| Author | Messages | |
alberthols
Posts:4
 | | 07/18/2008 10:21 AM |
| | Hi,
The CERTSRV_DCOM_ACCESS group is only abailable on Windwos 2003 (SP1 and
higher) Domain Controllers or Certificate Servers.. So pelase check
carefully which system should have these groups...
Regards,
Albert
On Fri, Jul 18, 2008 at 1:26 AM, EIS Lists <eis_lists@sbcglobal.net> wrote:
> Thanks, Albert. Maybe I am a bit clueless on what exactly this is doing.
> (heading off into embarrassing territory here)
>
>
>
> When I run that command, it fails saying it can't find the record. When I
> run just *certutil –TSAInfo*, it tells me about a valid public cert for
> OWA (webmail.company.com). When I run this on the OWA box, I get the same
> error. Basically, I am not really sure what I am trying to do here.
>
>
>
> Sorry to be so clueless. Any thoughts about what this means?
>
>
>
> Thanks.
>
>
>
> -- nme
>
>
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:
> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Albert
> *Sent:* Wednesday, July 16, 2008 11:41 PM
>
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] Autoenrollment errors, CERTSRV_DCOM_ACCESS
> missing
>
>
>
> HI,
>
>
>
> There is another article also describing what to when the security group is
> not created...
>
> Please have a look at: http://support.microsoft.com/kb/927066
>
>
>
> Especially this part:
>
> 4. Settings may be incorrect if any one of the following conditions is
> true:
>
> •
>
> The CERTSVC_DCOM_ACCESS group does not exist.
>
> •
>
> The default membership of the CERTSVC_DCOM_ACCESS group is incorrect.
>
> •
>
> The CERTSVC_DCOM_ACCESS group does not have the correct permissions.
>
> If any one setting is incorrect, run the following commands at a command
> prompt. Press ENTER after each command.
>
> certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
> net stop certsvc
> net start certsvc
>
>
>
> After the group is there you need to be sure to add the "domain
> controllers" group as that one is not added by default.
>
>
> Hope this helps,
>
>
>
> Regards,
>
>
>
> Albert
>
> On Wed, Jul 16, 2008 at 10:15 PM, EIS Lists <eis_lists@sbcglobal.net>
> wrote:
>
> Thanks, Albert. I have read that article. It does not seem to address the
> issue of the CERTSRV_DCOM_ACCESS security group *not existing*. The
> article says that group is created automatically during the upgrade to SP1.
> In our case, it does not seem to exist.
>
>
>
> I can create the group and add the proper accounts, but I am not sure that
> will do anything.
>
>
>
> -- nme
>
>
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:
> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Albert
> *Sent:* Wednesday, July 16, 2008 10:32 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] Autoenrollment errors, CERTSRV_DCOM_ACCESS
> missing
>
>
>
> Please have a look at:
>
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;903220
>
>
>
> There you would find the solution most likely,
>
>
>
> Regards,
>
>
>
> Albert
>
> On Wed, Jul 16, 2008 at 6:18 PM, EIS Lists <eis_lists@sbcglobal.net>
> wrote:
>
> Hello:
>
>
>
> I have several DCs giving autoenrollment errors. >From what I can see, it
> means that the DC is not a member of the CERTSRV_DCOM_ACCESS security
> group. However, as far as I can tell, that group does not exist. Any ideas
> why this might be or how to correct it?
>
>
>
> Thanks,
>
>
>
> -- nme
>
>
>
>
>
>
>
>
>
| | | |
|
|