
2005-12-02 16:49:03 UTC
Thanks for clarifying about where to run the certutil fix. I ran it on the
CA and after it didn't work I tried it on the other DCs. Thinking it would
fix the problem. Certificates and CAs are still somewhat of a mystery to me.

Looking over your message below, it dawned on me that "Domain Computers" was
a member of the group "CERTSVC_DCOM_ACCESS" but not "Domain Controllers". I
just added it. I guess I'll have to wait 8 hours to see.

Thanks for collaborating.
Ton
2005-12-02 17:03:49 UTC
I just booted the server and YES, it worked! The server got the domain
controller certificate. So no more Event ID 13s for me.
Nick-Mars
2005-12-02 21:43:02 UTC
Same here!!!

Thanks for your help. I think my problem was overlooking the membership of
Domain Controllers in the CERTSVC_DCOM_ACCESS group.