| Author | Messages | |
eis_lists
Posts:34
 | | 07/18/2008 12:55 PM |
| To my knowledge (I did not set up this network and am new to it), there are no cert servers. Domain Controllers have no local groups, so this must be a domain group. When I run the create group command from the KB directly on any DC, I get:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\user>certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
CertUtil: -setreg command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.
C:\Documents and Settings\user>net stop certsvc
System error 1060 has occurred.
The specified service does not exist as an installed service.
C:\Documents and Settings\user>net start certsvc
The service name is invalid.
More help is available by typing NET HELPMSG 2185.
Thanks,
-- nme
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Albert
Sent: Friday, July 18, 2008 7:19 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Autoenrollment errors, CERTSRV_DCOM_ACCESS missing
Hi,
The CERTSRV_DCOM_ACCESS group is only available on Windows 2003 (SP1 and higher) Domain Controllers or Certificate Servers. So please check carefully which system should have these groups...
Regards,
Albert
On Fri, Jul 18, 2008 at 1:26 AM, EIS Lists <eis_lists@sbcglobal.net> wrote:
Thanks, Albert. Maybe I am a bit clueless on what exactly this is doing. (heading off into embarrassing territory here)
When I run that command, it fails saying it can't find the record. When I run just certutil -TSAInfo, it tells me about a valid public cert for OWA (webmail.company.com). When I run this on the OWA box, I get the same error. Basically, I am not really sure what I am trying to do here.
Sorry to be so clueless. Any thoughts about what this means?
Thanks.
-- nme
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Albert
Sent: Wednesday, July 16, 2008 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Autoenrollment errors, CERTSRV_DCOM_ACCESS missing
Hi,
There is another article also describing what to do when the security group is not created...
Please have a look at: http://support.microsoft.com/kb/927066
Especially this part:
4. Settings may be incorrect if any one of the following conditions is true:
• The CERTSVC_DCOM_ACCESS group does not exist.
• The default membership of the CERTSVC_DCOM_ACCESS group is incorrect.
• The CERTSVC_DCOM_ACCESS group does not have the correct permissions.
If any one setting is incorrect, run the following commands at a command prompt. Press ENTER after each command.
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc
After the group is there you need to be sure to add the "domain controllers" group as that one is not added by default.
Hope this helps,
Regards,
Albert
On Wed, Jul 16, 2008 at 10:15 PM, EIS Lists <eis_lists@sbcglobal.net> wrote:
Thanks, Albert. I have read that article. It does not seem to address the issue of the CERTSRV_DCOM_ACCESS security group not existing. The article says that group is created automatically during the upgrade to SP1. In our case, it does not seem to exist.
I can create the group and add the proper accounts, but I am not sure that will do anything.
-- nme
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Albert
Sent: Wednesday, July 16, 2008 10:32 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Autoenrollment errors, CERTSRV_DCOM_ACCESS missing
Please have a look at:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;903220
There you would find the solution most likely,
Regards,
Albert
On Wed, Jul 16, 2008 at 6:18 PM, EIS Lists <eis_lists@sbcglobal.net> wrote:
Hello:
I have several DCs giving autoenrollment errors. From what I can see, it means that the DC is not a member of the CERTSRV_DCOM_ACCESS security group. However, as far as I can tell, that group does not exist. Any ideas why this might be or how to correct it?
Thanks,
-- nme