Auto Enrolment failure after migration to server 2008


PaulLG

An old 2003 DC with Root CA was decommissioned and replaced with a new 2008
server.

The CA was backed up on the old server, and restored onto the new 2008 DC
with the same name. The certificate database appears intact.

We can request new user certificates via the web interface, but
auto-enrolment fails. Nothing is shown in the Failed Requests list.

User certificates can be requested via the MMC, but computer certificates
fail with
"The certificate request failed because of one of the following conditions:
-The certificate request was submitted to a Certification Authority (CA)
that is not started.
-You do not have the permissions to request certificates from the available
CAs."

I have followed the troubleshooting guide
http://blogs.technet.com/askds/archive/200...te-snap-in.aspx
(as I haven't found a 2008 version) and everything seems OK except for the
guide's reference to the group CERTSVC_DCOM_ACCESS, which does not exist in
our AD. The certutil -setreg fix does not create the group, and our
correctly-working lab network does not contain the group either.

The Application log on the client shows:
Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 24/08/2009
Time: 14:04:42
User: N/A
Computer: FF8
Description:
Automatic certificate enrollment for local system failed to enroll for one
Computer certificate (0x80070005). Access is denied.

The System log on the client shows:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10006
Date: 24/08/2009
Time: 14:04:42
User: N/A
Computer: FF8
Description:
DCOM got error "General access denied error " from the computer
FF1.domain.local when attempting to activate the server:
{D99E6E74-FC88-11D0-B498-00A0C90312F3}

I have checked the DCOM permissions for "CertSrv Request" against our
working lab server, and they are identical.

Any idea what I'm missing?

Paul
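As an added example (not from the thread or from anyone posting in it), a small Python check that parses client-side events in the text layout quoted above and pairs the AutoEnrollment Event ID 13 with the DCOM 10006 logged in the same second. A pairing whose CLSID is the CertSrv Request class shows that the client was refused at DCOM activation of the CA's request interface, which is consistent with no entry ever appearing in the CA's Failed Requests list. The sample text is constructed from the events in the post; the CLSID-to-class mapping is background knowledge, not something the post states.

```python
import re

# Constructed sample, cut down to the fields this check reads, from the two
# client-side events quoted in the thread (classic Event Viewer text layout).
SAMPLE = """\
Event Source: AutoEnrollment
Event ID: 13
Time: 14:04:42
Description:
Automatic certificate enrollment for local system failed to enroll for one
Computer certificate (0x80070005). Access is denied.

Event Source: DCOM
Event ID: 10006
Time: 14:04:42
Description:
DCOM got error "General access denied error " from the computer
FF1.domain.local when attempting to activate the server:
{D99E6E74-FC88-11D0-B498-00A0C90312F3}
"""

CERTSRV_REQUEST_CLSID = "{D99E6E74-FC88-11D0-B498-00A0C90312F3}"  # CertSrv Request (ICertRequest) class

def parse_events(text):
    """Split a text export into dicts; 'Description' keeps its multi-line body joined."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, _, desc = block.partition("Description:\n")
        ev = dict(re.findall(r"^([^:\n]+): ?(.*)$", head, re.M))
        ev["Description"] = " ".join(desc.split())
        events.append(ev)
    return events

def diagnose(text):
    """Pair each AutoEnrollment 13 with a DCOM 10006 logged in the same second."""
    evs = parse_events(text)
    enroll = [e for e in evs if (e["Event Source"], e["Event ID"]) == ("AutoEnrollment", "13")]
    dcom = [e for e in evs if (e["Event Source"], e["Event ID"]) == ("DCOM", "10006")]
    findings = []
    for e in enroll:
        hr = re.search(r"\(0x([0-9A-Fa-f]{8})\)", e["Description"])
        for d in (d for d in dcom if d["Time"] == e["Time"]):
            m = re.search(r"from the computer (\S+) .*?(\{[0-9A-Fa-f-]{36}\})", d["Description"])
            findings.append({
                "ca_host": m.group(1) if m else None,
                # low 16 bits of a FACILITY_WIN32 HRESULT: 5 == ERROR_ACCESS_DENIED
                "win32_error": int(hr.group(1), 16) & 0xFFFF if hr else None,
                "certsrv_request": bool(m) and m.group(2) == CERTSRV_REQUEST_CLSID,
            })
    return findings
```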
 
[[Forwarded to & Followup-To set for
microsoft.public.windows.server.security newsgroup]]

PaulLG wrote:
> An old 2003 DC with Root CA was decommissioned and replaced with a new 2008
> server.
>
> The CA was backed up on the old server, and restored onto the new 2008 DC
> with the same name. The certificate database appears intact.
>
> We can request new user certificates via the web interface, but
> auto-enrolment fails. Nothing is shown in the Failed Requests list.
>
> User certificates can be requested via the MMC, but computer certificates
> fail with
> "The certificate request failed because of one of the following
> conditions:
> -The certificate request was submitted to a Certification Authority (CA)
> that is not started.
> -You do not have the permissions to request certificates from the
> available
> CAs."
>
> I have followed the troubleshooting guide
> http://blogs.technet.com/askds/archive/200...te-snap-in.aspx
> (as I haven't found a 2008 version) and everything seems OK except for the
> guide's reference to the group CERTSVC_DCOM_ACCESS, which does not exist
> in
> our AD. The certutil -setreg fix does not create the group, and our
> correctly-working lab network does not contain the group either.
>
> The Application log on the client shows:
> Event Type: Error
> Event Source: AutoEnrollment
> Event Category: None
> Event ID: 13
> Date: 24/08/2009
> Time: 14:04:42
> User: N/A
> Computer: FF8
> Description:
> Automatic certificate enrollment for local system failed to enroll for one
> Computer certificate (0x80070005). Access is denied.
>
> The System log on the client shows:
> Event Type: Error
> Event Source: DCOM
> Event Category: None
> Event ID: 10006
> Date: 24/08/2009
> Time: 14:04:42
> User: N/A
> Computer: FF8
> Description:
> DCOM got error "General access denied error " from the computer
> FF1.domain.local when attempting to activate the server:
> {D99E6E74-FC88-11D0-B498-00A0C90312F3}
>
> I have checked the DCOM permissions for "CertSrv Request" against our
> working lab server, and they are identical.
>
> Any idea what I'm missing?
>
> Paul
 
Hi,

The managed support service of the newsgroup is
now available instead on: http://social.technet.microsoft.com/Forums...rversecurity/threads.
Would you please repost the question in the forum with the Windows
Live ID used to access your Subscription benefits? Our engineers will
assist you in the new platform.

The web link http://technet.microsoft.com/en-us/subscri...s/ms788697.aspx
introduces more information about the migration. In the future, please post
your Group Policy-related questions directly to the forums. If you have any
questions or concerns, please feel free to contact us: tngfb@microsoft.com.

Joson Zhou
Microsoft Online Technical Support
 
Excuse me? microsoft.public.security newsgroup is not a Windows
Server-specific newsgroup and there is no relationship whatsoever between it
(or even microsoft.public.windows.server.security newsgroup, for that
matter) and that Windows Server Security forum.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002
www.banthecheck.com


"Joson Zhou (MSFT)" wrote:
> The managed support service of the newsgroup is
> now available instead on: http://social.technet.microsoft.com/Forums...rversecurity/threads.
> Would you please repost the question in the forum with the Windows
> Live ID used to access your Subscription benefits? Our engineers will
> assist you in the new platform.
>
> The web link
> http://technet.microsoft.com/en-us/subscri...s/ms788697.aspx
> introduces more information about the migration. In the future, please
> post
> your Group Policy-related questions directly to the forums. If you have
> any
> questions or concerns, please feel free to contact us:
> tngfb@microsoft.com.
 
Well, I've done like the man asked, but the way I read the page is that if
the newsgroup is listed then it is managed. If newsgroups are listed that are
not managed, can we have them clearly marked so that we don't waste time with
them?

Paul


"PA Bear [MS MVP]" wrote:

> Excuse me? microsoft.public.security newsgroup is not a Windows
> Server-specific newsgroup and there is no relationship whatsoever between it
> (or even microsoft.public.windows.server.security newsgroup, for that
> matter) and that Windows Server Security forum.
> --
> ~Robear Dyer (PA Bear)
> MS MVP-IE, Mail, Security, Windows Client - since 2002
> www.banthecheck.com
>
>
> "Joson Zhou (MSFT)" wrote:
> > The managed support service of the newsgroup is
> > now available instead on: http://social.technet.microsoft.com/Forums...rversecurity/threads.
> > Would you please repost the question in the forum with the Windows
> > Live ID used to access your Subscription benefits? Our engineers will
> > assist you in the new platform.
> >
> > The web link
> > http://technet.microsoft.com/en-us/subscri...s/ms788697.aspx
> > introduces more information about the migration. In the future, please
> > post
> > your Group Policy-related questions directly to the forums. If you have
> > any
> > questions or concerns, please feel free to contact us:
> > tngfb@microsoft.com.

 
Why are you asking me about this?

PaulLG wrote:
> Well, I've done like the man asked, but the way I read the page is that
> if
> the newsgroup is listed then it is managed. If newsgroups are listed that
> are not managed, can we have them clearly marked so that we don't waste
> time with them?
>
> Paul
>
>
> "PA Bear [MS MVP]" wrote:
>
>> Excuse me? microsoft.public.security newsgroup is not a Windows
>> Server-specific newsgroup and there is no relationship whatsoever between
>> it (or even microsoft.public.windows.server.security newsgroup, for that
>> matter) and that Windows Server Security forum.
>> --
>> ~Robear Dyer (PA Bear)
>> MS MVP-IE, Mail, Security, Windows Client - since 2002
>> www.banthecheck.com
>>
>>
>> "Joson Zhou (MSFT)" wrote:
>>> The managed support service of the newsgroup is
>>> now available instead on: http://social.technet.microsoft.com/Forums...rversecurity/threads.
>>> Would you please repost the question in the forum with the Windows
>>> Live ID used to access your Subscription benefits? Our engineers will
>>> assist you in the new platform.
>>>
>>> The web link
>>> http://technet.microsoft.com/en-us/subscri...s/ms788697.aspx
>>> introduces more information about the migration. In the future, please
>>> post
>>> your Group Policy-related questions directly to the forums. If you have
>>> any
>>> questions or concerns, please feel free to contact us:
>>> tngfb@microsoft.com.
 
Sorry, that was really aimed at MS, not you.

Thanks for your help in getting my question posted in the right place.


"PA Bear [MS MVP]" wrote:

> Why are you asking me about this?
>
> PaulLG wrote:
> > Well, I've done like the man asked, but the way I read the page is that
> > if
> > the newsgroup is listed then it is managed. If newsgroups are listed that
> > are not managed, can we have them clearly marked so that we don't waste
> > time with them?
> >
> > Paul
> >
> >
> > "PA Bear [MS MVP]" wrote:
> >
> >> Excuse me? microsoft.public.security newsgroup is not a Windows
> >> Server-specific newsgroup and there is no relationship whatsoever between
> >> it (or even microsoft.public.windows.server.security newsgroup, for that
> >> matter) and that Windows Server Security forum.
> >> --
> >> ~Robear Dyer (PA Bear)
> >> MS MVP-IE, Mail, Security, Windows Client - since 2002
> >> www.banthecheck.com
> >>
> >>
> >> "Joson Zhou (MSFT)" wrote:
> >>> The managed support service of the newsgroup is
> >>> now available instead on: http://social.technet.microsoft.com/Forums...rversecurity/threads.
> >>> Would you please repost the question in the forum with the Windows
> >>> Live ID used to access your Subscription benefits? Our engineers will
> >>> assist you in the new platform.
> >>>
> >>> The web link
> >>> http://technet.microsoft.com/en-us/subscri...s/ms788697.aspx
> >>> introduces more information about the migration. In the future, please
> >>> post
> >>> your Group Policy-related questions directly to the forums. If you have
> >>> any
> >>> questions or concerns, please feel free to contact us:
> >>> tngfb@microsoft.com.

 