One of my clients was constantly getting the following error on his DCs:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.
He has a RootCA server and, of course, a GPO with AutoEnrollment enabled, but none of his DCs were getting a certificate enrolled.
Why "Access is Denied", you must ask yourself? Here is the answer.
To be able to AutoEnroll a certificate from the RootCA, you actually need permission to do so.
In Windows 2003 Service Pack 1, Microsoft changed slightly how you get this permission.
Under SP1, the way to get this permission is to be a member of a group called "CERTSVC_DCOM_ACCESS".
The problem happens when you install your RootCA on a DC.
You see, this group is actually a local group, but a DC doesn't have local groups.
So when you install the RootCA on a DC, it creates this group in your AD instead.
To solve this issue, follow these steps:
1. Go to your RootCA server.
2. Open "Active Directory Users and Computers".
3. Locate the "CERTSVC_DCOM_ACCESS" group (it should be under the "Users" container).
4. Add the "Domain Controllers" group to the members of "CERTSVC_DCOM_ACCESS".
5. Restart the "MSDTC" service (called "Distributed Transaction Coordinator").
At the next AutoEnrollment interval, the DC will get a certificate from the RootCA.
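The same check and fix as a script, added here as an example and not part of the original post: it verifies whether "Domain Controllers" is already a member of "CERTSVC_DCOM_ACCESS" (comparing by SID so a renamed group is still matched), adds it only if missing, and restarts MSDTC. It assumes it is run on the RootCA/DC by a Domain Admin with the ActiveDirectory PowerShell module (RSAT) installed; the group and member names come from the post, everything else is an assumption of this example.

```powershell
# Added example (not from the original post): check and fix the
# CERTSVC_DCOM_ACCESS membership that AutoEnrollment on a DC needs.
# Assumes: ActiveDirectory module available, run with Domain Admin rights
# on the RootCA server that is also a DC.
Import-Module ActiveDirectory

$groupName  = 'CERTSVC_DCOM_ACCESS'   # created in AD when the CA is installed on a DC
$memberName = 'Domain Controllers'    # group that must be allowed DCOM access to the CA

# Fail early if the group does not exist: then the CA was probably not
# installed on a DC and this post's fix does not apply.
$group   = Get-ADGroup -Identity $groupName -ErrorAction Stop
$dcGroup = Get-ADGroup -Identity $memberName -ErrorAction Stop

# Compare by SID rather than by display name.
$isMember = Get-ADGroupMember -Identity $group |
    Where-Object { $_.SID -eq $dcGroup.SID }

if ($isMember) {
    Write-Output "'$memberName' is already a member of '$groupName'; no change made."
} else {
    Write-Output "Adding '$memberName' to '$groupName' ..."
    Add-ADGroupMember -Identity $group -Members $dcGroup
}

# Step 5 of the post: restart the Distributed Transaction Coordinator.
Restart-Service -Name 'MSDTC' -Force

# Print the resulting membership so the change can be recorded in the ticket.
Get-ADGroupMember -Identity $group | Select-Object Name, objectClass, SID
```

Membership changes on a domain group take effect for a DC's computer account at its next logon/ticket refresh, so the certificate still arrives at the next AutoEnrollment interval rather than immediately.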
You can read a bit more about the changes Microsoft introduced to the DCOM service in SP1 here.